On 30/01/12 16:13, David Jaša wrote:
> Doron Fediuck wrote on Sun 29 Jan 2012 at 14:21 +0200:
>> On 26/01/12 18:20, David Jaša wrote:
>>> Doron Fediuck wrote on Thu 26 Jan 2012 at 11:01 -0500:
>>>> +1 for the need.
>>>> I think we should give md5 or similar hashes,
>>>
>>> There is already a file with md5 hashes in the repo but it has no meaning
>>> wrt attack prevention because it is not accessible via https, let alone
>>> HTTP Strict Transport Security, so it can be mangled by an attacker together
>>> with the packages themselves.
>>>
>> Setting up https access is probably the way to go.
>> We can sign the hash file as well, but that's just for binaries.
>>
>>>> and let distros do the signing.
>>>>
>>>
>>> Distros take care of it during their package build process, no need to
>>> worry about that. But if we offer packages on our site, they should be
>>> also signed.
>>>
>> Actually, I just got the diff between our views;
>> Indeed when you distribute binaries, I agree you should sign it.
>> The thing is, I do not think we should distribute binaries. Fedora
>> should distribute ovirt RPMs, and other distros should do the same
>> using their own packaging mechanisms. For example, Gentoo will look
>> for the sources tarball, and during the installation will d/l it,
>> compile and deploy according to the relevant (signed) ebuild.
>>
>> This is why fundamental projects will give you such links:
>> http://www.x.org/releases/X11R7.6/src/
>> http://www.kernel.org/pub/linux/kernel/v3.x/
>> http://kde.mirrorcatalogs.com/stable/4.8.0/
>>
>> You may also see rel-notes, change-log and docs, but no binaries.
>>
>> I'm aware of the fact many projects (postgres and others) provide
>> binaries as well, but my view is that this is the distro's task
>> to package & sign the binaries, and the project's task to provide
>> a stable release tarball of sources.
>>
>
> I think we agree more than it seems. IMO we should provide binaries of
> just development versions of oVirt for widely-used stable distributions
> which do not have better ways to create custom repos (like OpenSuse
> Build Service or Ubuntu PPA) - we do this for Fedora, Debian would be a
> good candidate, too.
>
> David
>

That's good, but it looks like we put the carriage in front of the horses;
I mean that we work hard to produce RPMs (RC available), while there's no
simple https access to fetch tarballs with md5 (or whatever hash) file.

May we please add https://www.ovirt.org/project/downloads/ ?
It should include something like this:

|
\-nightly (bleeding edge tarballs)
|
\-latest-stable (current rc, and release when ready)

-- 
/d
"Email returned to sender -- insufficient voltage."
_______________________________________________
Board mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/board
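An added example, not code from this thread or from the oVirt project, illustrating David's point that a hash file served over the same plain-http channel as the tarball gives no protection, while a hash file anchored to something fetched out of band (here a pinned digest standing in for the https/signature check Doron proposes) does. The tarball bytes, file name and digests are constructed for the example; sha256 is used in place of md5.

```python
import hashlib

# Constructed stand-in for a release artefact and its sha256sum-style hash file.
NAME = "ovirt-engine-3.0.tar.gz"
GENUINE_TARBALL = b"ovirt-engine-3.0.tar.gz: genuine release bytes (constructed)"
GENUINE_HASH_FILE = hashlib.sha256(GENUINE_TARBALL).hexdigest() + "  " + NAME + "\n"

# Constructed trust anchor: in practice this is what https (or a detached
# signature on the hash file, verified with a key obtained out of band) gives
# you - a reference the download channel itself cannot alter.
TRUSTED_HASH_FILE_DIGEST = hashlib.sha256(GENUINE_HASH_FILE.encode()).hexdigest()


def parse_hash_file(text):
    """Parse 'digest  filename' lines (sha256sum/md5sum format) into a dict."""
    digests = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition("  ")
        if digest and name:
            digests[name] = digest.lower()
    return digests


def verify_same_channel(tarball, hash_file, name):
    """Naive check: trust a hash file fetched over the same untrusted channel."""
    return hashlib.sha256(tarball).hexdigest() == parse_hash_file(hash_file).get(name)


def verify_anchored(tarball, hash_file, name, trusted_hash_file_digest):
    """Authenticate the hash file against the out-of-band anchor first,
    then check the tarball against the (now trusted) hash file."""
    if hashlib.sha256(hash_file.encode()).hexdigest() != trusted_hash_file_digest:
        return False
    return verify_same_channel(tarball, hash_file, name)


def simulate_tampering(tarball, name):
    """Model what an on-path party on plain http can do: replace the tarball
    and rewrite the hash file so the two still agree with each other."""
    tampered = tarball.replace(b"genuine", b"tampered")
    return tampered, hashlib.sha256(tampered).hexdigest() + "  " + name + "\n"


if __name__ == "__main__":
    bad_tar, bad_hashes = simulate_tampering(GENUINE_TARBALL, NAME)
    print("same-channel check accepts tampered release:", verify_same_channel(bad_tar, bad_hashes, NAME))
    print("anchored check accepts tampered release:",
          verify_anchored(bad_tar, bad_hashes, NAME, TRUSTED_HASH_FILE_DIGEST))
```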
