Date: Sun, 16 Aug 2020 05:43:54 -0700
From: Jason Self
To: Mark H Weaver
Cc: guix-devel@gnu.org
Subject: Re: Linux-libre 5.8 and beyond

On Sat, 15 Aug 2020 21:24:08 -0400 Mark H Weaver wrote:

> Hi Alexandre,
>
> I thought about it some more, and I've changed my mind on one point:
> I've decided that for future kernel updates, in order to eliminate the
> risk of unintentionally allowing blobs into Guix, I will either wait
> for Linux-libre to publish updated deblob scripts, or else I will
> manually check for new blobs.

This can be determined by checking for the availability of the new kernel version in git. The git repository is updated first, prior to tarballs being created so I assume you'd want to be looking there given that speed of updates seems important. If the new kernel version appears without a corresponding script update then you can know that no script updates were determined to be necessary.

Wouldn't a better setup be to obtain the desired kernel version from Linux-libre, obtain the desired kernel version from kernel.org, independently run the clean-up scripts, and then toss out the results from kernel.org once the source code is determined to be identical?* I mean, if you're already willing to wait until the analysis of whether updated cleanup scripts are needed or not has been done, then you're already at the point of the Linux-libre kernel source code being available too because once that determination is made, any updated scripts and the corresponding kernel source code are pushed into git simultaneously.

Confirming if the results you get from the cleanup scripts are the same is helpful all around. It is not necessary to trust the Linux-libre project infrastructure because you're also verifying the integrity, and it also gets you access to the double verification steps that are done which check that the version does in fact correspond to the upstream version plus the changes that Linux-libre made, and that it also corresponds to the previous release plus the incremental patches.

* As a disclaimer there may be one difference in that the clean-up scripts will in some cases delete all of the files in a directory while leaving the directory itself in place. Git doesn't track empty directories and so diffing of the entire kernel source code would reveal that. The diff should otherwise report everything to be identical.
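
The comparison step described in the message, as an added example that is not part of the original message or of either project's tooling: it checks that two source trees hold identical file content while treating the empty directories mentioned in the footnote as an expected, non-failing difference. The function names are hypothetical, and the two arguments are assumed to be a Linux-libre git checkout and a kernel.org tree cleaned locally.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GNU find/coreutils.
# Compares two source trees by content; file modes are not compared.

# Print "<sha256>  <path>" per regular file and "link:<target>  <path>" per
# symlink under $1, sorted by path. .git is skipped (only one tree is a git
# checkout). Directories are never listed, so empty ones cannot mismatch.
manifest() {
    (
        cd "$1" || exit 2
        {
            find . -name .git -prune -o -type f -exec sha256sum {} +
            find . -name .git -prune -o -type l -exec sh -c \
                'for l; do printf "link:%s  %s\n" "$(readlink "$l")" "$l"; done' sh {} +
        } | LC_ALL=C sort -k 2
    )
}

# List empty directories under $1: what the clean-up scripts can leave behind
# and git does not track.
empty_dirs() {
    (
        cd "$1" || exit 2
        find . -name .git -prune -o -type d -empty -print | LC_ALL=C sort
    )
}

# compare_trees A B: return 0 if both trees hold the same files with the same
# content, 1 if they differ, 2 on error. Differences are printed as a diff of
# the manifests; empty directories on one side only are reported, not failed.
compare_trees() {
    tmp=$(mktemp -d) || return 2
    if ! { manifest "$1" > "$tmp/a" && manifest "$2" > "$tmp/b"; }; then
        rm -rf "$tmp"; return 2
    fi
    rc=0
    diff -u "$tmp/a" "$tmp/b" || rc=1
    empty_dirs "$1" > "$tmp/ea"
    empty_dirs "$2" > "$tmp/eb"
    LC_ALL=C comm -3 "$tmp/ea" "$tmp/eb" |
        sed 's/^[[:space:]]*/note: empty directory in one tree only: /'
    rm -rf "$tmp"
    return "$rc"
}
```

A non-zero status from `compare_trees` means the locally cleaned tree and the published one disagree on at least one file, and the printed manifest diff names it.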