Re: [FFmpeg-devel] [FFmpeg-web][PATCH] web/download: add signing key and verification instructions
On 16/3/21 11:31 pm, Thilo Borgmann wrote: Am 10.03.21 um 18:19 schrieb Thilo Borgmann: Am 10.03.21 um 09:25 schrieb Zane van Iperen: Before you do, just give it a crack locally. I couldn't get the cloned version of the site to look identical to what's already published (something to do with incorrect CSS symlinks iirc). It's probably fine, but for something like this I'd rather err on the side of caution. I know this problem and I'm happily ignoring it - because the style thingys are living happily on the server and look like intended. So I don't expect any problems. If so, its the website being a bit more ugly for maybe some short time... Not doing it today anyway, so you can still test on if you feel the desire to get a 1:1 website locally. Pushed. I don't see any bad thing on ffmpeg.org, please check. Look all good to me. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [FFmpeg-web][PATCH] web/download: add signing key and verification instructions
Am 10.03.21 um 18:19 schrieb Thilo Borgmann: > Am 10.03.21 um 09:25 schrieb Zane van Iperen: >> Before you do, just give it a crack locally. >> >> I couldn't get the cloned version of the site to look identical to what's >> already published (something to do with incorrect CSS symlinks iirc). It's >> probably fine, but for something like this I'd rather err on the side of >> caution. > > I know this problem and I'm happily ignoring it - because the style thingys > are living happily on the server and look like intended. > > So I don't expect any problems. If so, its the website being a bit more ugly > for maybe some short time... > Not doing it today anyway, so you can still test on if you feel the desire to > get a 1:1 website locally. Pushed. I don't see any bad thing on ffmpeg.org, please check. -Thilo ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [FFmpeg-web][PATCH] web/download: add signing key and verification instructions
Am 10.03.21 um 09:25 schrieb Zane van Iperen: > Before you do, just give it a crack locally. > > I couldn't get the cloned version of the site to look identical to what's > already published (something to do with incorrect CSS symlinks iirc). It's > probably fine, but for something like this I'd rather err on the side of > caution. I know this problem and I'm happily ignoring it - because the style thingys are living happily on the server and look like intended. So I don't expect any problems. If so, its the website being a bit more ugly for maybe some short time... Not doing it today anyway, so you can still test on if you feel the desire to get a 1:1 website locally. -Thilo > > On 8/3/21 11:24 pm, Thilo Borgmann wrote: >> Am 24.02.21 um 17:53 schrieb Thilo Borgmann: >>> Am 24.02.21 um 05:06 schrieb Zane van Iperen: As per discussion at [1]. Patches attached. Patch 1/3 adds /node_modules/ to .gitignore Patch 2/3 adds the actual key and verification instructions Patch 3/3 adds a prominent download link for the public key. This might be bit obnoxious, but it was suggested in the original discussion. [1]: https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html >>> >>> As in [1] above I like that idea. However, I can't really comment on the >>> technical side of keys and signatures. So proper someones opinion with >>> actual knowledge would be appreciated. >> >> If there are no complains, I'll push that soon (tm). >> >> -Thilo >> ___ >> ffmpeg-devel mailing list >> ffmpeg-devel@ffmpeg.org >> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel >> >> To unsubscribe, visit link above, or email >> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". >> > ___ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [FFmpeg-web][PATCH] web/download: add signing key and verification instructions
