[libvirt] Entering freeze for libvirt-1.2.21

Daniel Veillard veillard at redhat.com
Sat Oct 31 11:52:49 UTC 2015


On Sat, Oct 31, 2015 at 11:40:22AM +0100, Guido Günther wrote:
> Hi Daniel,
> On Sat, Oct 31, 2015 at 02:01:54PM +0800, Daniel Veillard wrote:
> >   Hi Guido,
> > 
> > On Fri, Oct 30, 2015 at 10:00:41PM +0100, Guido Günther wrote:
> > > On Thu, Oct 29, 2015 at 03:28:51PM +0800, Daniel Veillard wrote:
> > > >   As pointed out on Tuesday it's time for a new release. I have tagged
> > > > the release candidate 1 in git and pushed signed tarball and rpms to
> > > > the usual place at:
> > > > 
> > > >    ftp://libvirt.org/libvirt/
> > > > 
> > > >   Based on my limited testing this works just fine, but that's very limited
> > > > and doesn't test portability at all, so please give it a try !
> > > 
> > > I'm having trouble verifying the signature:
> > > 
> > > $ gpg --verify libvirt-1.2.21-rc1.tar.gz.pgp libvirt-1.2.21-rc1.tar.gz
> > > gpg: Signature made Do 29 Okt 2015 07:41:52 CET
> > > gpg:                using DSA key 0x4606B8A5DE95BC1F
> > > gpg: please do a --check-trustdb
> > > gpg: BAD signature from "Daniel Veillard (Red Hat work email) <veillard at redhat.com>" [unknown]
> > > 
> > > while verifying e.g. 1.2.20 works as expected.
> > 
> >   Hum, where is libvirt-1.2.21-rc1.tar.gz.pgp coming from ? I only uploaded
> > libvirt-1.2.21-rc1.tar.gz.asc !
> 
> It's the same file. Debian's uscan just renames it after download.
> 
> > 
> >   that said indeed there is an issue with rc1 signing ...
> > 
> > [root at libvirt libvirt]# gpg2 --keyserver hkp://pgp.mit.edu --recv-keys DE95BC1F
> > gpg: requesting key DE95BC1F from hkp server pgp.mit.edu
> > gpg: /root/.gnupg/trustdb.gpg: trustdb created
> > gpg: key DE95BC1F: public key "Daniel Veillard (Red Hat work email) <veillard at redhat.com>" imported
> > gpg: no ultimately trusted keys found
> > gpg: Total number processed: 1
> > gpg:               imported: 1
> > [root at libvirt libvirt]# gpg --verify libvirt-1.2.20.tar.gz.asc libvirt-1.2.20.tar.gz
> > gpg: Signature made Fri 02 Oct 2015 01:12:08 PM CEST using DSA key ID DE95BC1F
> > gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard at redhat.com>"
> > gpg:                 aka "Daniel Veillard <Daniel.Veillard at w3.org>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
> > [root at libvirt libvirt]# gpg --verify libvirt-1.2.21-rc1.tar.gz.asc libvirt-1.2.21-rc1.tar.gz
> > gpg: Signature made Thu 29 Oct 2015 07:41:52 AM CET using DSA key ID DE95BC1F
> > gpg: BAD signature from "Daniel Veillard (Red Hat work email) <veillard at redhat.com>"
> > [root at libvirt libvirt]#
> > 
> >   I verified, the libvirt-1.2.21-rc1.tar.gz.asc present on libvirt server is
> > the same that I have left in my working dir of the machine where I assembled
> > the release.
> >   On the other hand libvirt-1.2.21-rc1.tar.gz diverges
> > 
> > thinkpad2:~/libvirt -> sha256sum libvirt-1.2.21-rc1.tar.gz
> > 3cc9f2882a145562ee41b8369a8c3d1cb0f383fe13c3e39ac923f712bf8614d0  libvirt-1.2.21-rc1.tar.gz
> > thinkpad2:~/libvirt ->
> > 
> > and 
> > 
> > [root at libvirt libvirt]# sha256sum libvirt-1.2.21-rc1.tar.gz
> > 00cce64d4eb906f294921effab7b0128dbded46da614f9d88681abdb80af0ae2  libvirt-1.2.21-rc1.tar.gz
> > [root at libvirt libvirt]# 
> > 
> >   I remember that I interrupted the rsync when pushing the release and restarted
> > it; this may have introduced that divergence. I reuploaded the rc1:
> > 
> > [root at libvirt libvirt]# sha256sum libvirt-1.2.21-rc1.tar.gz
> > 3cc9f2882a145562ee41b8369a8c3d1cb0f383fe13c3e39ac923f712bf8614d0  libvirt-1.2.21-rc1.tar.gz
> > [root at libvirt libvirt]# sha256sum libvirt-1.2.21-rc1.tar.gz.asc
> > 9bfb1fe53c5d1457d5bc6a4f7ce4661ad925210f9ab2708bd0c523accf16f5e5  libvirt-1.2.21-rc1.tar.gz.asc
> > [root at libvirt libvirt]# gpg --verify libvirt-1.2.21-rc1.tar.gz.asc libvirt-1.2.21-rc1.tar.gz
> > gpg: Signature made Thu 29 Oct 2015 07:41:52 AM CET using DSA key ID DE95BC1F
> > gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard at redhat.com>"
> > gpg:                 aka "Daniel Veillard <Daniel.Veillard at w3.org>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
> > [root at libvirt libvirt]# 
> > 
> >   and that version is fine,
> 
> Indeed. With the new tarball it verifies correctly. Thanks!

 Good, and after verifications the old one was really broken:

thinkpad2:/tmp -> tar xvzf libvirt-1.2.21-rc1.tar.gz.broken
....
libvirt-1.2.21/po/hi.po

gzip: stdin: unexpected end of file
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
thinkpad2:/tmp ->

  So it's a case of restarting an rsync -P after a user interruption where
the copied file ends up being corrupted; there is a bug somewhere but nothing
malicious :-)

Daniel

> Cheers,
>  -- Guido
> 
> > 
> >    thanks for the heads-up !
> > 
> > Daniel
> > 
> > -- 
> > Daniel Veillard      | Open Source and Standards, Red Hat
> > veillard at redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
> > http://veillard.com/ | virtualization library  http://libvirt.org/
> > 

-- 
Daniel Veillard      | Open Source and Standards, Red Hat
veillard at redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/
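
The hand comparison in this thread (sha256sum on both copies, then unpacking the bad one) can be scripted. The following is an added example, not part of the original messages: the helper names `triage_copy`, `gzip_intact` and `make_samples` and all file names are assumptions, and the sample archives are constructed. A "truncated" verdict is consistent with a cut-off transfer; `gpg --verify` on the re-uploaded file remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the thread): triage a published tarball that fails
# verification, using the release manager's local copy as the reference.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# gzip -t decompresses the whole stream and checks the CRC32/length trailer,
# so a cut-off upload fails here just as it did for tar in the thread.
gzip_intact() { gzip -t "$1" 2>/dev/null; }

# Prints one verdict for the published copy:
#   identical  same SHA-256 as the reference
#   truncated  shorter, and every byte present matches the reference
#   differs    content changed; not explained by a cut-off transfer
triage_copy() {
    ref=$1 pub=$2
    if [ "$(sha256_of "$ref")" = "$(sha256_of "$pub")" ]; then
        echo identical; return 0
    fi
    ref_size=$(( $(wc -c < "$ref") )) pub_size=$(( $(wc -c < "$pub") ))
    if [ "$pub_size" -lt "$ref_size" ] &&
       head -c "$pub_size" "$ref" | cmp -s - "$pub"; then
        echo truncated; return 0
    fi
    echo differs
}

# Constructed sample files; names are placeholders, not the libvirt artifacts.
make_samples() {
    dir=$(mktemp -d)
    seq 1 20000 > "$dir/payload"
    tar -czf "$dir/ref.tar.gz" -C "$dir" payload
    cp "$dir/ref.tar.gz" "$dir/good.tar.gz"
    half=$(( $(wc -c < "$dir/ref.tar.gz") / 2 ))
    # Simulate an interrupted copy: keep only the first half of the archive.
    head -c "$half" "$dir/ref.tar.gz" > "$dir/cut.tar.gz"
    # Same size, changed bytes: every 0x1f (incl. the gzip magic) becomes 0x20.
    LC_ALL=C tr '\037' '\040' < "$dir/ref.tar.gz" > "$dir/alt.tar.gz"
    echo "$dir"
}

samples=$(make_samples)
for f in good cut alt; do
    if gzip_intact "$samples/$f.tar.gz"; then gz=ok; else gz=corrupt; fi
    echo "$f: $(triage_copy "$samples/ref.tar.gz" "$samples/$f.tar.gz"), gzip $gz"
done
```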



