From: Ludovic Courtès
Newsgroups: gmane.lisp.guile.devel
Subject: Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)
Date: Sun, 16 Jun 2019 23:23:05 +0200
Message-ID: <87a7eh6x8m.fsf@gnu.org>
References: <87d0jrp0g3.fsf@gnu.org> <87sgsa2co4.fsf@netris.org>
In-Reply-To: <87sgsa2co4.fsf@netris.org> (Mark H. Weaver's message of "Sun, 16 Jun 2019 03:48:16 -0400")
To: Mark H Weaver
Cc: Andy Wingo, guile-devel

Hi Mark,

Mark H Weaver writes:

> Ludovic Courtès writes:
>
>> What would you think of releasing ‘stable-2.2’ as 2.2.5?
>
> I think it's a fine idea.

Awesome. We’ll have to update NEWS; I can give it a go, but if you could
add bullet items for the things you’ve worked on, that’d be great.

>> It’s great if you can do it, Mark, but otherwise I can do it.
>
> Regrettably, Guile 2.2 has become too heavy to build on the only machine
> in my possession that I have any trust in. I don't have a machine that
> I consider sufficiently trustworthy to produce build outputs for wider
> distribution. I'm not sure that any of us do.

Note that “make dist” is rather inexpensive; “distcheck” is much more
expensive though, but maybe avoidable for a minor release tarball.

> To mitigate the risk that a compromised development machine could be
> used to attack others, I propose that we adopt a practice of distributed
> verification of release tarballs. We would publish code that uses Guix
> to produce the release tarball deterministically, and put out a call for
> volunteers to generate the tarball and post signed declarations
> containing the hash of the resulting tarball. After we have received
> several such declarations, we can sign and publish the official tarball.

I don’t think this should block 2.2.5, but I think it’s an idea we should
explore.

One issue is that “make dist” is non-deterministic because the archive
contains timestamps; I’m sure there are other sources of non-determinism
though, because “make dist” was not designed with that in mind.

The non-source byproducts in release tarballs are: the pre-built .go
files (which are optional), psyntax-pp.scm, and then Info files and all
the autotools machinery. Are these those you had in mind?

Thoughts?

Ludo’.
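As an added illustration (not code from the thread or from Guile/Guix), the two mechanics the proposal depends on: an archive whose bytes depend only on file contents (fixed mtime, owner, mode and entry order, plus a zeroed gzip header timestamp, the kind of thing "make dist" leaves to the build host) and a quorum check over the volunteers' hash declarations. It assumes signature verification of each declaration (e.g. with GPG) has already been done; signer names and file contents are constructed.

```python
import gzip
import hashlib
import io
import tarfile


def deterministic_tarball(files, mtime=0):
    """Build a .tar.gz whose bytes depend only on `files` ({name: bytes}).
    Entry order, mtime, uid/gid/owner names, mode and the gzip header
    timestamp are all pinned; otherwise two honest volunteers would hash
    different archives for identical sources."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):  # directory order is host-specific
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=0)  # gzip also stores a time


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def volunteer_declaration(signer, files):
    """What each volunteer publishes: (signer, hash of their own build)."""
    return (signer, sha256_hex(deterministic_tarball(files)))


def agreed_hash(declarations, quorum):
    """Return the hash the release may be signed with, or None.
    `declarations` are (signer, hash) pairs whose signatures already
    verified. Needs `quorum` distinct signers and refuses if any signer
    reports a different hash: one dissenting build (compromise or
    non-reproducibility) is exactly what the scheme exists to surface."""
    signers_by_hash = {}
    for signer, digest in declarations:
        signers_by_hash.setdefault(digest, set()).add(signer)
    if len(signers_by_hash) != 1:
        return None
    digest, signers = next(iter(signers_by_hash.items()))
    return digest if len(signers) >= quorum else None
```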