Regarding QA

Todd Freedom_Lover at pobox.com
Fri Feb 6 08:53:45 UTC 2004


Eric Rostetter wrote:
> * how do you know what packages to test (only with slocate was it
> announced on the list, before that you had to know where to look,
> remember to look, etc)

[Jesse and others more in the know will hopefully chime in here, but
since I'm replying to answer some of the gpg questions you have, I
might as well take a stab at some of the others.  If it saves someone
else from having to type it up, that'll be great.]

The Legacy Devel Tracker link on the home page points you where you
want to start: http://www.fedora.us/LEGACY

There you'll find the wonders of bugzilla and a list of all the
current issues that need attention.

> * If you don't know how to use the package, how do you know if it
> works?  (so I can't help test apt if I don't have any docs on how to
> use it, etc)

It's certainly difficult if you haven't a clue about an app.  Usually
though, you can take a peek at the man page and figure out the basic
operations and test those.  Ideally, someone that uses a package or is
familiar with it will be more likely to get on doing QA for that
package than you will.  At least, that's the idea.  So far, the apt
package is proving that's not always how it works. :)

> * Once I see it works, how do I report that it works?

Follow along on some of the other bug reports and see how those are
done.  That helps.  It's a new process for me, I'm trying to keep my
eyes open and learn as much as possible from watching and reading.
If you end up with a specific question, like "I was looking at
package fubar-1.1-1.legacy.src.rpm and it doesn't build right for me
without package baz-devel, what should I do?", just ask and someone
will help out.

> * How do I verify I'm testing the correct package (gnupg signature
> checks, etc)

The gpg check is the one I prefer to use.  The Fedora.us wikis
suggest gpg signed md5 hash files to go along with the uploaded
packages and most of the packages submitted so far for FL have done
this, though I have to wonder what the point is.  If you check the gpg
signature of the md5 file and then use the md5 file to check the
packages, you might as well just use gpg to check the packages
directly.  (Hope that didn't leave you more confused than you were
before.)

For example, say you're going to QA apt (cause everyone wants to),
you'd find it in bugzilla and look at the entries there.  You see that
in Jason's latest comment there he's linked these two files:

    https://mail.codegrinder.com/www/apt4/md5sum.asc
    https://mail.codegrinder.com/www/apt4/apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm

Download them both.  Then run rpm --checksig -v (or just -Kv if you're
lazy like me) on the rpm file.  Assuming you already have Jason's key
(and you probably don't yet, but we'll get to that later), you should
get output like this:

    $ rpm --checksig -v apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm 
    apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm:
    MD5 sum OK: bbb702d9ed7f07f26be25f1f4099146c
    gpg: Signature made Thu 29 Jan 2004 12:49:32 AM EST using DSA key ID 9B643F0D
    gpg: Good signature from "Jason Rohwedder <rohwedde at codegrinder.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 0AA1 6522 AD40 FB05 EFB3  2344 C364 0463 9B64 3F0D

You could also use the md5sum file.  To do that you'd check the gpg
signature on it first:

    $ gpg --verify md5sum.asc 
    gpg: Signature made Thu 29 Jan 2004 12:56:44 AM EST using DSA key ID 9B643F0D
    gpg: Good signature from "Jason Rohwedder <rohwedde at codegrinder.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 0AA1 6522 AD40 FB05 EFB3  2344 C364 0463 9B64 3F0D

If the gpg sig checks out, use the md5sum program to verify the md5
hash of the rpm you downloaded against the hash stored in the md5sum
file:

    $ md5sum -c md5sum.asc 
    apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm: OK

> * How do I get a gnupg signature?  Do I need to register it
> somewhere? how?  Where?

The signatures are what you'll find in the text of the bugzilla
entries and in .asc files.  These signatures are also embedded in rpm
packages as well.  Don't worry too much more about this part at the
moment.

> * How do I sign a message? What does cleartext sign mean?  etc.

To sign a message, you would save it as a file, say you call it
slocate-QA.  Then run:

    $ gpg --clearsign slocate-QA
    [you'll be prompted for your passphrase and then the file will be
    signed]

You will now have another file, slocate.QA.asc.  You would then copy
the contents of that file and paste them into bugzilla.

When you clearsign a message, it means that the message is still
readable to others even without using the gpg software to decode it.
That's what you see when a message has BEGIN PGP SIGNED MESSAGE, BEGIN
PGP SIGNATURE, and END PGP SIGNATURE.

[One thing to be careful of here, bugzilla's text entry box will wrap
text (I don't know at what width exactly) and if it does this, your
gpg signature will be broken.  That's one of the things about
signatures, they really work.  Any change to a message, no matter how
slight, will invalidate the signature.  So just wrap the text you plan
to clearsign before you post it to bugzilla.  Keeping it under 80
characters is sufficient as far as I can tell.]

> But I don't have a gpg key.  How do I get one?

Simple enough.  Use gpg to create one:

    $ gpg --gen-key

and follow the prompts.  The defaults should all be fine.  Just put in
your name and your email address and pick a good passphrase.

At the end of the process, there will be some lines that look similar
to this:

    pub  1024D/86182970 2004-02-06 Just A. Test <justa at test.com>
         Key fingerprint = E467 045D 0180 8726 F917  74A7 CA78 2901 8618 2970
    sub  1024g/76AC068B 2004-02-06

Take note of the string of letters and numbers after the pub 1024D.
This is your keyid.  In this case, that's 86182970.

> Is there anything I need to know about getting a key (size, type,
> content, etc)?

You could spend a long time studying the OpenPGP spec and the pros and
cons of the various algorithms, but you don't need to.  The defaults
will work just fine.

> How should I protect it once I have it?

The two main methods of protecting your key are your file system
security and the passphrase.  You want to keep anyone from stealing a
copy of your secret key.  If someone does manage such a thing, they
still have to guess your passphrase in order to use the key to do
anything nasty.  So keep your system secure and choose a strong
passphrase.

Also, it's best to generate a revocation certificate.  This is
something that can be used in case you ever lose your key, forget your
passphrase, or find that someone has compromised your system and
stolen your key.  That's done by running:

    $ gpg --gen-revoke $USERID

replacing $USERID with the keyid from when you generated your key.

Follow the prompts, enter your passphrase, and save the output
someplace safe, like on a CD.

(Note that you can also specify $USERID using your email address, see
the section titled "How to specify a user ID" in the gpg man page for
more details about this if you're curious.)

Finally, you should upload your key to a keyserver.  The Fedora.us
docs suggest pgp.mit.edu, so we'll stick with that one:

    $ gpg --keyserver pgp.mit.edu --send-key $USERID

To download the keys of other users, you can use:

    $ gpg --keyserver pgp.mit.edu --recv-keys $THEIR_KEYID

When people post a self introduction to the list, it should include
some information about their gpg key.   The output of this command is
what you want to send:

    $ gpg --fingerprint $USERID

It looks like this:

    $ gpg --fingerprint 86182970
    pub  1024D/86182970 2004-02-06 Just A. Test <justa at test.com>
         Key fingerprint = E467 045D 0180 8726 F917  74A7 CA78 2901 8618 2970
    sub  1024g/76AC068B 2004-02-06

Other sources of information that might prove useful to you are the
gnupg.org website, the fine manual that comes with gpg, the Fedora.us
Self Introduction wiki and the Fedora GPG mini-HOWTO, which is just a
post Warren made to the fedora-devel list a while back trying to get
some documentation started.  You'll notice, since there isn't a handy
HOWTO to send you to, that this documentation has yet to be written,
AFAIK.

Sorry for the verbosity.  It seems hard to even begin to cover gpg in
such a short amount of space.  I did a slightly more detailed, though
still pretty minimal presentation for a local LUG a while back.  That
was mainly focused on using gpg for securing email, but a lot of it
should be somewhat relevant to anyone just starting with gpg.  A copy
of that presentation is available at:

    http://pobox.com/~tmz/cplug/encryption-howto/siframes.html

I hope this helps a little.  I know that gpg can seem like a lot to
take in at once.  It's been an interest of mine for a long time, so
that was at least one thing I didn't have to learn in order to get
started trying to help out here.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Those who have been intoxicated with power... can never willingly
abandon it.
    -- Edmund Burke
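As an added example (not part of Todd's message or of any Fedora Legacy tooling), here is the md5sum half of the procedure above in Python: it pulls the signed text out of a clearsigned md5sum.asc, undoes gpg's dash-escaping, and checks each listed file the way `md5sum -c` does, skipping armor and signature lines. It assumes the .asc has already passed `gpg --verify`; the file names and digests built in `demo()` are constructed, and its signature block is a placeholder.

```python
import hashlib, os, re, tempfile

# md5sum's line format: 32 hex digits, a space, " " (text) or "*" (binary), then the name
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def clearsigned_body(text):
    """Signed text inside a gpg --clearsign file, with gpg's dash-escaping undone.
    This only extracts the body; the signature still has to pass `gpg --verify` first."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    i = start + 1
    while lines[i] != "":  # skip armor headers such as "Hash: SHA1"
        i += 1
    # gpg prefixes "- " to any signed line that itself starts with a dash
    return [ln[2:] if ln.startswith("- ") else ln for ln in lines[i + 1:end]]


def check_md5sums(asc_text, directory):
    """Like `md5sum -c md5sum.asc`: {filename: "OK" | "FAILED" | "MISSING"}.
    Lines that are not digest lines (armor, signature) are skipped, as md5sum does."""
    results = {}
    for line in clearsigned_body(asc_text):
        m = MD5_LINE.match(line)
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
            continue
        with open(path, "rb") as f:
            results[name] = "OK" if hashlib.md5(f.read()).hexdigest() == digest else "FAILED"
    return results


def demo():
    """Constructed scenario: one intact rpm, one altered after the list was signed, one never downloaded."""
    d = tempfile.mkdtemp()
    files = {"good.rpm": b"good package bytes", "bad.rpm": b"original bytes"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    body = "\n".join("%s  %s" % (hashlib.md5(v).hexdigest(), k) for k, v in files.items())
    body += "\n%s  gone.rpm" % ("0" * 32)
    # placeholder armor: the signature block below is fake, not a real gpg signature
    asc = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" + body +
           "\n-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n=xxxx\n-----END PGP SIGNATURE-----\n")
    with open(os.path.join(d, "bad.rpm"), "ab") as f:
        f.write(b" tampered")  # any change, however slight, breaks the digest
    return check_md5sums(asc, d)
```

The gpg step is deliberately not reimplemented here: a digest list is only worth checking after the signature on it is good.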
