Rutherther <[email protected]> writes:

> Hi Simon,
>
> Simon Josefsson <[email protected]> writes:
>
>> Would you consider adding SHA3-256 checksums to announcements too?
>
> Sure, that is no problem, especially if a script is already made for
> this, I wasn't aware of it.

What script was used to prepare your release announcement?  Maybe Guix
warrants its own custom script rather than gnulib's announce-gen, but
some inspiration from a recent announcement may be useful:

https://lists.gnu.org/archive/html/bug-inetutils/2025-12/msg00017.html

The actual wording isn't the important part, and some of this is
opinionated, but the important parts are:

1) Direct URLs

2) SHA256 and SHA3-256 checksums.  Format to use is somewhat
opinionated, but the information is the important aspect.

3) Some explanation what the URLs and files actually are, like you
already have, including commands for verification.

4) How to get signing keys.

5) SBOM info, maybe just Guix commit id?

>> Rutherther <[email protected]> writes:
>>
>>>   Installation script: https://guix.gnu.org/guix-install.sh
>> ...
>>>   All of these files are signed at <link>.sig. They are all signed by
>>>   Rutherther, you can get his public key from [1], then import it using
>>>   “gpg --import”.
>> ...
>>> • SHA256 hashes
>>
>> The guix-install.sh script does not seem to have a *.sig file, nor is it
>> included in the SHA256 hash list.
>
> That is true. That is because the script tracks master of the Guix
> repository and we cannot be sure no one will change it in the following
> days. So we cannot include it in the SHA256 hash list as it is not
> 'part' of the release by itself. It having a different hash afterwards is
> not a bug and it would be confusing to users if it was included in the
> list and changed. Generally the install script is improved even after
> the release, while parts of it are tied to the tarball, a large part of it
> isn't. For example the /etc/profile.d/zzz-guix.sh lives in the script
> and might be changed. This is then used to improve it even throughout
> the time when there isn't any release.
>
>> Since this script is often run by
>> root, I think it should have some security protection beyond WebPKI
>> https URL assurance.  Maybe already tracked in some bug report?  Still,
>> would be great to see improved for 1.5.0.
>
> I do not know of such an issue, feel free to create it. This would
> require serious rethinking on how to manage this script, though. Because
> automatic updates would no longer be possible.

Yeah, I realize that maybe that particular URL should stay synchronized
with git HEAD, since that seems like the tradition, so maybe it is
simpler to include a stable snapshot in your 'rc' releases?  Like

  https://files.ditigal.xyz/guix-release-1.5.0rc1-mirror/guix-install-1.5.0rc1.sh
  https://files.ditigal.xyz/guix-release-1.5.0rc1-mirror/guix-install-1.5.0rc1.sh.sig

And include checksums?  Then we don't have to resolve signatures on the
rolling script, and people (like me) who care about verifying
guix-install.sh authenticity are catered to.

/Simon

Attachment: signature.asc
Description: PGP signature
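The checklist above asks for SHA256 and SHA3-256 checksums in the announcement plus commands to verify them, and the thread's sticking point is that a rolling install script cannot be covered by fixed checksums while a frozen snapshot can. The following is an added example, not Guix's release tooling nor gnulib's announce-gen: it generates a two-algorithm checksum block for a set of release files, parses that block back, and verifies a downloaded file against it, then shows a frozen snapshot passing and a copy modified after the announcement failing. The "hash  filename" layout (the two-space form that `sha256sum -c` accepts), the file names and the file contents are all constructed for the example.

```python
"""Generate and check the SHA256 / SHA3-256 checksum block of a release
announcement.  Added example; not the Guix project's or gnulib's code."""
import hashlib
import hmac
import os
import tempfile

# hashlib names of the two digests the announcement is expected to carry
ALGOS = ("sha256", "sha3_256")


def digest_bytes(data, algo):
    """Hex digest of an in-memory byte string (used for small checks)."""
    return hashlib.new(algo, data).hexdigest()


def file_digest(path, algo):
    """Stream the file through hashlib so a large tarball need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def announce_block(paths):
    """Return the checksum lines for an announcement, one section per algorithm,
    each line 'hexdigest  basename'.  The layout is an assumption of this example."""
    lines = []
    for algo in ALGOS:
        lines.append(f"{algo.upper().replace('_', '-')}:")
        for p in paths:
            lines.append(f"{file_digest(p, algo)}  {os.path.basename(p)}")
    return "\n".join(lines)


def parse_block(block):
    """Parse an announcement block back into {basename: {algo: hexdigest}}."""
    expected = {}
    algo = None
    for line in block.splitlines():
        if line.endswith(":"):
            algo = line[:-1].lower().replace("-", "_")
            continue
        digest, sep, name = line.partition("  ")
        if sep and algo:
            expected.setdefault(name, {})[algo] = digest
    return expected


def verify_file(path, expected):
    """True only if the file is listed and every announced algorithm matches.
    A file with one of the two digests missing is treated as unverified."""
    name = os.path.basename(path)
    announced = expected.get(name, {})
    if set(announced) != set(ALGOS):
        return False
    return all(hmac.compare_digest(file_digest(path, algo), announced[algo])
               for algo in ALGOS)


def demo():
    """Constructed scenario: a frozen snapshot of the install script verifies,
    while a copy that was improved after the announcement does not."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "guix-1.5.0rc1.tar.gz")          # made-up name
        script = os.path.join(d, "guix-install-1.5.0rc1.sh")       # made-up name
        with open(tarball, "wb") as f:
            f.write(b"abc")                                        # stand-in bytes
        with open(script, "wb") as f:
            f.write(b"#!/bin/sh\necho install\n")                  # stand-in script
        block = announce_block([tarball, script])
        expected = parse_block(block)
        snapshot_ok = verify_file(script, expected)
        # The rolling copy later gains an improvement; the announced digests
        # no longer describe it, so verification must fail rather than pass.
        with open(script, "ab") as f:
            f.write(b"echo improved\n")
        rolling_ok = verify_file(script, expected)
        return {"block": block, "snapshot_ok": snapshot_ok, "rolling_ok": rolling_ok}


if __name__ == "__main__":
    result = demo()
    print(result["block"])
    print("snapshot verifies:", result["snapshot_ok"])
    print("modified copy verifies:", result["rolling_ok"])
```

The verification half is what a user does by hand with `sha256sum -c` (and, for SHA3-256, a tool such as `openssl dgst -sha3-256`); requiring both digests to match means an announcement that quietly dropped one algorithm is not accepted as a pass. Signature checking with `gpg --verify` is a separate step over the `.sig` files and is not modelled here.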
