Re: Fedora Source-git SIG report #1 (June 2021)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Le 6/25/21 à 2:51 PM, Neal Gompa a écrit :

On Fri, Jun 25, 2021 at 3:43 AM Zbigniew Jędrzejewski-Szmek
<zbyszek@xxxxxxxxx> wrote:


On Fri, Jun 25, 2021 at 03:49:23AM +0000, Dan Čermák wrote:



On June 24, 2021 9:22:51 PM UTC, "Miro Hrončok" <mhroncok@xxxxxxxxxx> wrote:

On 24. 06. 21 23:07, Miroslav Suchý wrote:

Dne 24. 06. 21 v 15:48 Tomas Tomecek napsal(a):

One thing to consider is that the upstream tarballs might be

cryptographically

signed and packages should verify the signature in %prep.

This is a very good point - in such a case, we should always pull

the

official upstream tarball instead of generating a new one downstream


Does it matter? If you are able to generate byte2byte identical

tarball then

you can choose any of them.


AFAIK git does not grantee to produce byte2byte identical archives
across
different versions of git, zlib, gzip etc. So even if upstream signs
the git
generated archive, generating a byte2byte identical one might be
tricky.


Especially with xz, which iirc has reproducibility issues in parallel mode.


I think we should try to push upstream to sign git tags, instead or in
addition to tarballs. For upstreams, this is actually much easier
(just 'git tag' → 'git tag -s' and you're done) compared to e.g. signing
a tarball on github which requires some interaction with the web service.



As an upstream, I would literally *never* GPG sign git tags. If you
ask me to do that, I won't. It's far too annoying to deal with for me
to be willing to suffer through that.

I'm not going to ask people to do something I would be unwilling to do myself.


What about only version tags? You could do some git/bash alias to create commit version + signed tag at once. For example, we do that on Qubes OS and that's not more work that just committing the version.

Best,
Frédéric

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux