Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)
Hi Ludovic, Ludovic Courtès writes: > Mark H Weaver skribis: > >> Ludovic Courtès writes: >>> What would you think of releasing ‘stable-2.2’ as 2.2.5? >> >> I think it's a fine idea. > > Awesome. We’ll have to update NEWS; I can give it a go, but if you > could add bullet items for the things you’ve worked on, that’d be great. Sure, I can take care of updating NEWS in the next day or two. >>> It’s great if you can do it, Mark, but otherwise I can do it. >> >> Regrettably, Guile 2.2 has become too heavy to build on the only machine >> in my possession that I have any trust in. I don't have a machine that >> I consider sufficiently trustworthy to produce build outputs for wider >> distribution. I'm not sure that any of us do. > > Note that “make dist” is rather inexpensive; I assume it builds the prebuilt .go files, no? That involves running Guile's compiler, which is too heavy to run on my Yeeloong. > “distcheck” is much more > expensive though, but maybe avoidable for a minor release tarball. > >> To mitigate the risk that a compromised development machine could be >> used to attack others, I propose that we adopt a practice of distributed >> verification of release tarballs. We would publish code that uses Guix >> to produce the release tarball deterministically, and put out a call for >> volunteers to generate the tarball and post signed declarations >> containing the hash of the resulting tarball. After we have received >> several such declarations, we can sign and publish the official tarball. > > I don’t think this should block 2.2.5, but I think it’s an idea we > should explore. If you'd like to produce the 2.2.5 release in the traditional way, that's fine with me. I'm not comfortable doing it myself, though. > One issue is that “make dist” is non-deterministic because the archive > contains timestamps; I’m sure there of other sources of non-determinism > though, because “make dist” was not designed with that in mind. Right. I suppose the right approach is to start a conversation with the autotools developers. In the meantime, I wonder if we could implement our own deterministic version of "make dist" using Guix, and use that instead. Or perhaps it would be easier to use "make dist" and then canonicalize the timestamps in the resulting tarball in a later step? Thoughts? > The non-source byproducts in release tarballs are: the pre-built .go > files (which are optional), psyntax-pp.scm, and then Info files and all > the autotools machinery. Are these those you had in mind? Yes, all of the above are potential security risks, except possibly for the info files. Thanks! Mark
Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)
Hi Mark, Mark H Weaver skribis: > Ludovic Courtès writes: >> What would you think of releasing ‘stable-2.2’ as 2.2.5? > > I think it's a fine idea. Awesome. We’ll have to update NEWS; I can give it a go, but if you could add bullet items for the things you’ve worked on, that’d be great. >> It’s great if you can do it, Mark, but otherwise I can do it. > > Regrettably, Guile 2.2 has become too heavy to build on the only machine > in my possession that I have any trust in. I don't have a machine that > I consider sufficiently trustworthy to produce build outputs for wider > distribution. I'm not sure that any of us do. Note that “make dist” is rather inexpensive; “distcheck” is much more expensive though, but maybe avoidable for a minor release tarball. > To mitigate the risk that a compromised development machine could be > used to attack others, I propose that we adopt a practice of distributed > verification of release tarballs. We would publish code that uses Guix > to produce the release tarball deterministically, and put out a call for > volunteers to generate the tarball and post signed declarations > containing the hash of the resulting tarball. After we have received > several such declarations, we can sign and publish the official tarball. I don’t think this should block 2.2.5, but I think it’s an idea we should explore. One issue is that “make dist” is non-deterministic because the archive contains timestamps; I’m sure there of other sources of non-determinism though, because “make dist” was not designed with that in mind. The non-source byproducts in release tarballs are: the pre-built .go files (which are optional), psyntax-pp.scm, and then Info files and all the autotools machinery. Are these those you had in mind? Thoughts? Ludo’.
Re: Feedback for #21076
Hi Isaac, Isaac Jurado writes: > Apologies in advance if this is unorthodox. I just wanted to ping the > list because I sent a patch proposal to fix #21076. Since it's almost > 4 years old and I'm not sure if the bug tracking system notifies > properly. > > https://bugs.gnu.org/21076 I did already see your recent comments on that old bug, but I haven't yet found the time to properly investigate the issue. Ideally, Andy Wingo would chime in, since he has looked most closely at this issue in the past. Thanks, Mark
Feedback for #21076
Hello all, Apologies in advance if this is unorthodox. I just wanted to ping the list because I sent a patch proposal to fix #21076. Since it's almost 4 years old and I'm not sure if the bug tracking system notifies properly. https://bugs.gnu.org/21076 Best regards. -- Isaac Jurado "The noblest pleasure is the joy of understanding" Leonardo da Vinci
[PATCH] Fix texinfo->html for @i, @math, @tie and @dots
* module/texinfo/html.scm (tag-replacements): Add support for i and math, the tags used come from the texinfo documentation. (rules): Convert tie and dots to the appropriate HTML entities. --- module/texinfo/html.scm | 4 1 file changed, 4 insertions(+) diff --git a/module/texinfo/html.scm b/module/texinfo/html.scm index 6a07cffce..d505d7f12 100644 --- a/module/texinfo/html.scm +++ b/module/texinfo/html.scm @@ -203,9 +203,11 @@ name, @code{#}, and the node name." (asis span) (bold b) +(ii) (sample samp) (samp samp) (code code) +(math em) (kbd kbd) (key code (@ (class "key"))) (var var) @@ -241,6 +243,8 @@ name, @code{#}, and the node name." (cons tag body))) (copyright . ,(lambda args '(*ENTITY* "copy"))) (result. ,(lambda args '(*ENTITY* "rArr"))) +(tie . ,(lambda args '(*ENTITY* "nbsp"))) +(dots . ,(lambda args '(*ENTITY* "hellip"))) (xref . ,ref) (ref . ,ref) (pxref . ,ref) (uref . ,uref) (node . ,node) (anchor . ,node) -- 2.21.0
[PATCH] Fix texinfo->html for @i, @math, @tie and @dots
I spotted the following warnings when converting some texinfo to HTML (for Guix package descriptions). ;;; WARNING (Don't know how to convert *braces* to HTML) ;;; WARNING (Don't know how to convert dots to HTML) ;;; WARNING (Don't know how to convert i to HTML) ;;; WARNING (Don't know how to convert math to HTML) ;;; WARNING (Don't know how to convert tie to HTML) I'm not sure all the texinfo I was converting is well formed, but in all but the last 4 cases look possible to fix, and this patch might work. I wasn't able to get past running the ./configure script, so I haven't managed to test the changes. As for *braces*, I'm not quite sure what that relates to.
Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)
Hi Ludovic, Ludovic Courtès writes: > What would you think of releasing ‘stable-2.2’ as 2.2.5? I think it's a fine idea. > It’s great if you can do it, Mark, but otherwise I can do it. Regrettably, Guile 2.2 has become too heavy to build on the only machine in my possession that I have any trust in. I don't have a machine that I consider sufficiently trustworthy to produce build outputs for wider distribution. I'm not sure that any of us do. To mitigate the risk that a compromised development machine could be used to attack others, I propose that we adopt a practice of distributed verification of release tarballs. We would publish code that uses Guix to produce the release tarball deterministically, and put out a call for volunteers to generate the tarball and post signed declarations containing the hash of the resulting tarball. After we have received several such declarations, we can sign and publish the official tarball. What do you think? Mark