Re: Congratulations! Missing 3.0.0 tag?
Randall S. Becker wrote in <015301d7a5be$22589940$6709cbc0$@nexbridge.com>: .. |cture" would have to reconstruct the Merkel Tree, which, even in SHA-1 \ Now you digress. But i had nothing to say from the start.. Good night! --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
RE: Congratulations! Missing 3.0.0 tag?
On September 9, 2021 4:34 PM, Steffen Nurpmeso wrote: >Randall S. Becker wrote in > <014c01d7a5b7$a0a7d1f0$e1f775d0$@nexbridge.com>: > ... > >You are right in everything that you say. > > |Strictly speaking, the signature on a tag is considered immutable and \ > |transitively applies the signature to the commit (it does not >really, \ |but the effect is the same). The signature on a tag becomes >invalid \ > >The tag namespace is separate though. Not that it matters in practice. Just >saying. > > |if the underlying commit, or parents of that commit in git's Merkel \ |Tree > changes, so it is quite a strong signature. AFIAK, adding a >signature \ |to the commit itself does not really improve the strength of the >signing \ |(much), unless one implements a multi-signature >structure - like the \ |commit and signatures on three tags on the same >commit. You have then \ |implemented a three-signature >authority, which basically is a Blockchain\ |-style authority (not quite - I >used "-style"), providing that you \ |do trust the signers. I think >the word for that is "over-kill" , \ |but maybe not in the case of OpenSSL. > >Well. The thing is, to me, that commits happen much more often than tags. >Tags are in a different namespace also. "Sealing the >branches" with a signed commit at times helps in case of trouble, even for a >distributed version control system like git, with its "hardened >SHA-1" checksums. So of course all the core developers and a lot of other >people have full repo clones and shall someone break in some >infrastructure and mess around the OpenSSL team could simply talk and exchange >hashes, and reinstantiate the master proper. For >people having local clones that came in via git:// protocol even a signed >commit here and there would really be nice. (For my tiny things i >offer only https?, and "seal" all stable/ and release/ branches as well as >master, only the development branches have no signature.) The git signature structure is based on GPG signatures for one, not SHA-1. The tag namespace does not matter here. The signature becomes invalid if the combined tree of the commit the tag references changes. If the commit is replaced, the signature becomes invalid regardless of who does it. You can replace a signed commit with another signed commit but you would need to have the public side of the GPG key to validate it. A tag would not point to the new commit without breaking the signature. No one could replace Richard's signature, for example, except for Richard on the openssl-3.0.0 tag. The "breaking the infrastructure" would have to reconstruct the Merkel Tree, which, even in SHA-1 has a one in a billion chance of working, but that is unlikely to result in useful source code. So there is a certain amount of trust of the signatures of the committers - they should probably publish their public keys so we can do the validation. It might be helpful if GitHub moved to SHA-256 repositories, though.
Re: Congratulations! Missing 3.0.0 tag?
Randall S. Becker wrote in <014c01d7a5b7$a0a7d1f0$e1f775d0$@nexbridge.com>: ... You are right in everything that you say. |Strictly speaking, the signature on a tag is considered immutable and \ |transitively applies the signature to the commit (it does not really, \ |but the effect is the same). The signature on a tag becomes invalid \ The tag namespace is separate though. Not that it matters in practice. Just saying. |if the underlying commit, or parents of that commit in git's Merkel \ |Tree changes, so it is quite a strong signature. AFIAK, adding a signature \ |to the commit itself does not really improve the strength of the signing \ |(much), unless one implements a multi-signature structure - like the \ |commit and signatures on three tags on the same commit. You have then \ |implemented a three-signature authority, which basically is a Blockchain\ |-style authority (not quite - I used "-style"), providing that you \ |do trust the signers. I think the word for that is "over-kill" , \ |but maybe not in the case of OpenSSL. Well. The thing is, to me, that commits happen much more often than tags. Tags are in a different namespace also. "Sealing the branches" with a signed commit at times helps in case of trouble, even for a distributed version control system like git, with its "hardened SHA-1" checksums. So of course all the core developers and a lot of other people have full repo clones and shall someone break in some infrastructure and mess around the OpenSSL team could simply talk and exchange hashes, and reinstantiate the master proper. For people having local clones that came in via git:// protocol even a signed commit here and there would really be nice. (For my tiny things i offer only https?, and "seal" all stable/ and release/ branches as well as master, only the development branches have no signature.) --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
RE: Congratulations! Missing 3.0.0 tag?
