Doron Fediuck wrote on Sun 29. 01. 2012 at 14:21 +0200:
> On 26/01/12 18:20, David Jaša wrote:
>> Doron Fediuck wrote on Thu 26. 01. 2012 at 11:01 -0500:
>>> +1 for the need.
>>> I think we should give md5 or similar hashes,
>>
>> There is already a file with md5 hashes in the repo, but it has no meaning
>> wrt attack prevention because it is not accessible via https, let alone
>> HTTP Strict Transport Security, so it can be mangled by an attacker together
>> with the packages themselves.
>>
> Setting up https access is probably the way to go.
> We can sign the hash file as well, but that's just for binaries.
>
>>> and let distros do the signing.
>>>
>>
>> Distros take care of it during their package build process, no need to
>> worry about that. But if we offer packages on our site, they should be
>> also signed.
>>
> Actually, I just got the diff between our views;
> Indeed when you distribute binaries, I agree you should sign them.
> The thing is, I do not think we should distribute binaries. Fedora
> should distribute ovirt RPMs, and other distros should do the same
> using their own packaging mechanisms. For example, Gentoo will look
> for the sources tarball, and during the installation will d/l it,
> compile and deploy according to the relevant (signed) ebuild.
>
> This is why fundamental projects will give you such links:
>
http://www.x.org/releases/X11R7.6/src/
>
http://www.kernel.org/pub/linux/kernel/v3.x/
>
http://kde.mirrorcatalogs.com/stable/4.8.0/
>
> You may also see rel-notes, change-log and doc's, but no binaries.
>
> I'm aware of the fact many projects (postgres and others) provide
> binaries as well, but my view is that this is the distro's task
> to package & sign the binaries, and the project's task to provide
> a stable release tarball of sources.
>
I think we agree more than it seems. IMO we should provide binaries of
just development versions of oVirt for widely-used stable distributions
which do not have better ways to create custom repos (like OpenSuse
Build Service or Ubuntu PPA) - we do this for Fedora, Debian would be a
good candidate, too.
David
That's good, but it looks like we put the carriage in front of the horses;
I mean that we work hard to produce RPMs (RC available), while there's
no simple https access to fetch tarballs with md5 (or whatever hash) file.
May we please add
?
It should include something like this:
|
\-nightly (bleeding edge tarballs)
|
\-latest-stable (current rc, and release when ready)
--
/d
"Email returned to sender -- insufficient voltage."
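The thread's security point, that a hash file served over the same unauthenticated channel as the tarball protects nothing because whoever replaces the tarball can regenerate the hash file, is easy to state and easy to get wrong in a download script. The following is an added example, not code from the oVirt project or from anyone in the thread: it parses the coreutils checksum format (`md5sum`/`sha256sum -c` style) and verifies a tarball against it, then models the two download flows on constructed in-memory data. The file name `ovirt-engine-3.0.tar.gz` and the tarball contents are hypothetical; no network access is made. The thread talks about md5, so the default algorithm is md5, but the hash algorithm is a parameter so the same code checks a SHA256SUMS file, which is what should be published given that MD5's collision resistance is broken.

```python
"""Checksum-file verification for release tarballs, and a demonstration
of why a hash file fetched over the same unauthenticated channel as the
tarball adds no protection.

Added example; not oVirt project code. All data is constructed in memory.
"""
import hashlib
import hmac


def parse_sums(text):
    """Parse coreutils-style checksum lines ('HEXDIGEST  FILENAME', as
    written by md5sum/sha256sum) into {filename: hexdigest}.
    A leading '*' on the filename marks binary mode in that format."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % raw)
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def make_sums(files, algo="md5"):
    """Write checksum-file text for {filename: bytes}; the inverse of parse_sums."""
    return "".join(
        "%s  %s\n" % (hashlib.new(algo, data).hexdigest(), name)
        for name, data in files.items()
    )


def verify(name, data, sums, algo="md5"):
    """True iff `data` hashes (with `algo`) to the digest recorded for `name`.
    A missing entry fails closed; the comparison is constant-time."""
    expected = sums.get(name)
    if expected is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def mirror_attack_scenario():
    """Model two download flows for one tarball and report what each
    verification decides. Names and contents are hypothetical."""
    tarball = "ovirt-engine-3.0.tar.gz"
    genuine = b"genuine release tarball bytes"    # constructed stand-in
    trojaned = b"trojaned release tarball bytes"  # attacker's substitute

    # Checksum file as published by the project.
    published_sums = parse_sums(make_sums({tarball: genuine}))

    # An attacker who controls the plain-HTTP mirror (or the path to it)
    # serves a modified tarball AND a regenerated MD5SUMS matching it.
    attacker_sums = parse_sums(make_sums({tarball: trojaned}))

    # Flow 1: tarball and MD5SUMS both fetched from the untrusted mirror.
    # Verification passes; the hash file told the client nothing.
    accepted_by_mirror_sums = verify(tarball, trojaned, attacker_sums)

    # Flow 2: tarball from the mirror, checksum file from an authenticated
    # source (HTTPS from the project site, or a signed MD5SUMS whose
    # signature was verified before use). The substitution is caught.
    accepted_by_pinned_sums = verify(tarball, trojaned, published_sums)

    # Sanity check: the genuine tarball passes against the published file.
    genuine_ok = verify(tarball, genuine, published_sums)

    return {
        "unauthenticated_hashfile_accepts_trojan": accepted_by_mirror_sums,
        "authenticated_hashfile_accepts_trojan": accepted_by_pinned_sums,
        "genuine_tarball_accepted": genuine_ok,
    }


if __name__ == "__main__":
    for key, value in mirror_attack_scenario().items():
        print("%s: %s" % (key, value))
```

The two flows differ only in where the checksum file came from, which is the whole point: the digest check is only as trustworthy as the channel (HTTPS) or the signature that delivered the digests, so the verification code should refuse to run against a hash file it cannot authenticate.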