unofficial mirror of guix-devel@gnu.org 
From: Jason Self <jason@bluehome.net>
To: Vagrant Cascadian <vagrant@reproducible-builds.org>
Cc: guix-devel@gnu.org
Subject: Re: Linux-libre git repository
Date: Thu, 13 Aug 2020 17:03:58 -0700
Message-ID: <20200813170358.0bc41b92@pc>
In-Reply-To: <87wo22bihy.fsf@ponder>


On Thu, 13 Aug 2020 09:47:21 -0700
Vagrant Cascadian <vagrant@reproducible-builds.org> wrote:

> It is also possible to retrieve tarballs directly from linux-libre git
> tags, though I know at least for projects hosted on github this does
> occasionally result in non-identical tarballs. Not sure what factors
> might trigger this, other than changing tags, but possibly different
> git versions, tar versions and flags, and compression tool versions
> and optimizations could be a factor. Reproducible builds has
> documented some potential causes:

Adding in compression changes this because, for just one example,
compression details can change between versions of compressors.

Assuming that there is no compression and there aren't changes in the
underlying git repository, and assuming that git archive is invoked with
precisely the same parameters each time, git archive is supposed to
generate bit-identical tarballs between different platforms/versions of
git (it's considered a bug if it doesn't).

Indeed, the Linux stable tree takes advantage of this reproducibility by
adding a GPG signature for the uncompressed tarballs as a git note under
refs/notes/signatures/tar. The signature also includes a comment
with the precise command to regenerate the uncompressed tarball with
git archive. This then makes it possible to verify a GPG signature of an
uncompressed tarball that way. An example is [0]. cgit automatically
adds the (sig) link when the corresponding git note is added in
refs/notes/signatures/tar but they can also be accessed directly from
within git.

I found that useful after learning that GPG signatures within git itself
"only validate the commit file contents up to the SHA-1 of the top level
tree, it's not a GPG signature of the entire tree state. This means that a
SHA-1 collision on the tree object, or any blob object, still results
in a valid GPG signature."

It seemed to be a neat way to sidestep the whole matter of SHA-1 falling
apart, at least until git moves on to SHA-2 at some as-yet-unknown
future point.

Anyway, the Linux-libre git repository similarly contains GPG
signatures for the uncompressed tarballs, but as tags, not as a git note;
either way the outcome is the same.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/refs/notes/signatures/tar
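The properties the message relies on can be checked on a throwaway repository. The script below is an added example, not part of this thread and not tooling from the Linux or Linux-libre projects. It assumes a tag named v1.0, an archive prefix of project-v1.0/, and that git and sha256sum are installed; in place of the GPG signature the stable tree stores under refs/notes/signatures/tar it records a constructed plain-text note holding only the regeneration command and a SHA-256 digest, so it runs offline without gpg. It shows that git archive of the same tag with the same parameters gives the same bytes from the repository and from a fresh clone, that a note under that ref can be read back and checked against a regenerated archive, and that the commit object names its tree by SHA-1 alone, which is the limit of what a commit signature covers.

```shell
#!/bin/sh
# Added example (not from this thread or from the Linux/Linux-libre projects).
# Assumptions: tag v1.0, prefix project-v1.0/, git and sha256sum available.
# The note stored under refs/notes/signatures/tar is a constructed stand-in
# (command + SHA-256 digest); the Linux stable tree stores a GPG signature there.
set -eu

TAG=v1.0                      # assumed tag name
PREFIX="project-$TAG/"        # assumed archive prefix

# Build a throwaway repository with one constructed file and an annotated tag.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "example@example.invalid"
  git -C "$dir" config user.name "Example Tagger"
  printf 'constructed sample content\n' > "$dir/README"
  git -C "$dir" add README
  git -C "$dir" commit -q -m "constructed initial commit"
  git -C "$dir" tag -a "$TAG" -m "constructed tag"
  echo "$dir"
}

# The regeneration command, spelled out once so the note and the check agree.
archive_cmd() {
  echo "git archive --format=tar --prefix=$PREFIX $TAG"
}

# Produce the uncompressed tarball for repository $1 and return its SHA-256.
# No compressor is involved, so compressor versions cannot change the bytes.
archive_digest() {
  git -C "$1" archive --format=tar --prefix="$PREFIX" "$TAG" | sha256sum | cut -d' ' -f1
}

# Attach the command and digest ($2) as a note on the tagged commit, under the
# same ref the stable tree uses for its tarball signatures.
record_note() {
  note=$(printf '%s\nsha256: %s\n' "$(archive_cmd)" "$2")
  git -C "$1" notes --ref=refs/notes/signatures/tar add -f -m "$note" "$TAG^{commit}"
}

# Read the note back, regenerate the archive and compare digests.
# Returns non-zero when the note is missing or the archive differs.
verify_against_note() {
  recorded=$(git -C "$1" notes --ref=refs/notes/signatures/tar show "$TAG^{commit}" \
    | sed -n 's/^sha256: //p')
  [ -n "$recorded" ] && [ "$recorded" = "$(archive_digest "$1")" ]
}

# The tree id named by the commit object: a GPG signature on the commit signs
# this SHA-1, not the tree or blob contents themselves.
commit_tree_line() {
  git -C "$1" cat-file -p "$TAG^{commit}" | sed -n '1s/^tree //p'
}

# Stand-alone run: same digest from the repository and from a fresh clone.
main() {
  repo=$(make_repo)
  clone=$(mktemp -d)
  git clone -q "$repo" "$clone"
  d1=$(archive_digest "$repo")
  d2=$(archive_digest "$clone")
  [ "$d1" = "$d2" ] && echo "archive reproducible across clones: $d1"
  record_note "$repo" "$d1"
  verify_against_note "$repo" && echo "archive matches note under refs/notes/signatures/tar"
  echo "commit names its tree only by id: $(commit_tree_line "$repo")"
  rm -rf "$repo" "$clone"
}

main "$@"
```

For a real release the note would be the armored GPG signature over the tarball bytes, and the check would pipe the regenerated archive into gpg --verify with that signature instead of comparing digests; the command recorded in the note is what makes regenerating the exact same bytes possible.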

Thread overview: 17+ messages
2020-08-09 20:15 Linux-libre 5.8 and beyond Jason Self
2020-08-13  0:39 ` Mark H Weaver
2020-08-13 16:47   ` Linux-libre git repository Vagrant Cascadian
2020-08-14  0:03     ` Jason Self [this message]
2020-08-14 14:03     ` Danny Milosavljevic
2020-08-14 13:47   ` Linux-libre 5.8 and beyond Alexandre Oliva
2020-08-15  6:03     ` Mark H Weaver
2020-08-16  1:24       ` Mark H Weaver
2020-08-16 12:43         ` Jason Self
2020-08-16 10:54       ` Jason Self
2020-08-24  3:45       ` Alexandre Oliva
2020-08-25  4:14         ` Mark H Weaver
2020-08-25 11:12           ` Alexandre Oliva
2020-08-24  3:58       ` Alexandre Oliva
2020-08-24  4:12       ` Alexandre Oliva
2020-08-24  4:34       ` Alexandre Oliva
2020-08-24  4:42       ` Alexandre Oliva