On September 9, 2021 3:26 PM, Steffen Nurpmeso wrote: >To: Randall S. Becker >Cc: 'Benjamin Kaduk' ; openssl-users@openssl.org >Subject: Re: Congratulations! Missing 3.0.0 tag? > >Randall S. Becker wrote in > <012201d7a590$56df08d0$049d1a70$@nexbridge.com>: > |On September 9, 2021 6:56 AM, Steffen Nurpmeso wrote: > |>Benjamin Kaduk wrote in > |> <20210908233639.gy19...@akamai.com>: > |>|On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote: > ... > |>|I think (off the top of my head, i.e., without consulting a reference) \ > |>| |that `git log` (which your aliases end up at) will only >|display |>|signatures on commits, but will not show the tag objects >themselves. > |>|`git show` does display the tag object, and for openssl only the \ |>|tag > |object is what is signed; the commits themselves are not >|signed. > |> > |>I see. That is a logical one, thanks for the explanation. > ... > |$ git tag --verify openssl-3.0.0 > >Yes yes, ok! But like i said, wouldn't it be nice if at least release commits >would be signed also, a.k.a./or when a new branch is created? >In Linux for example the merge commits to the master branch are signed, in >addition to the tags of the actual releases. >It may even be a deja vu and i may have clamoured in the past. Strictly speaking, the signature on a tag is considered immutable and transitively applies the signature to the commit (it does not really, but the effect is the same). The signature on a tag becomes invalid if the underlying commit, or parents of that commit in git's Merkel Tree changes, so it is quite a strong signature. AFIAK, adding a signature to the commit itself does not really improve the strength of the signing (much), unless one implements a multi-signature structure - like the commit and signatures on three tags on the same commit. You have then implemented a three-signature authority, which basically is a Blockchain-style authority (not quite - I used "-style"), providing that you do trust the signers. I think the word for that is "over-kill" , but maybe not in the case of OpenSSL. -Randall
Re: Congratulations! Missing 3.0.0 tag?
Randall S. Becker wrote in <012201d7a590$56df08d0$049d1a70$@nexbridge.com>: |On September 9, 2021 6:56 AM, Steffen Nurpmeso wrote: |>Benjamin Kaduk wrote in |> <20210908233639.gy19...@akamai.com>: |>|On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote: ... |>|I think (off the top of my head, i.e., without consulting a reference) \ |>| |that `git log` (which your aliases end up at) will only |display |>|signatures on commits, but will not show the tag objects themselves. |>|`git show` does display the tag object, and for openssl only the \ |>|tag |object is what is signed; the commits themselves are not |signed. |> |>I see. That is a logical one, thanks for the explanation. ... |$ git tag --verify openssl-3.0.0 Yes yes, ok! But like i said, wouldn't it be nice if at least release commits would be signed also, a.k.a./or when a new branch is created? In Linux for example the merge commits to the master branch are signed, in addition to the tags of the actual releases. It may even be a deja vu and i may have clamoured in the past. ... |Although I do not have Richard's public key on the system where I ran \ |the command and GitHub is not showing the verification status |of the tag. I do not know much about github. In fact i did not even know that the Linux release commits are _not_ signed, because if i look (what do _i_ know from the kernel?) then i only look at master, and there you see signed commits. And since my url= is https i do not actually verify tags. (In fact it is automated and simply diff(1)s in the difference to the version stated in the Makefile in /usr/src/linux/.) But true, the last merge before Linux 5.14 was signed, but the creation of the linux-5.14.y branch not. Ach, forget about the noise, i hope next time i finally have my head turned on before i post :) Thank you. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
RE: Congratulations! Missing 3.0.0 tag?
On September 9, 2021 6:56 AM, Steffen Nurpmeso wrote: >Benjamin Kaduk wrote in > <20210908233639.gy19...@akamai.com>: > |On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote: > |> But if i use > |> > |> #?0|kent:tls-openssl.git$ alias gl1 > |> alias gl1='git slpn -1' > |> #?0|kent:tls-openssl.git$ git alias|grep slpn > |> alias.slpn log --show-signature --patch --find-renames --stat --no-abbr\ > |> ev-commit > |> #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0 > |> commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: refs/tags/openssl\ > |> -3.0.0) > |> ... > |> > |> i do not. Hm, maybe i need to relearn git again, looking around |> i see > a couple of projects for which this is true (Linux, |> >wireguard-tools), for others it is not (my own project, nghttp2). > | > |I think (off the top of my head, i.e., without consulting a reference) > |that `git log` (which your aliases end up at) will only display >|signatures on commits, but will not show the tag objects themselves. > |`git show` does display the tag object, and for openssl only the tag > |object is what is signed; the commits themselves are not signed. > >I see. That is a logical one, thanks for the explanation. >Sometimes one (Me! That is.) really would have to drop all entrenched habits, >aliases and scripts and do anything anew. For example i >now have learned that "push" also can be signed! (And yes, i do use commit -S >and tag -s for release tags for .. many >years.) > > |-Ben > --End of <20210908233639.gy19...@akamai.com> > >--steffen $ git tag --verify openssl-3.0.0 object 89cd17a031e022211684eb7eb41190cf1910f9fa type commit tag openssl-3.0.0 tagger Richard Levitte 1631015200 +0200 OpenSSL 3.0.0 release tag gpg: Signature made Tue Sep 7 07:46:40 2021 EDT gpg:using DSA key A7AF9E78F709453B gpg: Can't check signature: public key not found Although I do not have Richard's public key on the system where I ran the command and GitHub is not showing the verification status of the tag. -Randall
RE: Congratulations! Missing 3.0.0 tag?
When git cloning, please remember that you might have to perform a git fetch --tags to pick up all tags from the upstream repository. After that, perform a git checkout openssl-3.0.0, which will give you a disconnected HEAD, but will refer to the correct release. You can always make your own branch to point there. Do not use the openssl-3.0 branch for building 3.0.0 – it already points to a new commit in the preparation for the subsequent release. Randall S. Becker, ITUGLIB Process Designer, Repository Manager, Occasional Porting Dude +1.416.984.9826 From: openssl-users On Behalf Of William Roberts Sent: September 8, 2021 5:39 PM To: openssl-users@openssl.org Subject: Re: Congratulations! Missing 3.0.0 tag? It's there: https://github.com/openssl/openssl/releases/tag/openssl-3.0.0 I checked it out this morning. On Wed, Sep 8, 2021, 16:32 Steffen Nurpmeso mailto:stef...@sdaoden.eu> > wrote: Yeah? :) --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Congratulations! Missing 3.0.0 tag?
Benjamin Kaduk wrote in <20210908233639.gy19...@akamai.com>: |On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote: |> But if i use |> |> #?0|kent:tls-openssl.git$ alias gl1 |> alias gl1='git slpn -1' |> #?0|kent:tls-openssl.git$ git alias|grep slpn |> alias.slpn log --show-signature --patch --find-renames --stat --no-abbr\ |> ev-commit |> #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0 |> commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: refs/tags/openssl\ |> -3.0.0) |> ... |> |> i do not. Hm, maybe i need to relearn git again, looking around |> i see a couple of projects for which this is true (Linux, |> wireguard-tools), for others it is not (my own project, nghttp2). | |I think (off the top of my head, i.e., without consulting a reference) |that `git log` (which your aliases end up at) will only display |signatures on commits, but will not show the tag objects themselves. |`git show` does display the tag object, and for openssl only the tag |object is what is signed; the commits themselves are not signed. I see. That is a logical one, thanks for the explanation. Sometimes one (Me! That is.) really would have to drop all entrenched habits, aliases and scripts and do anything anew. For example i now have learned that "push" also can be signed! (And yes, i do use commit -S and tag -s for release tags for .. many years.) |-Ben --End of <20210908233639.gy19...@akamai.com> --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Congratulations! Missing 3.0.0 tag?
