Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)

[Mark H Weaver]

Hi Ludovic,

Ludovic Courtès  writes:

> Mark H Weaver  skribis:
>
>> Ludovic Courtès  writes:
>>> What would you think of releasing ‘stable-2.2’ as 2.2.5?
>>
>> I think it's a fine idea.
>
> Awesome.  We’ll have to update NEWS; I can give it a go, but if you
> could add bullet items for the things you’ve worked on, that’d be great.

Sure, I can take care of updating NEWS in the next day or two.

>>> It’s great if you can do it, Mark, but otherwise I can do it.
>>
>> Regrettably, Guile 2.2 has become too heavy to build on the only machine
>> in my possession that I have any trust in.  I don't have a machine that
>> I consider sufficiently trustworthy to produce build outputs for wider
>> distribution.  I'm not sure that any of us do.
>
> Note that “make dist” is rather inexpensive;

I assume it builds the prebuilt .go files, no?  That involves running
Guile's compiler, which is too heavy to run on my Yeeloong.

> “distcheck” is much more
> expensive though, but maybe avoidable for a minor release tarball.
>
>> To mitigate the risk that a compromised development machine could be
>> used to attack others, I propose that we adopt a practice of distributed
>> verification of release tarballs.  We would publish code that uses Guix
>> to produce the release tarball deterministically, and put out a call for
>> volunteers to generate the tarball and post signed declarations
>> containing the hash of the resulting tarball.  After we have received
>> several such declarations, we can sign and publish the official tarball.
>
> I don’t think this should block 2.2.5, but I think it’s an idea we
> should explore.

If you'd like to produce the 2.2.5 release in the traditional way,
that's fine with me.  I'm not comfortable doing it myself, though.

> One issue is that “make dist” is non-deterministic because the archive
> contains timestamps; I’m sure there of other sources of non-determinism
> though, because “make dist” was not designed with that in mind.

Right.  I suppose the right approach is to start a conversation with the
autotools developers.  In the meantime, I wonder if we could implement
our own deterministic version of "make dist" using Guix, and use that
instead.  Or perhaps it would be easier to use "make dist" and then
canonicalize the timestamps in the resulting tarball in a later step?

Thoughts?

> The non-source byproducts in release tarballs are: the pre-built .go
> files (which are optional), psyntax-pp.scm, and then Info files and all
> the autotools machinery.  Are these those you had in mind?

Yes, all of the above are potential security risks, except possibly for
the info files.

 Thanks!
   Mark

Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)

[Ludovic Courtès]

Hi Mark,

Mark H Weaver  skribis:

> Ludovic Courtès  writes:
>> What would you think of releasing ‘stable-2.2’ as 2.2.5?
>
> I think it's a fine idea.

Awesome.  We’ll have to update NEWS; I can give it a go, but if you
could add bullet items for the things you’ve worked on, that’d be great.

>> It’s great if you can do it, Mark, but otherwise I can do it.
>
> Regrettably, Guile 2.2 has become too heavy to build on the only machine
> in my possession that I have any trust in.  I don't have a machine that
> I consider sufficiently trustworthy to produce build outputs for wider
> distribution.  I'm not sure that any of us do.

Note that “make dist” is rather inexpensive; “distcheck” is much more
expensive though, but maybe avoidable for a minor release tarball.

> To mitigate the risk that a compromised development machine could be
> used to attack others, I propose that we adopt a practice of distributed
> verification of release tarballs.  We would publish code that uses Guix
> to produce the release tarball deterministically, and put out a call for
> volunteers to generate the tarball and post signed declarations
> containing the hash of the resulting tarball.  After we have received
> several such declarations, we can sign and publish the official tarball.

I don’t think this should block 2.2.5, but I think it’s an idea we
should explore.

One issue is that “make dist” is non-deterministic because the archive
contains timestamps; I’m sure there of other sources of non-determinism
though, because “make dist” was not designed with that in mind.

The non-source byproducts in release tarballs are: the pre-built .go
files (which are optional), psyntax-pp.scm, and then Info files and all
the autotools machinery.  Are these those you had in mind?

