Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

2015-03-09 Thread Todd Zullinger

Jason A. Donenfeld wrote:
> On Mar 8, 2015 12:35 AM, "Todd Zullinger"  wrote:
>> But while we're on the subject, are there PGP signatures available
>> for the cgit tarballs themselves?
>
> I include a sha256 of the tarball in the announcement emails. Those
> emails are pgp signed. My pgp key is embedded in the repo, as well,
> and it's verifiable that all announce emails have been signed with
> the same key.


(It's a SHA1, isn't it?  Not that I care terribly about that part, 
other than a general preference for SHA256. :)


More importantly, verifying the PGP signature from an archive is not 
always easy.  More often than not, list archives introduce subtle 
whitespace damage or worse.


The other point that John made is more interesting.  If cgit generates 
a tarball on demand, aren't there opportunities for the hash in the 
announcement mail (or a detached signature) to become invalid?  I 
believe that git archive has made changes in the past to avoid 
including the timestamp in the gzip archive, which helps.  I don't 
know if there are other ways this could change.


In the end, I don't know if it's a problem that can be solved in a way 
that doesn't cause more work for you as a maintainer or the other fine 
folks who are contributing.  That's certainly not my intention.  ;)



> On Mar 9, 2015 9:49 PM, "John Keeping"  wrote:
>> It turns out that GMane mangles the list address in the message,
>
> Better archives:
> http://lists.zx2c4.com/pipermail/cgit/


I tried that earlier, before posting, and found that it munges things 
too.  Mailman's munging is often due to whitespace changes and is 
hard to avoid.  Maybe the change to hyperkitty in Mailman 3 will 
improve this aspect of the archives.  ;)


-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Damn you and your estrogenical treachery!
   -- Stewie Griffin

___
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit
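Added example, not code from this thread or from the cgit project: a Python sketch of the download-integrity check the patch in the subject line adds to the Makefile (clear error on mismatch), together with a constructed demonstration of the on-demand tarball concern raised above: the same tar compressed with two different gzip header timestamps produces two different .tar.gz hashes, while the hash of the decompressed tar stays the same. The one-file tar is built inline as a stand-in for `git archive` output, and all function names are mine.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_tarball(tgz: bytes, expected_sha256: str) -> str:
    """Integrity check with a clear error, the effect the Makefile patch in
    the subject line aims for: stop before a corrupt tarball reaches tar."""
    actual = sha256_hex(tgz)
    # compare_digest is the idiomatic way to compare two hex digests
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        raise ValueError("SHA256 mismatch for downloaded tarball\n"
                         f"  expected: {expected_sha256}\n  actual:   {actual}\n"
                         "  the download is corrupt or altered; delete it and retry")
    return actual

def tarball_matches(tgz: bytes, expected_sha256: str) -> bool:
    try:
        check_tarball(tgz, expected_sha256)
        return True
    except ValueError:
        return False

def make_tar(name: str, content: bytes) -> bytes:
    """Constructed one-file tar standing in for `git archive` output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(content)
        info.mtime = 0  # fixed so the tar bytes are reproducible
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def compress_tar(tar: bytes, mtime: int) -> bytes:
    """The gzip header records mtime: same tar, different time, different bytes."""
    return gzip.compress(tar, mtime=mtime)

def hashes_for_two_mtimes(tar: bytes) -> tuple:
    """(outer_1, outer_2, inner_1, inner_2): the .tar.gz hashes differ while
    the hashes of the decompressed tar agree, which is why a hash published
    for an on-demand tarball is only as stable as its gzip header."""
    a = compress_tar(tar, mtime=0)
    b = compress_tar(tar, mtime=1425859200)  # constructed: 2015-03-09 UTC
    return (sha256_hex(a), sha256_hex(b),
            sha256_hex(gzip.decompress(a)), sha256_hex(gzip.decompress(b)))
```

Hashing the decompressed tar (or publishing a detached signature over it) survives gzip-header drift; the tar encoding itself can still change between git versions, as John notes later in the thread.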


Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

2015-03-09 Thread Jason A. Donenfeld
Oh, hah, my pipermail does the same. That's annoying. I'll change up the
release announcement next time to avoid that.
On Mar 9, 2015 11:32 PM, "Jason A. Donenfeld"  wrote:

>
> On Mar 9, 2015 9:49 PM, "John Keeping"  wrote:
> > It turns out that GMane mangles the list address in the message,
>
> Better archives:
> http://lists.zx2c4.com/pipermail/cgit/
>


Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

2015-03-09 Thread Jason A. Donenfeld
On Mar 9, 2015 9:49 PM, "John Keeping"  wrote:
> It turns out that GMane mangles the list address in the message,

Better archives:
http://lists.zx2c4.com/pipermail/cgit/


Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

2015-03-09 Thread Jason A. Donenfeld
On Mar 8, 2015 12:35 AM, "Todd Zullinger"  wrote:
> But while we're on the subject, are there PGP signatures available for
> the cgit tarballs themselves?

I include a sha256 of the tarball in the announcement emails. Those emails
are pgp signed. My pgp key is embedded in the repo, as well, and it's
verifiable that all announce emails have been signed with the same key.


Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

2015-03-09 Thread John Keeping
On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote:
> Those on the list can check the PGP signature on the announcement mail 
> and then use the included SHA1 to check the tarball, but doing that as 
> a non-list member isn't as easy due to many list archives stripping or 
> mangling PGP signatures.  I tried doing this with the 0.11 
> announcement from the Mailman and Gmane archives now and wasn't 
> successful.

It turns out that GMane mangles the list address in the message, so it
is possible to validate it but it's not straightforward:

curl http://article.gmane.org/gmane.comp.version-control.cgit/2387/raw |
sed -e 's/cgit[^ ]*@public.gmane.org/cgit@lists.zx2c4.com/' |
gpg --verify

> Posting a detached PGP signature for the tarball would improve the 
> ability for users to trust and verify the cgit tarball.  It's not a 
> blocker for your patch, but it would make it significantly more 
> useful, so I thought I would broach the subject. ;)

It seems that Jason currently relies on CGit to generate the tarballs by
pointing to http://git.zx2c4.com/cgit/refs/tags, which means that a
signature isn't guaranteed to remain correct (Git has subtly changed the
tar encoding in the past and could do so again).

There's a recent thread on the Git mailing list about a way to handle
this better[0], but there isn't any code yet AFAIK.

[0] http://thread.gmane.org/gmane.comp.version-control.git/264533


Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

2015-03-09 Thread Todd Zullinger

John Keeping wrote:
> On Sat, Mar 07, 2015 at 06:35:10PM -0500, Todd Zullinger wrote:
>> But while we're on the subject, are there PGP signatures available for
>> the cgit tarballs themselves?  I know the git tags are signed, but I
>> don't think I've seen detached signatures for the tarballs.  In this
>> case, how does a user become "happy that the CGit distribution they
>> have is trustworthy"?  The cgit tarball download isn't available via
>> https either, which might be a reasonable answer in the absence of a
>> detached git signature.
>>
>> Without a signature on the tarball or some other method to verify the
>> cgit tarball, the sha256 of the git tarball included in the cgit
>> Makefile is more or less only useful as a basic download integrity
>> check (in which case sha256 is mild overkill).
>>
>> None of this is to say that this patch isn't a step in the right
>> direction.  It certainly helps to display a nicer error message if a
>> user receives a corrupted git tarball.  It's just important that users
>> don't confuse this with providing any real authentication of the git
>> tarball.
>
> I'm not sure this is true.  Providing that the CGit tarball is trusted,
> then I think this does provide sufficient authentication of the Git
> tarball.  If the CGit tarball isn't trusted, then all bets are off
> anyway.


Agreed.  The caveat is that I'm not sure there is a convenient method 
for end-users or packagers to verify the authenticity of a cgit 
tarball.


Those on the list can check the PGP signature on the announcement mail 
and then use the included SHA1 to check the tarball, but doing that as 
a non-list member isn't as easy due to many list archives stripping or 
mangling PGP signatures.  I tried doing this with the 0.11 
announcement from the Mailman and Gmane archives now and wasn't 
successful.


Posting a detached PGP signature for the tarball would improve the 
ability for users to trust and verify the cgit tarball.  It's not a 
blocker for your patch, but it would make it significantly more 
useful, so I thought I would broach the subject. ;)


Thank you for all of your work on cgit.  It's very nice to see it 
continue to improve, with even the smallest details getting attention.


-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Now don't say you can't swear off drinking; it's easy. I've done it a
thousand times.
   -- W.C. Fields



Re: [PATCH 00/13] Fixes for problems detected by Sparse

2015-03-09 Thread Jason A. Donenfeld
Great idea. Merged. Thanks John.