Before you do, just give it a crack locally. I couldn't get the cloned version of the site to look identical to what's already published (something to do with incorrect CSS symlinks iirc). It's probably fine, but for something like this I'd rather err on the side of caution. Zane On 8/3/21 11:24 pm, Thilo Borgmann wrote: Am 24.02.21 um 17:53 schrieb Thilo Borgmann: Am 24.02.21 um 05:06 schrieb Zane van Iperen: As per discussion at [1]. Patches attached. Patch 1/3 adds /node_modules/ to .gitignore Patch 2/3 adds the actual key and verification instructions Patch 3/3 adds a prominent download link for the public key. This might be bit obnoxious, but it was suggested in the original discussion. [1]: https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html As in [1] above I like that idea. However, I can't really comment on the technical side of keys and signatures. So proper someones opinion with actual knowledge would be appreciated. If there are no complains, I'll push that soon (tm). -Thilo ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [FFmpeg-web][PATCH] web/download: add signing key and verification instructions
Am 24.02.21 um 17:53 schrieb Thilo Borgmann: > Am 24.02.21 um 05:06 schrieb Zane van Iperen: >> As per discussion at [1]. Patches attached. >> >> Patch 1/3 adds /node_modules/ to .gitignore >> >> Patch 2/3 adds the actual key and verification instructions >> >> Patch 3/3 adds a prominent download link for the public key. >> This might be bit obnoxious, but it was suggested in the original discussion. >> >> [1]: https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html > > As in [1] above I like that idea. However, I can't really comment on the > technical side of keys and signatures. So proper someones opinion with actual > knowledge would be appreciated. If there are no complains, I'll push that soon (tm). -Thilo ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [FFmpeg-web][PATCH] web/download: add signing key and verification instructions
Am 24.02.21 um 05:06 schrieb Zane van Iperen: > As per discussion at [1]. Patches attached. > > Patch 1/3 adds /node_modules/ to .gitignore > > Patch 2/3 adds the actual key and verification instructions > > Patch 3/3 adds a prominent download link for the public key. > This might be bit obnoxious, but it was suggested in the original discussion. > > [1]: https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html As in [1] above I like that idea. However, I can't really comment on the technical side of keys and signatures. So proper someones opinion with actual knowledge would be appreciated. Thanks! -Thilo ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [FFmpeg-web][PATCH] web/download: add signing key and verification instructions
As per discussion at [1]. Patches attached. Patch 1/3 adds /node_modules/ to .gitignore Patch 2/3 adds the actual key and verification instructions Patch 3/3 adds a prominent download link for the public key. This might be bit obnoxious, but it was suggested in the original discussion. [1]: https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html >From 85401bda30c00bbf02807baed5557c2b81dfa578 Mon Sep 17 00:00:00 2001 From: Zane van Iperen Date: Wed, 24 Feb 2021 12:38:20 +1000 Subject: [PATCH 1/3] gitignore: add /node_modules/ Signed-off-by: Zane van Iperen --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index b215828..60a2b0a 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /htdocs/components /htdocs/style.less /htdocs/fonts/*.woff2 +/node_modules/ -- 2.29.2 >From 6bdae11e7d1f6af67c5d1120a83f461e24621502 Mon Sep 17 00:00:00 2001 From: Zane van Iperen