On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote: > But if i use > > #?0|kent:tls-openssl.git$ alias gl1 > alias gl1='git slpn -1' > #?0|kent:tls-openssl.git$ git alias|grep slpn > alias.slpn log --show-signature --patch --find-renames --stat > --no-abbrev-commit > #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0 > commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: > refs/tags/openssl-3.0.0) > ... > > i do not. Hm, maybe i need to relearn git again, looking around > i see a couple of projects for which this is true (Linux, > wireguard-tools), for others it is not (my own project, nghttp2). > Eg "alias.slo log --show-signature --oneline --graph": I think (off the top of my head, i.e., without consulting a reference) that `git log` (which your aliases end up at) will only display signatures on commits, but will not show the tag objects themselves. `git show` does display the tag object, and for openssl only the tag object is what is signed; the commits themselves are not signed. -Ben
Re: Congratulations! Missing 3.0.0 tag?
With the change to (almost) semantic versioning, we also decided to make the tags easier to type. Pauli On 9/9/21 9:03 am, Steffen Nurpmeso wrote: Benjamin Kaduk wrote in <2021090848.gx19...@akamai.com>: |On Thu, Sep 09, 2021 at 12:15:44AM +0200, Steffen Nurpmeso wrote: |> |> P.S.: maybe at least release commits and tags could be signed? |> And/or HTTPS access to the repository ... but then i get the gut |> feeling that the answer to this will be "use github" or something. | |tag openssl-3.0.0 |Tagger: Richard Levitte |Date: Tue Sep 7 13:46:40 2021 +0200 | |OpenSSL 3.0.0 release tag |-BEGIN PGP SIGNATURE- | |iFwEABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCYTdRIAAKCRCnr5549wlF |O7wEAJ90wRuQnQYdf7RrzD7p2tf2eZhP4QCXeXX3a1IgbIgfU7WuLZ44BbXF7w== |=pGf9 |-END PGP SIGNATURE- | |looks signed to me. That is really interesting now. If i use "git show openssl-3.0.0" i see this myself. tag openssl-3.0.0 Tagger: Richard Levitte TaggerDate: 2021-09-07 13:46:40 +0200 OpenSSL 3.0.0 release tag -BEGIN PGP SIGNATURE- iFwEABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCYTdRIAAKCRCnr5549wlF O7wEAJ90wRuQnQYdf7RrzD7p2tf2eZhP4QCXeXX3a1IgbIgfU7WuLZ44BbXF7w== =pGf9 -END PGP SIGNATURE- commit 89cd17a031 (tag: refs/tags/openssl-3.0.0) ... But if i use #?0|kent:tls-openssl.git$ alias gl1 alias gl1='git slpn -1' #?0|kent:tls-openssl.git$ git alias|grep slpn alias.slpn log --show-signature --patch --find-renames --stat --no-abbrev-commit #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0 commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: refs/tags/openssl-3.0.0) ... i do not. Hm, maybe i need to relearn git again, looking around i see a couple of projects for which this is true (Linux, wireguard-tools), for others it is not (my own project, nghttp2). Eg "alias.slo log --show-signature --oneline --graph": #?141|kent:nail.git$ git slo -1 master Reading passphrase from file descriptor 4 * 69be61071c (...) gpg: Signature made Wed 01 Sep 2021 01:19:46 PM CEST | gpg:using RSA key DF082F6AEEC8C2FF | gpg: Good signature from "Steffen Nurpmeso " | gpg: WARNING: This key is not certified with a trusted signature! | gpg: There is no indication that the signature belongs to the owner. | Primary key fingerprint: EE19 E1C1 F2F7 054F 8D39 54D8 3089 64B5 1883 A0DD | Subkey fingerprint: 8A2A 4D60 9FDC 539C 75F5 5B95 DF08 2F6A EEC8 C2FF | Clear an installed alarm(2) in fork(2)ed childs (Stephen Isard) #?0|kent:nghttp2.git$ git slo -1 fcc20334da Reading passphrase from file descriptor 4 * fcc20334da gpg: Signature made Sat 04 Sep 2021 10:26:47 AM CEST |\ gpg:using RSA key 4AEE18F83AFDEB23 | | gpg: Can't check signature: public key not found | | Merge pull request #1613 from mkauf/check_pseudo_header_chars #?0|kent:wireguard-tools.git$ git slo -1 v1.0.20210424 * ecb1ea29d7 (tag: refs/tags/v1.0.20210424) version: bump #?128|kent:linux.git$ git slo -1 v5.10.62 * f6dd002450 (tag: refs/tags/v5.10.62, refs/remotes/origin/linux-5.10.y) Linux 5.10.62 Ooops, i am totally off again. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Congratulations! Missing 3.0.0 tag?
