Doron Fediuck wrote on Sun 29. 01. 2012 at 14:21 +0200:
> On 26/01/12 18:20, David Jaša wrote:
>> Doron Fediuck wrote on Thu 26. 01. 2012 at 11:01 -0500:
>>> +1 for the need.
>>> I think we should give md5 or similar hashes,
>> There is already a file with md5 hashes in the repo but it has no meaning
>> wrt attack prevention because it is not accessible via https, let alone
>> HTTP Strict Transport Security, so it can be mangled by an attacker together
>> with packages themselves.
> Setting up https access is probably the way to go.
> We can sign the hash file as well, but that's just for binaries.
>>> and let distros do the signing.
>> Distros take care of it during their package build process, no need to
>> worry about that. But if we offer packages on our site, they should be
>> also signed.
> Actually, I just got the diff between our views;
> Indeed when you distribute binaries, I agree you should sign it.
> The thing is, I do not think we should distribute binaries. Fedora
> should distribute ovirt RPMs, and other distros should do the same
> using their own packaging mechanisms. For example, Gentoo will look
> for the sources tarball, and during the installation will d/l it,
> compile and deploy according to the relevant (signed) ebuild.
> This is why fundamental projects will give you such links:
> You may also see rel-notes, change-log and docs, but no binaries.
> I'm aware of the fact many projects (postgres and others) provide
> binaries as well, but my view is that this is the distro's task
> to package & sign the binaries, and the project's task to provide
> a stable release tarball of sources.
I think we agree more than it seems. IMO we should provide binaries of
just development versions of oVirt for widely-used stable distributions
which do not have better ways to create custom repos (like openSUSE
Build Service or Ubuntu PPA) - we do this for Fedora, Debian would be a
good candidate, too.
That's good, but it looks like we put the carriage in front of the horses;
I mean that we work hard to produce RPMs (RC available), while there's
no simple https access to fetch tarballs with md5 (or whatever hash) file.
May we please add
It should include something like this:
-nightly (bleeding edge tarballs)
-latest-stable (current rc, and release when ready)
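
The point made in the thread, that a hash file fetched over the same unauthenticated channel as the packages can be replaced together with them, shown as an added example that is not part of the original messages. The file name, byte strings and the pinned SHA-256 digest are constructed; the pinned digest stands in for any trust anchor obtained out of band (an HTTPS fetch or a verified signature on the hash file).

```python
import hashlib

def parse_manifest(text):
    """Parse md5sum-style lines ('<hex digest>  <filename>') into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # md5sum marks binary mode with a leading '*' on the file name.
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def matches_manifest(name, data, manifest_text):
    """True if data hashes to the digest the manifest lists for name."""
    expected = parse_manifest(manifest_text).get(name)
    return expected is not None and hashlib.md5(data).hexdigest() == expected

def manifest_is_trusted(manifest_text, pinned_sha256):
    """Check the manifest itself against a digest obtained out of band."""
    return hashlib.sha256(manifest_text.encode()).hexdigest() == pinned_sha256

def verify_download(name, data, manifest_text, pinned_sha256):
    """Accept only if the manifest is authentic AND the file matches it."""
    return (manifest_is_trusted(manifest_text, pinned_sha256)
            and matches_manifest(name, data, manifest_text))

# Constructed sample data: what the project published.
NAME = "example-src.tar.gz"
GOOD = b"original source tarball bytes"
GOOD_MANIFEST = f"{hashlib.md5(GOOD).hexdigest()}  {NAME}\n"
PINNED = hashlib.sha256(GOOD_MANIFEST.encode()).hexdigest()

# Constructed tampering: file and manifest replaced together in transit.
BAD = b"modified tarball bytes"
BAD_MANIFEST = f"{hashlib.md5(BAD).hexdigest()}  {NAME}\n"

if __name__ == "__main__":
    print("hash-only check, tampered pair:", matches_manifest(NAME, BAD, BAD_MANIFEST))
    print("anchored check, tampered pair: ", verify_download(NAME, BAD, BAD_MANIFEST, PINNED))
    print("anchored check, genuine pair:  ", verify_download(NAME, GOOD, GOOD_MANIFEST, PINNED))
```

The hash-only check accepts the tampered pair because both halves came from the same untrusted source; only the check anchored outside that channel rejects it.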
"Email returned to sender -- insufficient voltage."