On Tue, Jul 31, 2018 at 07:42:41PM +0200, Tim Düsterhus wrote:
> On 30.07.2018 at 20:55, Willy Tarreau wrote:
> > I know and I've already thought about it. But I personally refuse to store
> > my PGP key on any exposed machine. Right now in order to tag, I have to
> > SSH into an isolated machine, run "git pull --tags", create-release, and
> > "git push --tags". Then I upload the release.
>
> In addition to what Vincent and Bertrand suggest I'd like to note that a
> dedicated "haproxy Release Signing Key", even if stored on an exposed
> machine, would be strictly better than just checksums, which could be
> modified by anyone with access to the haproxy.org server.
That's where I disagree. It's exactly the same argument causing TLS to appear
on every web site even when not necessary, making people believe they are safe
while they are not. Right now you don't have this PGP signature, so you are
careful about what you retrieve. And that's the reason why you're talking about
it, by the way, because verifying all this is painful on your side. But if I
start to claim "look, no need to double-check anymore, trust me, it's safe",
you won't run this extra safety check once in a while. But the process involved
in placing this signature may not be safer than the one involved in the
checksum.

With this said, I'll take a look at Bertrand's proposal, which I think does
satisfy my needs.

> Also I know nothing about the release process, but: Is the machine
> signing the tags not used to upload the release Tarballs to haproxy.org?

It depends on who does it. Speaking for myself, since my PGP key is not on the
machine, I release using create-release (changelog+commit+signed tag) on the
machine where I have the PGP key, then I push to the public repo, then I
connect to the haproxy.org machine to publish the release from the latest tag
using the publish-release utility you recently patched, and perform a few
extra actions there to automatically update the home page and the known bugs
page. Then I run announce-release from any machine, which prepares a horrible
automated text that will serve as a basis for the announce.

> I think it's strange that the parts of the release process are
> distributed onto several machines (one to create the tag, one to create
> the Tarball).

No, it's not uncommon at all, especially with git, since signed tags can be
done anywhere, especially at places where you don't want to upload large
tarballs when you in fact only need to upload a tag. Imagine if I had had to
upload full linux kernels when doing stable releases, it would have taken many
hours just to upload the tarballs!

Cheers,
Willy
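As an added example from the downloader's side (not part of this thread and not the haproxy release tooling), a POSIX shell check that exercises the property the split process gives you: the tag is signed on the isolated machine, the tarball is published from that tag elsewhere, so a downloader can check the tarball against the signed tag instead of against a checksum hosted on the same server. It assumes a local clone with the tag fetched, gpg with the signer's public key imported, and a tarball with a single top-level directory (both the helper names and that layout are assumptions).

```shell
# Added example, not from the thread or the haproxy tools. Two independent checks:
#   1. the git tag signature (made on the isolated machine) verifies, and
#   2. the published tarball's contents are exactly the tree that tag points to,
# so a tarball swapped on the web server fails even if the checksum file next to
# it on the same server was updated to match.
# Assumes: a clone with the tag fetched, gpg holding the signer's public key,
# and a tarball with one top-level directory (e.g. haproxy-1.8.13/).

# verify_release_tag REPO TAG: succeeds iff TAG carries a valid signature
# from a key present in the local keyring.
verify_release_tag() {
    git -C "$1" verify-tag "$2"
}

# tarball_matches_tag REPO TAG TARBALL: succeeds iff the tarball's file tree,
# re-hashed with git itself, has the same tree id as TAG^{tree}.
tarball_matches_tag() {
    repo=$1 tag=$2 tarball=$3
    expected=$(git -C "$repo" rev-parse "${tag}^{tree}") || return 1
    tmp=$(mktemp -d) || return 1
    # drop the top-level directory so paths line up with the repository layout
    tar -xzf "$tarball" -C "$tmp" --strip-components=1 || { rm -rf "$tmp"; return 1; }
    # throwaway index over the extracted files, hashed as a git tree object;
    # a user-global excludes file is neutralised so it cannot hide a file
    actual=$(cd "$tmp" && git init -q . \
        && git -c core.excludesFile=/dev/null add -A . && git write-tree)
    status=$?
    rm -rf "$tmp"
    [ "$status" -eq 0 ] && [ "$expected" = "$actual" ]
}

# release_is_trustworthy REPO TAG TARBALL: both checks must pass.
release_is_trustworthy() {
    verify_release_tag "$1" "$2" && tarball_matches_tag "$1" "$2" "$3"
}
```

The tree comparison is independent of tar metadata (mtimes, ordering, gzip level), so it works even when the publisher's archive command differs from `git archive`; a `.gitignore` rule in the extracted tree that matched a tracked file would show up as a mismatch, which is the safe direction.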