Benjamin Kaduk wrote in <2021090848.gx19...@akamai.com>: |On Thu, Sep 09, 2021 at 12:15:44AM +0200, Steffen Nurpmeso wrote: |> |> P.S.: maybe at least release commits and tags could be signed? |> And/or HTTPS access to the repository ... but then i get the gut |> feeling that the answer to this will be "use github" or something. | |tag openssl-3.0.0 |Tagger: Richard Levitte |Date: Tue Sep 7 13:46:40 2021 +0200 | |OpenSSL 3.0.0 release tag |-BEGIN PGP SIGNATURE- | |iFwEABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCYTdRIAAKCRCnr5549wlF |O7wEAJ90wRuQnQYdf7RrzD7p2tf2eZhP4QCXeXX3a1IgbIgfU7WuLZ44BbXF7w== |=pGf9 |-END PGP SIGNATURE- | |looks signed to me. That is really interesting now. If i use "git show openssl-3.0.0" i see this myself. tag openssl-3.0.0 Tagger: Richard Levitte TaggerDate: 2021-09-07 13:46:40 +0200 OpenSSL 3.0.0 release tag -BEGIN PGP SIGNATURE- iFwEABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCYTdRIAAKCRCnr5549wlF O7wEAJ90wRuQnQYdf7RrzD7p2tf2eZhP4QCXeXX3a1IgbIgfU7WuLZ44BbXF7w== =pGf9 -END PGP SIGNATURE- commit 89cd17a031 (tag: refs/tags/openssl-3.0.0) ... But if i use #?0|kent:tls-openssl.git$ alias gl1 alias gl1='git slpn -1' #?0|kent:tls-openssl.git$ git alias|grep slpn alias.slpn log --show-signature --patch --find-renames --stat --no-abbrev-commit #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0 commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: refs/tags/openssl-3.0.0) ... i do not. Hm, maybe i need to relearn git again, looking around i see a couple of projects for which this is true (Linux, wireguard-tools), for others it is not (my own project, nghttp2). Eg "alias.slo log --show-signature --oneline --graph": #?141|kent:nail.git$ git slo -1 master Reading passphrase from file descriptor 4 * 69be61071c (...) gpg: Signature made Wed 01 Sep 2021 01:19:46 PM CEST | gpg:using RSA key DF082F6AEEC8C2FF | gpg: Good signature from "Steffen Nurpmeso " | gpg: WARNING: This key is not certified with a trusted signature! | gpg: There is no indication that the signature belongs to the owner. | Primary key fingerprint: EE19 E1C1 F2F7 054F 8D39 54D8 3089 64B5 1883 A0DD | Subkey fingerprint: 8A2A 4D60 9FDC 539C 75F5 5B95 DF08 2F6A EEC8 C2FF | Clear an installed alarm(2) in fork(2)ed childs (Stephen Isard) #?0|kent:nghttp2.git$ git slo -1 fcc20334da Reading passphrase from file descriptor 4 * fcc20334da gpg: Signature made Sat 04 Sep 2021 10:26:47 AM CEST |\ gpg:using RSA key 4AEE18F83AFDEB23 | | gpg: Can't check signature: public key not found | | Merge pull request #1613 from mkauf/check_pseudo_header_chars #?0|kent:wireguard-tools.git$ git slo -1 v1.0.20210424 * ecb1ea29d7 (tag: refs/tags/v1.0.20210424) version: bump #?128|kent:linux.git$ git slo -1 v5.10.62 * f6dd002450 (tag: refs/tags/v5.10.62, refs/remotes/origin/linux-5.10.y) Linux 5.10.62 Ooops, i am totally off again. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Congratulations! Missing 3.0.0 tag?
