Re: 12.2R Sigs
> [src's] included on the
> installation medium for reproducibility

Wherever the src.tgz, they should not be considered to be unbreakable reproducible bitwise duplicate authentic or traceable back to any repo, since there is no provable cryptographic chain back to same, only assertions over the breaking points, which can and do fail in various ways.
Distributed cloneable distributable repos based on crypto are needed to do that, perhaps such as Monotone, or at least sign Git's init hash.
https://monotone.ca/
https://git-scm.com/

> announce.asc file is only created for the final RELEASE build

Yes, as those are nice milestones :)

___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: 12.2R Sigs
On Thu, Sep 17, 2020 at 09:09:26PM -0400, grarpamp wrote:
> >> > And there is the PGP-signed email to stable@ that contains
> >> > them.
> >>
> >> Future noting that lists do not support foreknown path schemes
> >> for that data. Whereas repo, website and dataset locations are more
> >> predictable and programmatic... allowing fetching, validation, etc.
> >
> > And for RC builds, they are predictable and programmatic.
>
> Users would have to get and search the entire lists content to
> find such sig posts; unfortunately no, there are no nice predicted
> paths to such single emails supporting simple fetch of associated
> sig infos, ie: no schema :///13.x/.asc
>
> Mail is not, it can't... ie: it has no hier, path, file globbing regex *,
> etc.
>
> The website and distribution methods mentioned earlier are
> possible. (Now just for RC and RELEASE, as clarified in thread.)
>
> Website has them in nice paths today,
>
> individually...
> https://www.freebsd.org/releases/12.1R/signatures.html
>
> and in bulk...
> https://www.freebsd.org/releases/12.1R/announce.asc
>
> but they are not present in what should be their natural
> cohabitation set within the other distribution methods,
> such as the case of https / ftp / rsync / torrent / etc for...
> https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/
>
> > I am not on postmaster.
>
> What does that mean in context?
> Only some volunteer for that role, as any other;
> it's ok not to be in two or more of them.

Sorry, something you said was misinterpreted by me, and I was answering something that I thought you had asked, but had not. So it is a bit difficult for me to explain what I meant with this part of my reply.

In any case, after the doc tree is tagged (which is included on the installation medium for reproducibility), RC1 and subsequent RCs and the final RELEASE build will be programmatically fetchable. The announce.asc file is only created for the final RELEASE build, however.
Glen
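An added example (not code from the thread or from the FreeBSD project) of the verification step those predictable paths make scriptable: parse the clearsigned checksum list in an announce.asc-style file and check locally downloaded images against it. The announce text and image bytes below are constructed; the `SHA512 (file) = hex` line shape is the BSD checksum format, and verifying the PGP armor itself is left to a separate `gpg --verify` step that this code assumes was already done.

```python
import hashlib
import re

# Constructed sample shaped like a clearsigned announce.asc: BSD-style
# "SHA512 (file) = hex" lines inside PGP armor. The signature block is a
# placeholder; checking the armor is gpg's job and is assumed done already.
GOOD_ISO = b"constructed stand-in for the bootonly image\n"
SAMPLE_ANNOUNCE = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA512",
    "",
    "SHA512 (FreeBSD-12.1-RELEASE-amd64-bootonly.iso) = " + hashlib.sha512(GOOD_ISO).hexdigest(),
    "SHA512 (FreeBSD-12.1-RELEASE-amd64-disc1.iso) = " + "0" * 128,
    "SHA512 (FreeBSD-12.1-RELEASE-amd64-dvd1.iso) = " + "f" * 128,
    "-----BEGIN PGP SIGNATURE-----",
    "PLACEHOLDER-SIGNATURE-BLOCK",
    "-----END PGP SIGNATURE-----",
])
# Constructed local downloads: one intact, one tampered, one never fetched.
LOCAL_FILES = {
    "FreeBSD-12.1-RELEASE-amd64-bootonly.iso": GOOD_ISO,
    "FreeBSD-12.1-RELEASE-amd64-disc1.iso": b"tampered or truncated download\n",
}
CHECKSUM_RE = re.compile(r"^(SHA256|SHA512) \(([^)]+)\) = ([0-9a-fA-F]+)$")


def parse_signed_checksums(text):
    """Return {filename: (algo, hexdigest)} from the clearsigned body only."""
    entries, in_body = {}, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # everything after this is the signature, not data
        if not in_body:
            in_body = (line == "")  # blank line ends the "Hash:" header block
            continue
        m = CHECKSUM_RE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries


def verify_images(entries, local_files):
    """Hash each local image with the listed algorithm; report OK, MISMATCH or
    MISSING so an incomplete mirror is visible rather than silently skipped."""
    report = {}
    for name, (algo, expected) in entries.items():
        data = local_files.get(name)
        if data is None:
            report[name] = "MISSING"
        else:
            report[name] = "OK" if hashlib.new(algo, data).hexdigest() == expected else "MISMATCH"
    return report
```

Running `verify_images(parse_signed_checksums(SAMPLE_ANNOUNCE), LOCAL_FILES)` flags the tampered disc1 image and the absent dvd1 image while passing the intact bootonly image.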
Re: 12.2R Sigs
>> > And there is the PGP-signed email to stable@ that contains
>> > them.
>>
>> Future noting that lists do not support foreknown path schemes
>> for that data. Whereas repo, website and dataset locations are more
>> predictable and programmatic... allowing fetching, validation, etc.
>
> And for RC builds, they are predictable and programmatic.

Users would have to get and search the entire lists content to
find such sig posts; unfortunately no, there are no nice predicted
paths to such single emails supporting simple fetch of associated
sig infos, ie: no schema :///13.x/.asc

Mail is not, it can't... ie: it has no hier, path, file globbing regex *,
etc.

The website and distribution methods mentioned earlier are
possible. (Now just for RC and RELEASE, as clarified in thread.)

Website has them in nice paths today,

individually...
https://www.freebsd.org/releases/12.1R/signatures.html

and in bulk...
https://www.freebsd.org/releases/12.1R/announce.asc

but they are not present in what should be their natural
cohabitation set within the other distribution methods,
such as the case of https / ftp / rsync / torrent / etc for...
https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/

> I am not on postmaster.

What does that mean in context?
Only some volunteer for that role, as any other;
it's ok not to be in two or more of them.
Re: 12.2R Sigs
On Thu, Sep 17, 2020 at 08:03:54PM -0400, grarpamp wrote:
> > They will be added with the first RC build
>
> Yes, RC* seems the latest point in timeline
> to begin exercising them.
>
> > a bug in the order of operations
>
> > And there is the PGP-signed email to stable@ that contains
> > them.
>
> Future noting that lists do not support foreknown path schemes
> for that data. Whereas repo, website and dataset locations are more
> predictable and programmatic... allowing fetching, validation, etc.

And for RC builds, they are predictable and programmatic.

> There could be a commit subsequent to tags, to hold all
> relevant collected metadata results, created sigs, etc of
> those tagged builds.

I am not on postmaster.

Glen
Re: 12.2R Sigs
> They will be added with the first RC build

Yes, RC* seems the latest point in timeline
to begin exercising them.

> a bug in the order of operations

> And there is the PGP-signed email to stable@ that contains
> them.

Future noting that lists do not support foreknown path schemes
for that data. Whereas repo, website and dataset locations are more
predictable and programmatic... allowing fetching, validation, etc.

There could be a commit subsequent to tags, to hold all
relevant collected metadata results, created sigs, etc of
those tagged builds.
Re: 12.2R Sigs
On Thu, Sep 17, 2020 at 03:41:22PM -0400, grarpamp wrote:
> https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/releases/12.2R/signatures.xml
>
> Is it the plan that 12.x, 13.x etc continue with
> provision of sig files for BETA and RC?
> If so, process can be added to releng todo docs,
> and the sig asc files pushed out to website,
> and to download areas (https, ftp, rsync, torrent, etc)
> alongside the image datasets themselves.
> If not, the docs can make note of the labels
> to which sigs apply.

They will be added with the first RC build, after the doc tree is tagged for the final release. Since moving the release notes and other related documentation from base to doc, this introduced a bug in the order of operations I have not yet figured out how to solve the right way. In other words, adding the signed BETA* checksums to the doc tree for the 12.1-BETA* builds turned out to be an error. (Also note, the signed checksums were not available for previous release BETA builds. And there is the PGP-signed email to stable@ that contains them.)

Glen