[libvirt] Entering freeze for libvirt-1.2.8

Daniel Veillard veillard at redhat.com
Thu Aug 28 08:11:02 UTC 2014 

On Thu, Aug 28, 2014 at 09:25:22AM +0200, Richard Weinberger wrote:
> Am 28.08.2014 09:14, schrieb Daniel Veillard:
> > On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
> >> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard at redhat.com> wrote:
> >>>   So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
> >>
> >> Can you please sign the tarball too?
> > 
> >   Well, the source rpm is signed, you can check it and it contains the
> > tarball, so technically there is already a signed source out there.
> > Signing a tarballl means putting out an additional file and keeping
> > it forever, I could do that but hum ....
> 
> So everyone how wants to build libvirt from source and cares about data
> integrity has to unpack/verify the rpm?

  Assuming you already loaded my key with rpm --import from what I make
available on http://veillard.com/

  one download, and 2 automated rpm commands
wget ftp://libvirt.org/libvirt/libvirt-x.y.x-1.*.src.rpm

 even if you got DNS poisoning here, the following step would fail
that key wasn't 
rpm -K libvirt-x.y.x-1.*.src.rpm
rpm -i libvirt-x.y.x-1.*.src.rpm

  use the tar.gz in confidence

> Signing tarballs is nothing new nor rocket science.
> In times where the NSA tries to f*ck everyone at least some basic
> cryptographic arrangements should be applied.

  Give me a mechanism where one can do that checking as fast and in
a completely automated way and I  implement it :-)

> I know other projects are sloppy regarding signed releases too, this does
> not mean that libvirt should follow their bad example.

  I have not been sloppy, I have signed all the sources rpms from day 0
I also sign the corresponing git commits. The main issue is having a
clear, simple and failure proof process of checking a chunk of data
produced by the release. rpm has provided that for 15+ years. All the
alternatives I know require some human checking either by comparing
long strings of data or else.

> Come on... :-)

  I would return that TBH, come on people didn't provide something
completely automatable and human error proof to do this outside of
rpm. I'm willing to be educated if it's there, and add this to my
own process.

  I'm serious, I'm ready to add extra steps if I believe they are
automatable and human-error proof ! Show me the way :-)

Daniel

-- 
Daniel Veillard      | Open Source and Standards, Red Hat
veillard at redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/

More information about the libvir-list mailing list