
List:       kde-devel
Subject:    Re: Should we stop distributing source tarballs?
From:       Ben Cooksley <bcooksley () kde ! org>
Date:       2024-04-04 11:07:42
Message-ID: CA+XidOFGv4-r2PAo50gHJOH59W+q9tVwa1z89Jx=zEYpdqJ_oA () mail ! gmail ! com

On Thu, Apr 4, 2024 at 10:48 PM Sune Vuorela <nospam@vuorela.dk> wrote:

> On 2024-04-03, Albert Vaca Cintora <albertvaka@gmail.com> wrote:
> > What's the advantage of providing tarballs?
>
> I do think there is an advantage in being able to verify that the source
> tarball is the same across distributions. Using a checksum on the
> tarball is an easy way of doing it. Different git invocations for git
> archive, different tar options and so on can create different checksums
> for the same content.
>

For those wondering, for all content served by download.kde.org and
files.kde.org, you can fetch a sha256 hash of the file in question by just
appending ".sha256" to the URL in question.
See
https://download.kde.org/stable/release-service/24.02.1/src/okular-24.02.1.tar.xz.sha256
for instance.

These won't show up in the file listings, and are not files that are
provided to mirrors - they are provided by our mirror management system
(Mirrorbits) directly.

As an additional aside - we don't currently GPG sign our Git tags, so there
is nothing validating that the person who made the release is actually the
person whose name is on it.
With GPG signatures we can at least validate who owns the key.


>
> I do also think it is nice if we get someone else to verify that the
> tarball we ship actually matches the tag. I think some people in
> distributions have already started looking into verifying that.
>

Hopefully they'll be gentle with tooling that does this?


>
> Also, git tags can be moved.
>
> /Sune
>
>
Cheers,
Ben
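The two points in the message above are (a) checking a downloaded tarball against the ".sha256" sidecar, and (b) Sune's observation that the same source tree packed with different tar options yields different checksums. The following is an added illustration and not code from the KDE thread or from KDE's release tooling. It builds two in-memory tar archives of a constructed sample tree that differ only in entry mtime, verifies one against a sha256sum-style sidecar, and shows that a content-level digest (sorted path/bytes pairs, metadata ignored) still agrees. The sidecar layout `<hex>  <filename>` and the `okular-sample` file names are assumptions made for this example, not facts taken from download.kde.org.

```python
"""Added example (not from the KDE list thread): verify a source tarball against
a ".sha256" sidecar and show why equal content can still give unequal checksums."""
import hashlib
import hmac
import io
import tarfile

# Constructed sample source tree; the names are invented for this example.
SAMPLE_TREE = {
    "okular-sample/README": b"Sample project\n",
    "okular-sample/src/main.cpp": b"int main() { return 0; }\n",
}


def build_tarball(files, mtime):
    """Build an uncompressed tar archive in memory from a {name: bytes} mapping.
    `mtime` is stamped on every entry: one of the tar knobs that changes the
    archive bytes (and so the checksum) without changing the content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_sidecar(data, filename):
    """Sidecar text in sha256sum(1) layout: '<hex>  <name>'.
    (Assumption: this is the layout of the .sha256 files discussed above.)"""
    return f"{sha256_hex(data)}  {filename}\n"


def parse_sidecar(text):
    """Parse sha256sum-style lines into {filename: hex}. A leading '*'
    (binary-mode marker) is tolerated; malformed lines raise ValueError."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed sha256 line: {line!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest in line: {line!r}")
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_tarball(data, filename, sidecar_text):
    """True if `data` matches the digest the sidecar lists for `filename`.
    Unknown filenames fail closed rather than being skipped."""
    expected = parse_sidecar(sidecar_text)
    if filename not in expected:
        return False
    return hmac.compare_digest(expected[filename], sha256_hex(data))


def content_digest(tar_bytes):
    """Digest over content only: sorted (path, bytes) pairs, ignoring tar
    metadata such as mtime, uid or member order. Two archives of the same
    tree agree here even when their raw sha256 differs."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        for m in sorted(members, key=lambda m: m.name):
            blob = tar.extractfile(m).read()
            h.update(m.name.encode() + b"\0" + len(blob).to_bytes(8, "big") + blob)
    return h.hexdigest()


def demo():
    """Pack the same tree twice with different mtimes and compare both ways."""
    a = build_tarball(SAMPLE_TREE, mtime=1_700_000_000)
    b = build_tarball(SAMPLE_TREE, mtime=1_700_000_001)  # same tree, mtime differs
    sidecar = make_sidecar(a, "okular-sample.tar")
    return {
        "raw_hashes_equal": sha256_hex(a) == sha256_hex(b),   # False
        "content_equal": content_digest(a) == content_digest(b),  # True
        "a_verifies": verify_tarball(a, "okular-sample.tar", sidecar),  # True
        "b_verifies": verify_tarball(b, "okular-sample.tar", sidecar),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The raw-bytes check is what a downstream packager gets from fetching the ".sha256" URL and running `sha256sum -c` against it; the content digest is the kind of comparison a distribution would need when asking whether a shipped tarball "actually matches the tag" despite differing tar options. Neither check says anything about who produced the tarball or moved the tag, which is the gap the message attributes to unsigned Git tags.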
