From: Mark H Weaver
Newsgroups: gmane.lisp.guile.devel
Subject: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)
Date: Sun, 16 Jun 2019 03:48:16 -0400
Message-ID: <87sgsa2co4.fsf@netris.org>
References: <87d0jrp0g3.fsf@gnu.org>
In-Reply-To: <87d0jrp0g3.fsf@gnu.org> (Ludovic Courtès's message of "Thu, 06 Jun 2019 10:44:44 +0200")
To: Ludovic Courtès
Cc: Andy Wingo, guile-devel
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)

Hi Ludovic,

Ludovic Courtès writes:

> What would you think of releasing ‘stable-2.2’ as 2.2.5?

I think it's a fine idea.

> It’s great if you can do it, Mark, but otherwise I can do it.

Regrettably, Guile 2.2 has become too heavy to build on the only machine in my possession that I have any trust in. I don't have a machine that I consider sufficiently trustworthy to produce build outputs for wider distribution. I'm not sure that any of us do.

To mitigate the risk that a compromised development machine could be used to attack others, I propose that we adopt a practice of distributed verification of release tarballs. We would publish code that uses Guix to produce the release tarball deterministically, and put out a call for volunteers to generate the tarball and post signed declarations containing the hash of the resulting tarball. After we have received several such declarations, we can sign and publish the official tarball.

What do you think?

      Mark
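The maintainer-side half of the procedure Mark proposes, as an added example that is not part of the original message nor code from the Guile or Guix projects: volunteers build the tarball with Guix and publish a GPG-clearsigned declaration naming the tarball and its SHA-256; the maintainer verifies each signature, tallies the hashes by distinct signer, and only signs and publishes once at least a threshold of signers agree on one hash and nobody dissents. The two-line declaration format, the signer labels standing in for OpenPGP fingerprints, the threshold of three, and the release bytes are all assumptions constructed for this example. The `gpg` invocation parses gpg's real `[GNUPG:] VALIDSIG` status line but is not exercised offline.

```python
"""Tally signed build attestations before publishing a release tarball.

Added example modelling the proposal above (not Guile's or Guix's own code).
Assumed declaration format, signed with `gpg --clearsign` by each volunteer:

    tarball: guile-2.2.5.tar.gz
    sha256: <64 hex digits>
"""
import hashlib
import re
import subprocess
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Attestation:
    signer: str    # fingerprint of the key that made the signature
    tarball: str   # file name the volunteer claims to have built
    sha256: str    # hex digest the volunteer observed


@dataclass(frozen=True)
class Verdict:
    ok: bool                 # safe to sign and publish?
    sha256: Optional[str]    # hash the (plurality of) consistent signers agree on
    agreeing: List[str]      # signers who attested that hash
    dissenting: List[str]    # signers who attested something else, or contradicted themselves


DECL_RE = re.compile(r"^(tarball|sha256):\s*(\S+)\s*$", re.MULTILINE)


def parse_declaration(body: str, signer: str) -> Attestation:
    """Parse the assumed 'tarball:' / 'sha256:' declaration body for a verified signer."""
    fields = dict(DECL_RE.findall(body))
    if set(fields) != {"tarball", "sha256"}:
        raise ValueError("declaration must contain exactly tarball: and sha256: lines")
    digest = fields["sha256"].lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("sha256 field is not a 64-hex-digit digest")
    return Attestation(signer=signer, tarball=fields["tarball"], sha256=digest)


def verified_signer(path: str) -> str:
    """Return the fingerprint of a good signature on a clearsigned file, via gpg.

    gpg emits '[GNUPG:] VALIDSIG <fingerprint> ...' on --status-fd for any good
    signature by a key in the keyring, trusted or not; keep the keyring limited to
    the volunteers you invited (or also require a TRUST_FULLY/TRUST_ULTIMATE line).
    """
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True, check=False)
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2]
    raise ValueError(f"no valid signature on {path}")


def tally(attestations: Iterable[Attestation], threshold: int,
          allow_dissent: bool = False) -> Verdict:
    """Count distinct signers per hash. A signer counts once however many
    declarations they posted; a signer who posted two different hashes is
    dissenting. Any dissent blocks by default: it means the build is not
    reproducible or some builder is compromised, and must be investigated."""
    by_signer = defaultdict(set)
    tarballs = set()
    for a in attestations:
        by_signer[a.signer].add(a.sha256)
        tarballs.add(a.tarball)
    if len(tarballs) > 1:
        raise ValueError(f"declarations name different tarballs: {sorted(tarballs)}")
    consistent = {s: next(iter(h)) for s, h in by_signer.items() if len(h) == 1}
    counts = Counter(consistent.values())
    if not counts:
        return Verdict(False, None, [], sorted(by_signer))
    winner, n = counts.most_common(1)[0]
    agreeing = sorted(s for s, h in consistent.items() if h == winner)
    dissenting = sorted(s for s in by_signer if consistent.get(s) != winner)
    ok = n >= threshold and (allow_dissent or not dissenting)
    return Verdict(ok, winner, agreeing, dissenting)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ready_to_publish(verdict: Verdict, tarball_bytes: bytes) -> bool:
    """Final gate: the bytes about to be signed must be exactly what the
    volunteers attested, not merely another build of the same release."""
    return verdict.ok and sha256_of(tarball_bytes) == verdict.sha256


# Constructed sample input: the "release" is a stand-in byte string, and the
# signer labels stand in for 40-hex-digit OpenPGP fingerprints.
RELEASE_BYTES = b"guile-2.2.5.tar.gz (constructed release contents)"
GOOD = sha256_of(RELEASE_BYTES)
BAD = sha256_of(b"tampered build output")
SAMPLE_DECLARATIONS = [
    ("alice-fpr", f"tarball: guile-2.2.5.tar.gz\nsha256: {GOOD}\n"),
    ("bob-fpr", f"tarball: guile-2.2.5.tar.gz\nsha256: {GOOD}\n"),
    ("carol-fpr", f"tarball: guile-2.2.5.tar.gz\nsha256: {GOOD}\n"),
]

if __name__ == "__main__":
    atts = [parse_declaration(body, signer) for signer, body in SAMPLE_DECLARATIONS]
    print(tally(atts, threshold=3))
    print("publish:", ready_to_publish(tally(atts, threshold=3), RELEASE_BYTES))
```

In practice each volunteer would first run `guix build --rounds=2` on the published build recipe so that Guix rebuilds the output and fails if the two rounds differ, then hash the resulting tarball and clearsign the declaration; the maintainer runs `verified_signer` on every posted file before feeding it to `parse_declaration`, so an unsigned or forged declaration never reaches the tally.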