Date: Wed, 24 Feb 2021 12:33:08 +1000 Subject: [PATCH 2/3] web/download: add signing key and verification instructions As per discussion at https://ffmpeg.org/pipermail/ffmpeg-devel/2021-February/276752.html Signed-off-by: Zane van Iperen --- htdocs/ffmpeg-devel.asc | 30 ++ src/download| 34 ++ 2 files changed, 64 insertions(+) create mode 100644 htdocs/ffmpeg-devel.asc diff --git a/htdocs/ffmpeg-devel.asc b/htdocs/ffmpeg-devel.asc new file mode 100644 index 000..3a4d521 --- /dev/null +++ b/htdocs/ffmpeg-devel.asc @@ -0,0 +1,30 @@ +-BEGIN PGP PUBLIC KEY BLOCK- + +mQENBE22rV0BCAC3DzRmA2XlhrqYv9HKoEvNHHf+PzosmCTHmYhWHDqvBxPkSvCl +ipkbvJ4pBnVvcX6mW5QyKhspHm5j1X5ibe9Bt9/chS/obnIobmvF8shSUgjQ0qRW +9c1aWOjvT26SxYQ1y9TmYCFwixeydGFHYKjAim+evGUccni5KMlfPoT3VTPtim78 +ufkr3E9Nco/Mobn/8APO0NmLEGWAM6ln/8J/c9h6a1QKnQyBqWfT0YnAaebafFaZ +YwOtRdDG54VbJ4xwcHbCj5cKhTABk/QtBzDvnW4bG+uSpqdHbFZEY2JpURDuj/T3 +NudKQGzn0bYNpY1XY2l0pqs/btKHnBW0fVMjABEBAAG0NEZGbXBlZyByZWxlYXNl +IHNpZ25pbmcga2V5IDxmZm1wZWctZGV2ZWxAZmZtcGVnLm9yZz6JATgEEwECACIF +Ak22rV0CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJELQyLwTWdljYKxUH +/1fqzl7SKie2g4t4PJbqUbkLuMsC+CP6gp0dcVZOHkuUYAoD3PM3iVxpLBVyKIXI +g7wMSTAtlIcYnzhWIpnoCBes6/O2Mrq6xHgGeTp6CDcm3LmmSYR1f5KdD8KUaA+l +c/M/1fEnwrSs/UGDk6R6iUmbqwxPsbozlOvmUHOLbDZBnKrk9XfAJdUhAuFACrSA +T+KF1jniz0OfNGd23SaHWRCphoRW9pXDc5FfkdaueBUvBvGv19ZNcDhcxT3/u6z2 +DaUFC0rLWqk8obo951jVvi/zOhB94Pw6u1SLvcTq3V1q5URWJtgSbpih9VRqxUbQ +NbXduKGzbHz6Vwpkupz4JRe5AQ0ETbatXQEIANjYrygJi/fn1nlSg5Mz0l9KHDm4 +yfWtaOrXUjJcyiGe4G0XXJLGh45qxJ0DOKzi9id+9W4jby+kKuzG9O6Vn0iDeODO +aOGnz4ua7Vu6d0AbYfNXZPWge/GCodo/ZD/qri1tPkLmRtT/sniahwy6LruPNHfF +SRoNIjwbcD/IL+EbY1pL1/IFSzEAA1ZZamgmHgB7o9pwDIkK6HuvHMR/Y5MsoMfV +fWV3ZGtA6v9z51CvnHsHPsADRSnUp7aYtR412SiAO4XodMLTA92L3LxgYhI4ma7D +XZ8jgKg4JkKO+DXmoU63HtRdq/HZjeXJKk1JGJF3zCvP3DyIzZ8LWIjN8t0AEQEA +AYkBHwQYAQIACQUCTbatXQIbDAAKCRC0Mi8E1nZY2LS8B/0bMoUAl4X9D0WQbL4l +U0czCIOKOsvbHpIxivjCnOQxU23+PV5WZdoCCpSuAHGv+2OHzhNrij++P9BNTJeQ +skxdS9FH4MZwy1IRSPrxegSxbCUpBI1rd0Zf7qb9BNPrHPTueWFV1uExOSB2Apsv +WrKo2D8mR0uZAPYfYl2ToFVoa5PR7/+ii9WiJr/flF6qm7hoLpI5Bm4VcZh2GPsJ +9Vo/8x/qOGwtdWHqBykYloKsrwD4U69rjn+d9feLoPBRgoVroXWQttt0sUnyoudz ++x8ETJgPoNK3kQoDagApj4qAt83Ayac3HzNIuEJ7LdvfINIOprujnJ9vH4n04XLg +I4EZ +=Rjbw +-END PGP PUBLIC KEY BLOCK- diff --git a/src/download b/src/download index 3f0e4d2..b82f446 100644 --- a/src/download +++ b/src/download @@ -249,6 +249,40 @@ + + +Release Verification + + +All FFmpeg releases are cryptographically signed with +our public PGP key and should be verified for +authenticity. + + pub rsa2048 2011-04-26 [SC] +FCF986EA15E6E293A5644F10B4322F04D67658D8 +uid [ full ] FFmpeg release signing key ffmpeg-devel@ffmpeg.org +sub rsa2048 2011-04-26 [E] + + +To verify a release: + + Import our public key into your local keyring: +$ curl https://ffmpeg.org/ffmpeg-devel.asc | gpg --import + + +Download a release tarball and its corresponding signature. + + +Verify the signature: +$ gpg --verify ffmpeg-4.3.2.tar.xz.asc ffmpeg-4.3.2.tar.xz +gpg: Signature made Sun 21 Feb 2021 06:35:15 AEST +gpg:using RSA key FCF986EA15E6E293A5644F10B4322F04D67658D8 +gpg:issuer "ffmpeg-devel@ffmpeg.org" +gpg: Good signature from "FFmpeg release signing key ffmpeg-devel@ffmpeg.org" [full] + + + + Releases -- 2.29.2 >From 1f6f170dd3a59b3e1bccd14c8c1b42e41448aaf1 Mon Sep 17 00:00:00 2001 From: Zane van Iperen Date: Wed, 24 Feb 2021 13:45:42 +1000 Subject: [PATCH 3/3] web/download: add prominent signing key download link Signed-off-by: Zane van Iperen --- src/download | 5 + 1 file changed, 5 insertions(+) diff --git a/src/download b/src/download index b82f446..a6483a6 100644 --- a/src/download +++ b/src/download @@ -5,6 +5,11 @@ Download Source Code ffmpeg-snapshot.tar.bz2 + + +