Re: [arch-dev-public] Finalizing the package signing process
On 30 October 2011 14:12:20 Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre

+1

Some TUs never used their real name here, so it will be a good opportunity to discover who they really are :P

Stéphane
[arch-dev-public] Finalizing the package signing process
Hi all,

it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.

At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.

To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.

If you just agree with all this send a +1.

Greetings,

Pierre

-- 
Pierre Schmitz, http://pierre-schmitz.com
Re: [arch-dev-public] Finalizing the package signing process
On 30.10.2011 14:12, Pierre Schmitz wrote:
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature.

+1

> We may give the TU a few days more time as this will be new to them.

-1 - they had more than enough time.
Re: [arch-dev-public] Finalizing the package signing process
On Sunday 30 October 2011 14:12:20 Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.

+1 to enforce signed packages. This has been discussed for months and creating a key takes only a few seconds.

-t
Re: [arch-dev-public] Finalizing the package signing process
On 30/10/2011 14:12, Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.

+1

-- 
Arch Linux Developer
http://www.archlinux.org
http://www.archlinux.it
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 2:31 PM, Giovanni Scafora giova...@archlinux.org wrote:
> On 30/10/2011 14:12, Pierre Schmitz wrote:
>> Hi all,
>>
>> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>>
>> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>>
>> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>>
>> If you just agree with all this send a +1.
>
> +1
>
> -- 
> Arch Linux Developer
> http://www.archlinux.org
> http://www.archlinux.it

+1

Ronald
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 02:12:20PM +0100, Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre
>
> -- 
> Pierre Schmitz, http://pierre-schmitz.com

+1.
Re: [arch-dev-public] Finalizing the package signing process
On 30.10.2011 14:12, Pierre Schmitz wrote:
> If you just agree with all this send a +1.

+1

PS: we should get a voting system

-- 
Florian Pritz
Re: [arch-dev-public] Finalizing the package signing process
On 30 October 2011 14:14, Thomas Bächler tho...@archlinux.org wrote:
> On 30.10.2011 14:12, Pierre Schmitz wrote:
>> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature.
>
> +1
>
>> We may give the TU a few days more time as this will be new to them.
>
> -1 - they had more than enough time.

I agree with Thomas, +1 about dbscripts. -1 about more time to the TUs.

-- 
Andrea
Re: [arch-dev-public] Finalizing the package signing process
On 30.10.2011 14:12, Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre

+1

-- 
Tobias Powalowski
Archlinux Developer
Package Maintainer (tpowa)
http://www.archlinux.org
tp...@archlinux.org
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 14:12:20 +0100 Pierre Schmitz pie...@archlinux.de wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre

I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?

Otherwise I would say +1, but for now -1.

Daniel
Re: [arch-dev-public] Finalizing the package signing process
On 30/10/2011 18:56, Daniel Isenmann wrote:
> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?

You can build your packages on pkgbuild.com, then download them locally and sign them with gpg --detach-sign package. Afterwards, you have to send the .sig files (i686 and x86_64) to pkgbuild, then execute extrapkg or a similar command.

-- 
Arch Linux Developer
http://www.archlinux.org
http://www.archlinux.it
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 19:04:51 +0100 Giovanni Scafora giova...@archlinux.org wrote:
> On 30/10/2011 18:56, Daniel Isenmann wrote:
>> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
>
> You can build your packages on pkgbuild.com, then download them locally and sign them with gpg --detach-sign package. Afterwards, you have to send the .sig files (i686 and x86_64) to pkgbuild, then execute extrapkg or a similar command.

Downloading them locally isn't really a solution. Too low bandwidth, and most of the time I don't build the packages from home. If dbscripts gets updated without pkgbuild.com supporting signing, then I can't build packages.
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 14:12:20 +0100 Pierre Schmitz pie...@archlinux.de wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre

sure why not.
Re: [arch-dev-public] Finalizing the package signing process
On 30.10.2011 19:13, Daniel Isenmann wrote:
> On Sun, 30 Oct 2011 19:04:51 +0100 Giovanni Scafora giova...@archlinux.org wrote:
>> On 30/10/2011 18:56, Daniel Isenmann wrote:
>>> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
>>
>> You can build your packages on pkgbuild.com, then download them locally and sign them with gpg --detach-sign package. Afterwards, you have to send the .sig files (i686 and x86_64) to pkgbuild, then execute extrapkg or a similar command.

You can also use commitpkg (as in extrapkg, testingpkg etc.) to sign the file if you put the package into your build tree.

> Downloading them locally isn't really a solution. Too low bandwidth, and most of the time I don't build the packages from home. If dbscripts gets updated without pkgbuild.com supporting signing, then I can't build packages.

I am sorry, but I have no solution for this atm. And who knows how long it takes until gpg is able to do key forwarding and remote signing. So I don't feel we should wait for that. And honestly: the build server with that many people having root access is quite a problem anyway. Also, if you don't even download (and install) some of your own packages, maybe a better solution would be to find someone else to maintain them.

Greetings,

Pierre

-- 
Pierre Schmitz, http://pierre-schmitz.com
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 9:05 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> As it seems that there is no real solution here, I will try to do it like Florian and Giovanni said. Downloading the package, signing it locally and uploading the signature to pkgbuild again. Nevertheless we should find a solution to build signed packages on pkgbuild, otherwise we will lose our buildserver here, because I see this as a workaround and not as a solution.

I don't think signing remotely is going to be possible, and I also don't see the point of it. We have to download the package anyway in order to test it, so we wouldn't really gain anything.

I use a script to download, sign and upload the signature, then I test the package locally before pushing it to the repos.

Just my two cents.

Cheers,

Tom
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 21:32:25 +0100 Tom Gundersen t...@jklm.no wrote:
> On Sun, Oct 30, 2011 at 9:05 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
>> As it seems that there is no real solution here, I will try to do it like Florian and Giovanni said. Downloading the package, signing it locally and uploading the signature to pkgbuild again. Nevertheless we should find a solution to build signed packages on pkgbuild, otherwise we will lose our buildserver here, because I see this as a workaround and not as a solution.
>
> I don't think signing remotely is going to be possible, and I also don't see the point of it. We have to download the package anyway in order to test it, so we wouldn't really gain anything.

Not all packages have to be tested, e.g. a large rebuild against a new library version where you are sure that nothing is broken in your package and it only needs relinking against the new library. That's only an example.

> I use a script to download, sign and upload the signature, then I test the package locally before pushing it to the repos.

Would you mind providing the script? Such a helper script would help a lot.

> Just my two cents.
>
> Cheers,
>
> Tom
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
>> I don't think signing remotely is going to be possible, and I also don't see the point of it. We have to download the package anyway in order to test it, so we wouldn't really gain anything.
>
> Not all packages have to be tested, e.g. a large rebuild against a new library version where you are sure that nothing is broken in your package and it only needs relinking against the new library. That's only an example.

But surely you will eventually download and install it? That said, I guess there will be cases where it would be useful to not immediately have to download the package (even if I'm struggling to imagine atm).

>> I use a script to download, sign and upload the signature, then I test the package locally before pushing it to the repos.
>
> Would you mind providing the script? Such a helper script would help a lot.

Sure, it is based on something given to me by another dev on IRC (forgot who). Hopefully they won't sue me for copyright infringement ;-) It will leave the packages in /tmp for you to test, so you might want to remember to delete them afterwards.

#!/bin/bash
# Fetch the packages built on pkgbuild.com for package $1, detach-sign them
# locally with the agent, and push only the signatures back to the trunk dir.
DIR=`mktemp -d /tmp/signpkg.${1}.XXXXXX`   # mktemp needs at least three X's
pushd "${DIR}"
scp "pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz" .
for i in *.pkg.tar.xz; do
	# gpg --detach-sign --use-agent -u "$KEY" "$i"   # to pick a specific key
	gpg --detach-sign --use-agent "$i"
done
scp *.pkg.tar.xz.sig "pkgbuild.com:svn-packages/$1/trunk/"
popd
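As an added example (not Tom's script and not dbscripts' own code), the same detach-sign flow with the two checks a maintainer would want around it: each signature is verified right after signing so a broken one never gets uploaded, and a gate rejects any package without a .sig, which is what the dbscripts enforcement proposed in this thread amounts to. The function names, the optional KEY and KEYRING arguments and the sample directory are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Tom's script and not dbscripts' code. It wraps the
# "download, detach-sign, upload the .sig" flow from this thread with the
# checks a maintainer wants: verify right after signing, and gate the
# upload the way dbscripts is meant to, rejecting anything without a .sig.
# Assumed: DIR holds *.pkg.tar.xz files; KEY and KEYRING are optional.

# Detach-sign every package in DIR that is not yet signed, then verify each
# signature before it is uploaded.  Needs gpg and a running agent.
sign_packages() {
    dir="$1"; key="${2:-}"
    for pkg in "$dir"/*.pkg.tar.xz; do
        [ -e "$pkg" ] || continue              # unmatched glob: nothing to do
        if [ ! -f "$pkg.sig" ]; then
            if [ -n "$key" ]; then
                gpg --detach-sign --use-agent -u "$key" "$pkg" || return 1
            else
                gpg --detach-sign --use-agent "$pkg" || return 1
            fi
        fi
        # Fail closed: a signature that does not verify must not be uploaded.
        gpg --verify "$pkg.sig" "$pkg" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Upload gate: return 0 only if every *.pkg.tar.xz in DIR has a detached
# signature next to it (and, when KEYRING is given and gpg is available,
# that signature verifies against KEYRING).  Offenders are listed on stderr.
check_signed_packages() {
    dir="$1"; keyring="${2:-}"; rc=0
    for pkg in "$dir"/*.pkg.tar.xz; do
        [ -e "$pkg" ] || continue
        name=$(basename "$pkg")
        if [ ! -f "$pkg.sig" ]; then
            echo "REJECT $name: no detached signature" >&2
            rc=1
        elif [ -n "$keyring" ] && command -v gpg >/dev/null 2>&1; then
            gpg --no-default-keyring --keyring "$keyring" \
                --verify "$pkg.sig" "$pkg" >/dev/null 2>&1 \
                || { echo "REJECT $name: signature does not verify" >&2; rc=1; }
        fi
    done
    return $rc
}

# Constructed sample (fake file contents): foo is signed, bar is not.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'fake' > "$d/foo-1.0-1-x86_64.pkg.tar.xz"
    printf 'fake' > "$d/foo-1.0-1-x86_64.pkg.tar.xz.sig"
    printf 'fake' > "$d/bar-2.0-1-x86_64.pkg.tar.xz"
    printf '%s' "$d"
}

# Usage: sh gate.sh DIR [KEYRING]   -- run the gate over a real staging dir.
if [ $# -gt 0 ]; then
    check_signed_packages "$1" "${2:-}"
fi
```

Without a KEYRING the gate only checks that a .sig is present, which is the same minimal rule the thread asks dbscripts to enforce; with one it additionally refuses signatures that do not verify.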
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 21:58:35 +0100 Tom Gundersen t...@jklm.no wrote:
> On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
>>> I don't think signing remotely is going to be possible, and I also don't see the point of it. We have to download the package anyway in order to test it, so we wouldn't really gain anything.
>>
>> Not all packages have to be tested, e.g. a large rebuild against a new library version where you are sure that nothing is broken in your package and it only needs relinking against the new library. That's only an example.
>
> But surely you will eventually download and install it? That said, I guess there will be cases where it would be useful to not immediately have to download the package (even if I'm struggling to imagine atm).

Sure. I will do that. But mainly I don't build the packages at home, and that's my main problem. But I will try the method with your small script, thanks for that.

>>> I use a script to download, sign and upload the signature, then I test the package locally before pushing it to the repos.
>>
>> Would you mind providing the script? Such a helper script would help a lot.
>
> Sure, it is based on something given to me by another dev on IRC (forgot who). Hopefully they won't sue me for copyright infringement ;-) It will leave the packages in /tmp for you to test, so you might want to remember to delete them afterwards.
>
> #!/bin/bash
> # Fetch the packages built on pkgbuild.com for package $1, detach-sign them
> # locally with the agent, and push only the signatures back to the trunk dir.
> DIR=`mktemp -d /tmp/signpkg.${1}.XXXXXX`   # mktemp needs at least three X's
> pushd "${DIR}"
> scp "pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz" .
> for i in *.pkg.tar.xz; do
> 	# gpg --detach-sign --use-agent -u "$KEY" "$i"   # to pick a specific key
> 	gpg --detach-sign --use-agent "$i"
> done
> scp *.pkg.tar.xz.sig "pkgbuild.com:svn-packages/$1/trunk/"
> popd

Thanks for that...

Daniel
Re: [arch-dev-public] Finalizing the package signing process
[2011-10-30 14:12:20 +0100] Pierre Schmitz:
> If you just agree with all this send a +1.

I agree with all this.

-- 
Gaetan
Re: [arch-dev-public] Finalizing the package signing process
On 30 October 2011 22:47, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> On Sun, 30 Oct 2011 21:58:35 +0100 Tom Gundersen t...@jklm.no wrote:
>> On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
>>>> I don't think signing remotely is going to be possible, and I also don't see the point of it. We have to download the package anyway in order to test it, so we wouldn't really gain anything.
>>>
>>> Not all packages have to be tested, e.g. a large rebuild against a new library version where you are sure that nothing is broken in your package and it only needs relinking against the new library. That's only an example.
>>
>> But surely you will eventually download and install it? That said, I guess there will be cases where it would be useful to not immediately have to download the package (even if I'm struggling to imagine atm).
>
> Sure. I will do that. But mainly I don't build the packages at home, and that's my main problem. But I will try the method with your small script, thanks for that.
>
>>>> I use a script to download, sign and upload the signature, then I test the package locally before pushing it to the repos.
>>>
>>> Would you mind providing the script? Such a helper script would help a lot.
>>
>> Sure, it is based on something given to me by another dev on IRC (forgot who). Hopefully they won't sue me for copyright infringement ;-) It will leave the packages in /tmp for you to test, so you might want to remember to delete them afterwards.
>>
>> #!/bin/bash
>> # Fetch the packages built on pkgbuild.com for package $1, detach-sign them
>> # locally with the agent, and push only the signatures back to the trunk dir.
>> DIR=`mktemp -d /tmp/signpkg.${1}.XXXXXX`   # mktemp needs at least three X's
>> pushd "${DIR}"
>> scp "pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz" .
>> for i in *.pkg.tar.xz; do
>> 	# gpg --detach-sign --use-agent -u "$KEY" "$i"   # to pick a specific key
>> 	gpg --detach-sign --use-agent "$i"
>> done
>> scp *.pkg.tar.xz.sig "pkgbuild.com:svn-packages/$1/trunk/"
>> popd
>
> Thanks for that...
>
> Daniel

Just in case it can help, I also made a script [0] that updates the svn tree from alderaan to a local tree and rsyncs the remote packages to a local folder. I then just need to install, test and, if OK, I can extrapkg 'blahblahblah' from my local machine. It also works with community packages. (Don't forget the configuration file [1] if you want to test.)

[0] https://raw.github.com/galaux/scripts/master/duppkgbuild/duppkgbuild
[1] https://raw.github.com/galaux/scripts/master/duppkgbuild/duppkgbuild.conf

-- 
Guillaume
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 9:12 AM, Pierre Schmitz pie...@archlinux.de wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.

+1

Eric

> Greetings,
>
> Pierre
>
> -- 
> Pierre Schmitz, http://pierre-schmitz.com
Re: [arch-dev-public] Finalizing the package signing process
On 31 October 2011 01:56, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
>
> Otherwise I would say +1, but for now -1.

Ditto. I normally only download and test packages that I use and/or that are important/popular; other updates are merely minor version bumps, and sometimes I am too bandwidth-constrained to download anything more than a few megs.

But I hope I'm right that most of my packages are lean, in which case downloading the packages and uploading only the sigs won't be much of a problem. And anyway, there was a time when there was no pkgbuild.com and I had to build packages locally and on slow networks, so I think I can manage.

In general, +1.

-- 
GPG/PGP ID: 8AADBB10