package signing

Doron Fediuck dfediuck at redhat.com
Mon Jan 30 19:25:03 UTC 2012


On 30/01/12 16:13, David Jaša wrote:
> Doron Fediuck wrote on Sun 29. 01. 2012 at 14:21 +0200:
>> On 26/01/12 18:20, David Jaša wrote:
>>> Doron Fediuck wrote on Thu 26. 01. 2012 at 11:01 -0500:
>>>> +1 for the need.
>>>> I think we should give md5 or similar hashes, 
>>>
>>> There is already a file with md5 hashes in the repo but it has no meaning
>>> wrt attack prevention because it is not accessible via https, let alone
>>> HTTP Strict Transport Security, so it can be mangled by an attacker together
>>> with the packages themselves.
>>>
>> Setting up https access is probably the way to go.
>> We can sign the hash file as well, but that's just for binaries.
>>
>>>> and let distros do the signing.
>>>>
>>>
>>> Distros take care of it during their package build process, no need to
>>> worry about that. But if we offer packages on our site, they should be
>>> also signed.
>>>
>> Actually, I just got the diff between our views;
>> Indeed when you distribute binaries, I agree you should sign it.
>> The thing is, I do not think we should distribute binaries. Fedora
>> should distribute ovirt RPMs, and other distros should do the same
>> using their own packaging mechanisms. For example, Gentoo will look
>> for the sources tarball, and during the installation will d/l it,
>> compile and deploy according to the relevant (signed) ebuild.
>>
>> This is why fundamental projects will give you such links:
>> http://www.x.org/releases/X11R7.6/src/
>> http://www.kernel.org/pub/linux/kernel/v3.x/
>> http://kde.mirrorcatalogs.com/stable/4.8.0/
>>
>> You may also see rel-notes, change-log and docs, but no binaries.
>>
>> I'm aware of the fact many projects (postgres and others) provide
>> binaries as well, but my view is that this is the distro's task
>> to package & sign the binaries, and the project's task to provide
>> a stable release tarball of sources.
>>
> 
> I think we agree more than it seems. IMO we should provide binaries of
> just development versions of oVirt for widely-used stable distributions
> which do not have better ways to create custom repos (like OpenSuse
> Build Service or Ubuntu PPA) - we do this for Fedora, Debian would be a
> good candidate, too.
> 
> David
> 
That's good, but it looks like we put the carriage in front of the horses;
I mean that we work hard to produce RPMs (RC available), while there's
no simple https access to fetch tarballs with md5 (or whatever hash) file.

May we please add https://www.ovirt.org/project/downloads/ ?
It should include something like this:

downloads/
  |
  \-- nightly (bleeding edge tarballs)
  |
  \-- latest-stable (current rc, and release when ready)

-- 

/d

"Email returned to sender -- insufficient voltage."
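The point made in the thread above, shown as an added Python example that is not part of the mailing-list discussion: a hash file served next to the packages over plain HTTP catches nothing, because whoever can replace the packages can rewrite the hash file too, while a hash file obtained over https or checked against a detached GPG signature does catch a substituted tarball. File names and contents are constructed samples; the signature check on the trusted manifest is assumed to have been done (e.g. with gpg) before it is used here.

```python
import hashlib
import re

# Constructed sample release: the tarball upstream published and the
# md5sum-style hash file that sits beside it on the download site.
GENUINE_TARBALL = b"ovirt-engine-3.0.0.tar.gz: genuine contents (constructed sample)"
GENUINE_MANIFEST = "%s  ovirt-engine-3.0.0.tar.gz\n" % hashlib.md5(GENUINE_TARBALL).hexdigest()

# What a mirror that has been tampered with could serve instead: a modified
# tarball together with a hash file rewritten to match it (constructed sample).
TAMPERED_TARBALL = b"ovirt-engine-3.0.0.tar.gz: modified contents (constructed sample)"
TAMPERED_MANIFEST = "%s  ovirt-engine-3.0.0.tar.gz\n" % hashlib.md5(TAMPERED_TARBALL).hexdigest()

# md5sum/sha256sum line format: "<hex digest>  <name>" (or "<hex> *<name>" for binary mode)
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](\S.*)$")

def parse_manifest(text):
    """Parse md5sum/sha256sum style lines into {file name: hex digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % raw)
        entries[m.group(2)] = m.group(1).lower()
    return entries

def verify_files(manifest_text, files, algorithm="md5"):
    """Return {name: True/False} for every file listed in the manifest.
    A listed file that was not downloaded at all counts as a failure."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        data = files.get(name)
        if data is None:
            results[name] = False
            continue
        results[name] = hashlib.new(algorithm, data).hexdigest() == digest
    return results

def check_with_untrusted_manifest():
    """Hash file fetched from the same plain-HTTP location as the package:
    both were rewritten together, so the check passes and detects nothing."""
    return verify_files(TAMPERED_MANIFEST, {"ovirt-engine-3.0.0.tar.gz": TAMPERED_TARBALL})

def check_with_trusted_manifest():
    """Hash file obtained over an authenticated channel (https, or a copy whose
    detached GPG signature was verified first): the substituted tarball is caught."""
    return verify_files(GENUINE_MANIFEST, {"ovirt-engine-3.0.0.tar.gz": TAMPERED_TARBALL})
```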
