From: "Ludovic Courtès" <ludo@gnu.org>
To: Mark H Weaver <mhw@netris.org>
Cc: Andy Wingo <wingo@igalia.com>, guile-devel <guile-devel@gnu.org>
Subject: Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)
Date: Sun, 16 Jun 2019 23:23:05 +0200 [thread overview]
Message-ID: <87a7eh6x8m.fsf@gnu.org> (raw)
In-Reply-To: <87sgsa2co4.fsf@netris.org> (Mark H. Weaver's message of "Sun, 16 Jun 2019 03:48:16 -0400")
Hi Mark,
Mark H Weaver <mhw@netris.org> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>> What would you think of releasing ‘stable-2.2’ as 2.2.5?
>
> I think it's a fine idea.
Awesome. We’ll have to update NEWS; I can give it a go, but if you
could add bullet items for the things you’ve worked on, that’d be great.
>> It’s great if you can do it, Mark, but otherwise I can do it.
>
> Regrettably, Guile 2.2 has become too heavy to build on the only machine
> in my possession that I have any trust in. I don't have a machine that
> I consider sufficiently trustworthy to produce build outputs for wider
> distribution. I'm not sure that any of us do.
Note that “make dist” is rather inexpensive; “distcheck” is much more
expensive though, but maybe avoidable for a minor release tarball.
> To mitigate the risk that a compromised development machine could be
> used to attack others, I propose that we adopt a practice of distributed
> verification of release tarballs. We would publish code that uses Guix
> to produce the release tarball deterministically, and put out a call for
> volunteers to generate the tarball and post signed declarations
> containing the hash of the resulting tarball. After we have received
> several such declarations, we can sign and publish the official tarball.
I don’t think this should block 2.2.5, but I think it’s an idea we
should explore.
One issue is that “make dist” is non-deterministic because the archive
contains timestamps; I’m sure there of other sources of non-determinism
though, because “make dist” was not designed with that in mind.
The non-source byproducts in release tarballs are: the pre-built .go
files (which are optional), psyntax-pp.scm, and then Info files and all
the autotools machinery. Are these those you had in mind?
Thoughts?
Ludo’.
next prev parent reply other threads:[~2019-06-16 21:23 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-06 8:44 Releasing 2.2.5? Ludovic Courtès
2019-06-06 8:56 ` Nala Ginrut
2019-06-06 16:48 ` Mike Gran
2019-06-16 7:48 ` Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?) Mark H Weaver
2019-06-16 21:23 ` Ludovic Courtès [this message]
2019-06-16 22:17 ` Mark H Weaver
2019-06-17 8:44 ` Ludovic Courtès
2019-06-19 2:48 ` Mark H Weaver
2019-06-20 10:54 ` Ludovic Courtès
2019-06-20 21:53 ` Mark H Weaver
2019-06-21 9:27 ` Neil Jerram
2019-07-25 4:15 ` Rob Browning
2019-07-25 8:58 ` Ricardo Wurmus
2019-07-25 15:26 ` Rob Browning
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a7eh6x8m.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guile-devel@gnu.org \
--cc=mhw@netris.org \
--cc=wingo@igalia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).