> On Apr 4, 2018, at 12:08 PM, Paolo Bonzini <pbonz...@redhat.com> wrote:
> 
> On 04/04/2018 18:05, Programmingkid wrote:
>> 
>>> On Apr 4, 2018, at 11:55 AM, Stefan Weil <s...@weilnetz.de> wrote:
>>> 
>>> On 04.04.2018 at 16:58, Daniel P. Berrangé wrote:
>>>> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>>>>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>>>>> The source/quality of those binaries is completely opaque. We've no idea
>>>>>> who built them, nor what build options were used, nor what/where the
>>>>>> corresponding source is (required for GPL compliance), nor any checksum /
>>>>>> signature to validate the binary isn't compromised since build, etc, etc.
>>>>>> 
>>>>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>>>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>>>> 
>>>>>> If we're going to link to binaries telling users to download them, we
>>>>>> need to be hosting them on qemu.org and have a clearly documented formal
>>>>>> process around building & distributing them.
>>>>>> 
>>>>>> Since both Homebrew & Macports are providing formal builds though, it
>>>>>> looks simpler to just entirely delegate the problem to them, as we do for
>>>>>> Linux where we delegate to distro vendors to build & distribute binaries.
>>>>> 
>>>>> Note that, to some extent, the same issues do apply to Win32 binaries
>>>>> (in particular, they are distributed under http and there are no
>>>>> signatures). However, the situation is better in that they are hosted
>>>>> on an identifiable person's website, and of course Windows doesn't have
>>>>> something akin to Homebrew and Macports so there is no alternative to
>>>>> volunteers building and hosting the binaries.
>>>> 
>>>> It would be desirable & practical to address that for Win32, by building
>>>> the Win32 binaries at time of cutting the release, using the Mingw
>>>> toolchain via one of our formal Docker environments. Would need buy-in of
>>>> our release manager to accept the extra work for making releases though...
>>>> 
>>>> Regards,
>>>> Daniel
>>> 
>>> That would be one possible way. A more automated way could use CI builds
>>> (for example on GitHub) to generate executables for Windows.
>>> 
>>> By the way: https://qemu.weilnetz.de provides https (maybe I should
>>> enforce it), it includes sha512, and I also sign the binaries with my
>>> key. You still have to trust me, Debian and Cygwin (which provides lots
>>> of libraries used for the build).
>>> 
>>> Regards,
>>> Stefan
>> 
>> I guess there is just too much distrust to provide a QEMU binary for
>> download.
> 
> It's not distrust, it's responsibility.
> 
> Paolo
So from what I learned, in order to provide a binary of QEMU, these things must be done:

- Some kind of checksum be provided for the binary (md5, SHA512, ...)
- A zip file that has the exact code used to build the binary be provided
- The complete environment used to build the binary be documented
  -- Operating system name and version
  -- name and version of various tools used to build the binary (GCC, make, ...)
  -- name and version of libraries that are linked to QEMU (libc, pixman, ...)
- The exact command-line options used to build the binary be provided
- The email address and identity of the person who made the binary be provided

If anything is missing please feel free to share.
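The checklist above can be turned into a small release manifest that a downloader can check against. The script below is an added example and not QEMU project code or anything from the thread: it records a SHA-512 of the binary and of the source archive, the build environment (OS, compiler, make), the configure options and the builder's identity, and then verifies a binary against that manifest. The file names, the `BUILDER_IDENTITY` environment variable and the manifest format are assumptions of this example; the demonstration at the bottom uses constructed placeholder files rather than a real QEMU build.

```shell
#!/bin/sh
# Added example (not from the thread or the QEMU project): build a release
# manifest for a binary and verify a downloaded copy against it.
set -eu

# Portable SHA-512 helper: coreutils sha512sum, or shasum where that is absent.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# write_manifest BINARY SOURCE_ARCHIVE CONFIGURE_OPTS OUTFILE
# Records the items from the checklist: checksums of binary and source zip,
# build environment (OS, compiler, make), configure options, builder identity.
# BUILDER_IDENTITY is an assumed environment variable (e.g. "Name <email>").
write_manifest() {
    bin=$1; src=$2; opts=$3; out=$4
    {
        echo "binary: $(basename "$bin")"
        echo "binary_sha512: $(sha512_of "$bin")"
        echo "source_archive: $(basename "$src")"
        echo "source_sha512: $(sha512_of "$src")"
        echo "os: $(uname -srm)"
        echo "compiler: $( (cc --version 2>/dev/null || echo 'cc: not found') | head -n1)"
        echo "make: $( (make --version 2>/dev/null || echo 'make: not found') | head -n1)"
        echo "configure_options: $opts"
        echo "builder: ${BUILDER_IDENTITY:-unknown}"
    } > "$out"
}

# verify_binary BINARY MANIFEST
# Succeeds only when the manifest carries a binary_sha512 line and it matches
# the freshly computed digest of BINARY; any tampering changes the digest.
verify_binary() {
    expected=$(sed -n 's/^binary_sha512: //p' "$2")
    actual=$(sha512_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# --- Demonstration with constructed placeholder files (no real build) ---
tmp=$(mktemp -d)
printf 'placeholder qemu binary\n' > "$tmp/qemu-system-x86_64"
printf 'placeholder source zip\n' > "$tmp/qemu-src.zip"
write_manifest "$tmp/qemu-system-x86_64" "$tmp/qemu-src.zip" \
    "--target-list=x86_64-softmmu" "$tmp/MANIFEST"
cat "$tmp/MANIFEST"
verify_binary "$tmp/qemu-system-x86_64" "$tmp/MANIFEST" && echo "verify: OK"

# A binary modified after the manifest was written must fail verification.
printf 'tampered\n' >> "$tmp/qemu-system-x86_64"
if verify_binary "$tmp/qemu-system-x86_64" "$tmp/MANIFEST"; then
    echo "verify: unexpected pass"; exit 1
else
    echo "verify: rejected modified binary, as expected"
fi
```

The manifest itself is what a builder would then sign with a detached signature (as Stefan describes doing for his own builds), so that the checksum, the build environment and the builder's identity are all covered by one signature rather than trusting the download channel alone.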