Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
Jason A. Donenfeld wrote: On Mar 8, 2015 12:35 AM, "Todd Zullinger" wrote: But while we're on the subject, are there PGP signatures available for the cgit tarballs themselves? I include a sha256 of the tarball in the announcement emails. Those emails are pgp signed. My pgp key is embedded in the repo, as well, and it's verifiable that all announce emails have been signed with the same key. (It's a SHA1, isn't it? Not that I care terribly about that part, other than a general preference for SHA256. :) More importantly is that verifying the PGP signature from an archive is not always easy. More often than not, list archives introduce subtle whitespace damage or worse. The other point that John made is more interesting. If cgit generates a tarball on demand, aren't there opportunities for the hash in the announcement mail (or a detactch signature) to become invalid? I belive that git archive has made changes in the past to avoid including the timestamp in the gzip archive, which helps. I don't know if there are other ways this could change. In the end, I don't know if it's a problem that can be solved in a way that doesn't cause more work for you as a maintainer or the other fine folks who are contributing. That's certainly not my intention. ;) On Mar 9, 2015 9:49 PM, "John Keeping" wrote: It turns out that GMane mangles the list address in the message, Better archives: http://lists.zx2c4.com/pipermail/cgit/ I tried that earlier, before posting and found that it munges things too. Mailman's munging is often due to whitespace changes and are hard to avoid. Maybe the change to hyperkitty in Mailman 3 will improve this aspect of the archives. ;) -- ToddOpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ Damn you and your estrogenical treachery! -- Stewie Griffin ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
Oh, hah, my pipermail does the same. That's annoying. I'll change up the release announcement next time to avoid that. On Mar 9, 2015 11:32 PM, "Jason A. Donenfeld" wrote: > > On Mar 9, 2015 9:49 PM, "John Keeping" wrote: > > It turns out that GMane mangles the list address in the message, > > Better archives: > http://lists.zx2c4.com/pipermail/cgit/ > ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
On Mar 9, 2015 9:49 PM, "John Keeping" wrote: > It turns out that GMane mangles the list address in the message, Better archives: http://lists.zx2c4.com/pipermail/cgit/ ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
On Mar 8, 2015 12:35 AM, "Todd Zullinger" wrote: > But while we're on the subject, are there PGP signatures available for the cgit tarballs themselves? I include a sha256 of the tarball in the announcement emails. Those emails are pgp signed. My pgp key is embedded in the repo, as well, and it's verifiable that all announce emails have been signed with the same key. ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote: > Those on the list can check the PGP signature on the announcement mail > and then use the included SHA1 to check the tarball, but doing that as > a non-list member isn't as easy due to many list archives stripping or > mangling PGP signatures. I tried doing this with the 0.11 > announcement from the Mailman and Gmane archives now and wasn't > successful. It turns out that GMane mangles the list address in the message, so it is possible to validate it but it's not straightforward: curl http://article.gmane.org/gmane.comp.version-control.cgit/2387/raw | sed -e 's/cgit[^ ]*@public.gmane.org/cgit@lists.zx2c4.com/' | gpg --verify > Posting a detached PGP signature for the tarball would improve the > ability for users to trust and verify the cgit tarball. It's not a > blocker for your patch, but it would make it significantly more > useful, so I thought I would broach the subject. ;) It seems that Jason currently relies on CGit to generate the tarballs by pointing to http://git.zx2c4.com/cgit/refs/tags, which means that a signature isn't guaranteed to remain correct (Git has subtly changed the tar encoding in the past and could do so again). There's a recent thread on the Git mailing list about a way to handle this better[0], but there isn't any code yet AFAIK. [0] http://thread.gmane.org/gmane.comp.version-control.git/264533 ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
John Keeping wrote: On Sat, Mar 07, 2015 at 06:35:10PM -0500, Todd Zullinger wrote: But while we're on the subject, are there PGP signatures available for the cgit tarballs themselves? I know the git tags are signed, but I don't think I've seen detached signatures for the tarballs. In this case, how does a user become "happy that the CGit distribution they have is trustworthy"? The cgit tarball download isn't available via https either, which might be a reasonable answer in the absence of a detached git signature. Without a signature on the tarball or some other method to verify the cgit tarball, the sha256 of the git tarball included in the cgit Makefile is more or less only useful as a basic download integrity check (in which case sha256 is mild overkill). None of this is to say that this patch isn't a step in the right direction. It certainly helps to display a nicer error message if a user receives a corrupted git tarball. It's just important that users don't confuse this with providing any real authentication of the git tarball. I'm not sure this is true. Providing that the CGit tarball is trusted, then I think this does provide sufficient authentication of the Git tarball. If the CGit tarball isn't trusted, then all bets are off anyway. Agreed. The caveat is that I'm not sure there is a convenient method for end-users or packagers to verify the authenticity of a cgit tarball. Those on the list can check the PGP signature on the announcement mail and then use the included SHA1 to check the tarball, but doing that as a non-list member isn't as easy due to many list archives stripping or mangling PGP signatures. I tried doing this with the 0.11 announcement from the Mailman and Gmane archives now and wasn't successful. Posting a detached PGP signature for the tarball would improve the ability for users to trust and verify the cgit tarball. It's not a blocker for your patch, but it would make it significantly more useful, so I thought I would broach the subject. ;) Thank you for all of your work on cgit. It's very nice to see it continue to improve, with even the smallest details getting attention. -- ToddOpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ Now don't say you can't swear off drinking; it's easy. I've done it a thousand times. -- W.C. Fields ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [PATCH 00/13] Fixes for problems detected by Sparse
Great idea. Merged. Thanks John. ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