Thoughts?

Ludo’.

Re: Feedback for #21076

[Mark H Weaver]

Hi Isaac,

Isaac Jurado  writes:

> Apologies in advance if this is unorthodox.  I just wanted to ping the
> list because I sent a patch proposal to fix #21076.  Since it's almost
> 4 years old and I'm not sure if the bug tracking system notifies
> properly.
>
> https://bugs.gnu.org/21076

I did already see your recent comments on that old bug, but I haven't
yet found the time to properly investigate the issue.  Ideally, Andy
Wingo would chime in, since he has looked most closely at this issue in
the past.

  Thanks,
Mark

Feedback for #21076

[Isaac Jurado]

Hello all,

Apologies in advance if this is unorthodox.  I just wanted to ping the
list because I sent a patch proposal to fix #21076.  Since it's almost
4 years old and I'm not sure if the bug tracking system notifies
properly.

https://bugs.gnu.org/21076

Best regards.

-- 
Isaac Jurado

"The noblest pleasure is the joy of understanding"
Leonardo da Vinci

[PATCH] Fix texinfo->html for @i, @math, @tie and @dots

[Christopher Baines]

* module/texinfo/html.scm (tag-replacements): Add support for i and
math, the tags used come from the texinfo documentation.
(rules): Convert tie and dots to the appropriate HTML entities.
---
 module/texinfo/html.scm | 4 
 1 file changed, 4 insertions(+)

diff --git a/module/texinfo/html.scm b/module/texinfo/html.scm
index 6a07cffce..d505d7f12 100644
--- a/module/texinfo/html.scm
+++ b/module/texinfo/html.scm
@@ -203,9 +203,11 @@ name, @code{#}, and the node name."
 
 (asis span)
 (bold b)
+(ii)
 (sample   samp)
 (samp samp)
 (code code)
+(math em)
 (kbd  kbd)
 (key  code (@ (class "key")))
 (var  var)
@@ -241,6 +243,8 @@ name, @code{#}, and the node name."
   (cons tag body)))
 (copyright . ,(lambda args '(*ENTITY* "copy")))
 (result. ,(lambda args '(*ENTITY* "rArr")))
+(tie   . ,(lambda args '(*ENTITY* "nbsp")))
+(dots  . ,(lambda args '(*ENTITY* "hellip")))
 (xref . ,ref) (ref . ,ref) (pxref . ,ref)
 (uref . ,uref)
 (node . ,node) (anchor . ,node)
-- 
2.21.0

[PATCH] Fix texinfo->html for @i, @math, @tie and @dots

[Christopher Baines]

I spotted the following warnings when converting some texinfo to HTML
(for Guix package descriptions).

;;; WARNING (Don't know how to convert *braces* to HTML)
;;; WARNING (Don't know how to convert dots to HTML)
;;; WARNING (Don't know how to convert i to HTML)
;;; WARNING (Don't know how to convert math to HTML)
;;; WARNING (Don't know how to convert tie to HTML)

I'm not sure all the texinfo I was converting is well formed, but in all
but the last 4 cases look possible to fix, and this patch might work. I
wasn't able to get past running the ./configure script, so I haven't
managed to test the changes.

As for *braces*, I'm not quite sure what that relates to.

Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)

[Mark H Weaver]

Hi Ludovic,

Ludovic Courtès  writes:
> What would you think of releasing ‘stable-2.2’ as 2.2.5?

I think it's a fine idea.

> It’s great if you can do it, Mark, but otherwise I can do it.

Regrettably, Guile 2.2 has become too heavy to build on the only machine
in my possession that I have any trust in.  I don't have a machine that
I consider sufficiently trustworthy to produce build outputs for wider
distribution.  I'm not sure that any of us do.

To mitigate the risk that a compromised development machine could be
used to attack others, I propose that we adopt a practice of distributed
verification of release tarballs.  We would publish code that uses Guix
to produce the release tarball deterministically, and put out a call for
volunteers to generate the tarball and post signed declarations
containing the hash of the resulting tarball.  After we have received
several such declarations, we can sign and publish the official tarball.

What do you think?

  Mark