On Thu, Aug 28, 2014 at 09:25:22AM +0200, Richard Weinberger wrote:
> On 28.08.2014 09:14, Daniel Veillard wrote:
> > On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
> >> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@xxxxxxxxxx> wrote:
> >>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
> >>
> >> Can you please sign the tarball too?
> >
> > Well, the source rpm is signed, you can check it and it contains the
> > tarball, so technically there is already a signed source out there.
> > Signing a tarball means putting out an additional file and keeping
> > it forever, I could do that but hum ....
>
> So everyone who wants to build libvirt from source and cares about data
> integrity has to unpack/verify the rpm?

  Assuming you already loaded my key with rpm --import from what I
make available on http://veillard.com/

one download, and 2 automated rpm commands

  wget ftp://libvirt.org/libvirt/libvirt-x.y.x-1.*.src.rpm

even if you got DNS poisoning here, the following step would fail
that key wasn't

  rpm -K libvirt-x.y.x-1.*.src.rpm
  rpm -i libvirt-x.y.x-1.*.src.rpm

use the tar.gz in confidence

> Signing tarballs is nothing new nor rocket science.
> In times where the NSA tries to f*ck everyone at least some basic
> cryptographic arrangements should be applied.

  Give me a mechanism where one can do that checking as fast and
in a completely automated way and I implement it :-)

> I know other projects are sloppy regarding signed releases too, this does
> not mean that libvirt should follow their bad example.

  I have not been sloppy, I have signed all the source rpms from day 0
I also sign the corresponding git commits. The main issue is having a clear,
simple and failure proof process of checking a chunk of data produced
by the release. rpm has provided that for 15+ years. All the alternatives
I know require some human checking either by comparing long strings of
data or else.

> Come on...

  :-)

  I would return that TBH, come on people didn't provide something
completely automatable and human error proof to do this outside of rpm.
I'm willing to be educated if it's there, and add this to my own process.

  I'm serious, I'm ready to add extra steps if I believe they are
automatable and human-error proof ! Show me the way :-)

Daniel

--
Daniel Veillard      | Open Source and Standards, Red Hat
veillard@xxxxxxxxxx  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
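
An added example, not part of the original message or of libvirt's release process: a wrapper for the `rpm -K` step above that a build script can call. `rpm -K` also exits 0 for a package that carries no signature at all (it reports only the digests), and it accepts a signature from any key in the rpm keyring, so the wrapper insists that a passed signature check appears in the output. The function names `rpm_sig_verdict` and `verify_srpm` are hypothetical.

```shell
#!/bin/sh
# Classify one line of `rpm -K` (rpm --checksig) output.
# Prints signed | unsigned | bad | unknown; returns 0 only for "signed".
#
# rpm names each check it ran: lowercase means the check passed,
# UPPERCASE means it failed. Newer rpm prints "digests signatures OK",
# older rpm prints e.g. "rsa sha1 (md5) pgp md5 OK". An unsigned
# package prints only digest names, still ends in OK and exits 0.
rpm_sig_verdict() {
    # Drop the leading "filename: " so only checks and verdict remain.
    result=${1#*: }

    case "$result" in
        *"NOT OK"*) echo "bad"; return 1 ;;   # failed check or missing key
    esac
    case "$result" in
        *OK) ;;
        *) echo "unknown"; return 1 ;;        # not a form we recognise
    esac

    # Verdict is OK: require at least one passed signature check.
    for tok in $result; do
        case "$tok" in
            signatures|pgp|gpg|rsa|dsa) echo "signed"; return 0 ;;
        esac
    done
    echo "unsigned"
    return 1
}

# Run the check on a downloaded source rpm. LC_ALL=C keeps rpm's
# output in the untranslated form that rpm_sig_verdict parses.
verify_srpm() {
    out=$(LC_ALL=C rpm -K "$1" 2>/dev/null) || { echo "bad"; return 1; }
    rpm_sig_verdict "$out"
}

# Usage in a build script (file name as in the message above):
#   verify_srpm libvirt-x.y.x-1.src.rpm && rpm -i libvirt-x.y.x-1.src.rpm
```

To pin the check to one signer rather than the whole keyring, import only that key into a dedicated rpm database and point `rpm` at it with `--dbpath`.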