On Thu, Sep 09, 2021 at 12:15:44AM +0200, Steffen Nurpmeso wrote: > > P.S.: maybe at least release commits and tags could be signed? > And/or HTTPS access to the repository ... but then i get the gut > feeling that the answer to this will be "use github" or something. tag openssl-3.0.0 Tagger: Richard Levitte Date: Tue Sep 7 13:46:40 2021 +0200 OpenSSL 3.0.0 release tag -BEGIN PGP SIGNATURE- iFwEABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCYTdRIAAKCRCnr5549wlF O7wEAJ90wRuQnQYdf7RrzD7p2tf2eZhP4QCXeXX3a1IgbIgfU7WuLZ44BbXF7w== =pGf9 -END PGP SIGNATURE- looks signed to me. -Ben
Re: Congratulations! Missing 3.0.0 tag?
On Wed, Sep 8, 2021 at 5:15 PM Steffen Nurpmeso wrote: > > Hello. > > William Roberts wrote in > : > |It's there: > |https://github.com/openssl/openssl/releases/tag/openssl-3.0.0 > | > |I checked it out this morning. > > Oh! I have > > fetch = +refs/heads/master:refs/remotes/origin/master > fetch = > +refs/heads/OpenSSL_1_0_2-stable:refs/remotes/origin/OpenSSL_1_0_2-stable > fetch = > +refs/heads/OpenSSL_1_0_1-stable:refs/remotes/origin/OpenSSL_1_0_1-stable > fetch = > +refs/heads/OpenSSL_1_1_0-stable:refs/remotes/origin/OpenSSL_1_1_0-stable > fetch = > +refs/heads/OpenSSL_1_1_1-stable:refs/remotes/origin/OpenSSL_1_1_1-stable > > and only saw refs/tags/openssl-3.0.0-alpha* and -beta*! > I see now via ls-remote there is a new openssl-3.0 branch.. > > From git://git.openssl.org/openssl >* [new branch]openssl-3.0 -> origin/openssl-3.0 >* [new tag] openssl-3.0.0 -> openssl-3.0.0 > > Yes, there it is, thank you! > > P.S.: maybe at least release commits and tags could be signed? > And/or HTTPS access to the repository ... but then i get the gut > feeling that the answer to this will be "use github" or something. > You could grab the release tarballs which have signatures https://www.openssl.org/source/
Re: Congratulations! Missing 3.0.0 tag?
Hello. William Roberts wrote in : |It's there: |https://github.com/openssl/openssl/releases/tag/openssl-3.0.0 | |I checked it out this morning. Oh! I have fetch = +refs/heads/master:refs/remotes/origin/master fetch = +refs/heads/OpenSSL_1_0_2-stable:refs/remotes/origin/OpenSSL_1_0_2-stable fetch = +refs/heads/OpenSSL_1_0_1-stable:refs/remotes/origin/OpenSSL_1_0_1-stable fetch = +refs/heads/OpenSSL_1_1_0-stable:refs/remotes/origin/OpenSSL_1_1_0-stable fetch = +refs/heads/OpenSSL_1_1_1-stable:refs/remotes/origin/OpenSSL_1_1_1-stable and only saw refs/tags/openssl-3.0.0-alpha* and -beta*! I see now via ls-remote there is a new openssl-3.0 branch.. From git://git.openssl.org/openssl * [new branch]openssl-3.0 -> origin/openssl-3.0 * [new tag] openssl-3.0.0 -> openssl-3.0.0 Yes, there it is, thank you! P.S.: maybe at least release commits and tags could be signed? And/or HTTPS access to the repository ... but then i get the gut feeling that the answer to this will be "use github" or something. Ciao! --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Congratulations! Missing 3.0.0 tag?
It's there: https://github.com/openssl/openssl/releases/tag/openssl-3.0.0 I checked it out this morning. On Wed, Sep 8, 2021, 16:32 Steffen Nurpmeso wrote: > Yeah? > :) > > --steffen > | > |Der Kragenbaer,The moon bear, > |der holt sich munter he cheerfully and one by one > |einen nach dem anderen runter wa.ks himself off > |(By Robert Gernhardt) >
Congratulations! Missing 3.0.0 tag?
Yeah? :) --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)