Doron Fediuck wrote on Sun 29. 01. 2012 at 14:21 +0200:
> On 26/01/12 18:20, David Jaša wrote:
> > Doron Fediuck wrote on Thu 26. 01. 2012 at 11:01 -0500:
> >> +1 for the need.
> >> I think we should give md5 or similar hashes,
> >
> > There is already a file with md5 hashes in the repo but it has no meaning
> > wrt attack prevention because it is not accessible via https, let alone
> > HTTP Strict Transport Security, so it can be mangled by an attacker together
> > with the packages themselves.
> >
> Setting up https access is probably the way to go.
> We can sign the hash file as well, but that's just for binaries.
>
> >> and let distros do the signing.
> >>
> >
> > Distros take care of it during their package build process, no need to
> > worry about that. But if we offer packages on our site, they should
> > also be signed.
> >
> Actually, I just got the diff between our views;
> Indeed when you distribute binaries, I agree you should sign them.
> The thing is, I do not think we should distribute binaries. Fedora
> should distribute ovirt RPMs, and other distros should do the same
> using their own packaging mechanisms. For example, Gentoo will look
> for the sources tarball, and during the installation will d/l it,
> compile and deploy according to the relevant (signed) ebuild.
>
> This is why fundamental projects will give you such links:
> http://www.x.org/releases/X11R7.6/src/
> http://www.kernel.org/pub/linux/kernel/v3.x/
> http://kde.mirrorcatalogs.com/stable/4.8.0/
>
> You may also see rel-notes, change-log and docs, but no binaries.
>
> I'm aware of the fact many projects (postgres and others) provide
> binaries as well, but my view is that this is the distro's task
> to package & sign the binaries, and the project's task to provide
> a stable release tarball of sources.
>
I think we agree more than it seems. IMO we should provide binaries of just
development versions of oVirt for widely-used stable distributions which do
not have better ways to create custom repos (like OpenSuse Build Service or
Ubuntu PPA); we do this for Fedora, and Debian would be a good candidate, too.

David

> > David
> >

--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

_______________________________________________
Board mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/board
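The thread's two points (a checksum file served over the same plain-HTTP channel as the packages stops nothing, and signing the hash file does) as a runnable demo. This is an added example and not oVirt's or the list members' own tooling: it generates a throwaway OpenPGP key, publishes a tarball plus a SHA256SUMS file with a detached signature, lets a simulated man-in-the-middle rewrite both the tarball and the checksum file, and then runs a hash-only client and a signature-aware client against both the clean and the tampered copy. Assumptions: GnuPG 2.x (`gpg`, `gpgconf`) and GNU coreutils `sha256sum` are on PATH; the key identity, file names and the attacker step are constructed for the demo; SHA-256 stands in for the md5 mentioned in the thread.

```shell
#!/bin/sh
# Added example, not oVirt tooling. Shows why an unsigned checksum file
# fetched over plain HTTP gives no protection against a man-in-the-middle,
# and how a detached OpenPGP signature over that file catches the tampering.
# Assumptions: GnuPG 2.x and GNU sha256sum installed; key identity, file
# names and the "attacker" step below are constructed for this demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"          # isolated keyring, never touches ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Non-interactive gpg for the demo key (empty passphrase; a real release key
# lives offline and in practice is imported by the client from a trusted source).
gpg_batch() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

gpg_batch --quick-generate-key 'oVirt Release Example <release@example.invalid>' \
    default default never 2>/dev/null

# Release side: tarball, checksum file, detached armored signature over the sums.
make_release() {
    mkdir -p "$1"
    printf 'legitimate package contents\n' > "$1/ovirt-engine-3.0.tar.gz"
    ( cd "$1" && sha256sum ovirt-engine-3.0.tar.gz > SHA256SUMS )
    gpg_batch --detach-sign --armor --output "$1/SHA256SUMS.asc" "$1/SHA256SUMS"
}

# Attacker on the plain-HTTP path: replace the tarball AND regenerate the
# checksum file so the sums still match. The signature cannot be regenerated
# without the private key, so SHA256SUMS.asc is left as it was.
tamper() {
    printf 'backdoored package contents\n' > "$1/ovirt-engine-3.0.tar.gz"
    ( cd "$1" && sha256sum ovirt-engine-3.0.tar.gz > SHA256SUMS )
}

# Client A: only what an unsigned md5/sha file buys you. 0 = sums match.
check_hashes_only() {
    ( cd "$1" && sha256sum --quiet -c SHA256SUMS ) >/dev/null 2>&1
}

# Client B: verify the detached signature over SHA256SUMS first, then the sums.
# 0 only if both pass; an untrusted-key warning from gpg does not change the status.
check_signed() {
    gpg --batch --quiet --verify "$1/SHA256SUMS.asc" "$1/SHA256SUMS" >/dev/null 2>&1 &&
        check_hashes_only "$1"
}

GOOD="$WORK/good"; MITM="$WORK/mitm"
make_release "$GOOD"
make_release "$MITM"
tamper "$MITM"

# Print a verdict without tripping set -e on the expected failure.
verdict() {
    label=$1; shift
    if "$@"; then echo "$label: PASS"; else echo "$label: FAIL"; fi
}
verdict "hash-only, untouched mirror" check_hashes_only "$GOOD"
verdict "hash-only, tampered mirror " check_hashes_only "$MITM"   # PASS: attacker rewrote the sums too
verdict "signed,    untouched mirror" check_signed "$GOOD"
verdict "signed,    tampered mirror " check_signed "$MITM"        # FAIL: signature no longer covers the new sums
```

The hash-only client passes on the tampered mirror, which is exactly David's objection to the existing md5 file: anything the attacker can rewrite alongside the packages is not a check. The signed client fails because `SHA256SUMS.asc` was made with a key the attacker does not hold; serving the signed checksum file over https (or, as Doron suggests, leaving binaries and their signing to the distros) is what turns the hash list into an integrity check.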
