Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
On Tue, Nov 24, 2009 at 10:33:16 -0500, Todd Zullinger wrote: > > What I'm here for is to gather ideas for how to properly go about > building the mingw32-sha256sum and keeping it around so that when I > extract the sha256sum.exe and upload it to fedoraproject.org we will > have the koji built rpm to compare the binary against. Otherwise, the > whole process falls back to "Trust that Todd didn't trojan the > executable." And while I'd be flattered if folks had that much trust > in me, I think it would be unwise to encourage or expect. :) I was thinking about what the gpl requirements are for publishing executables built with mingw are for another project that might be set up on fedorahosted. Since mingw stuff is likely to include staticly linked libraries, I think you need to have pointers to the sources for the versions of all of the included libraries. So while I haven't asked someone about this before, I was thinking that I would probably need to determine the libraries that got linked in and then note the versions that were used to do the build and include links into koji for all of the involved src rpms prominently on the download page. ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
Allen Kistler wrote: > I have the same opinion of signing the page with the hashes. The pages > that list the hashes for F12 are: > > https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM > https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM > > They are PGP-signed using *self-signed* keys listed in: > > https://fedoraproject.org/static/fedora.gpg > > One web page is signed using keys on another web page. So someone > > 1. Downloads the ISOs > 2. Checks the hash vs. the web page > 3. Checks the signature on the web page vs. a key on another web page > 4. Cannot check the key > > Unless you want people to: > > 4. Check the key vs. the one on the ISOs > > which gets circular. > > If we don't trust the page which has the hashes, why do we trust the > page which has the keys more? If someone can alter the ISOs and > then alter the published hashes to hide their tracks, why not alter > the published keys, as well? Ultimately I'm wondering what problem > we're solving by signing the web page in the first place. > > Sign the hash page with a key which descends from a verifiable, > trusted root (even a key signed by the release manager would be > better than self-signed), or don't sign the page. I lean toward not > signing, and IRL I'm a paranoid security guy. To be fair, the *-CHECKSUM files were only added to https://fedoraproject.org/static/checksums/ recently (F-11). And they are still widely available via mirrors and bit torrent. The GPG signatures are quite useful for anyone downloading the CHECKSUM files by those methods. I don't mind that the GPG keys are role keys and are not signed by (m)any other keys (though Jesse has signed some of them in the past). Using SSL to get the keys seems reasonable to me. All trust has to start somewhere. -- ToddOpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ Some of the narrowest minds are found in the fattest heads. -- Anonymous pgpNk2Fd73Pnd.pgp Description: PGP signature ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
Jesse Keating wrote: > Well, if you have to use a tool from the project, to verify other bits > from the project, the verification just became a lot less trusted. If > you don't trust the bits you got from the project, why would you trust > the tool the project gives you to verify the bits? "Here use this tool > to verify our bits. Trust us, we swear!" I have the same opinion of signing the page with the hashes. The pages that list the hashes for F12 are: https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM They are PGP-signed using *self-signed* keys listed in: https://fedoraproject.org/static/fedora.gpg One web page is signed using keys on another web page. So someone 1. Downloads the ISOs 2. Checks the hash vs. the web page 3. Checks the signature on the web page vs. a key on another web page 4. Cannot check the key Unless you want people to: 4. Check the key vs. the one on the ISOs which gets circular. If we don't trust the page which has the hashes, why do we trust the page which has the keys more? If someone can alter the ISOs and then alter the published hashes to hide their tracks, why not alter the published keys, as well? Ultimately I'm wondering what problem we're solving by signing the web page in the first place. Sign the hash page with a key which descends from a verifiable, trusted root (even a key signed by the release manager would be better than self-signed), or don't sign the page. I lean toward not signing, and IRL I'm a paranoid security guy. ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
Jesse Keating wrote: > I agree, I just wanted to point out the catch-22. Heh. I'm sorry if I came off a bit defensive. :) -- ToddOpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ The most overlooked advantage to owning a computer is that if they foul up, there's no law against whacking them around a little. -- Eric Porterfield pgpt9heWoClKy.pgp Description: PGP signature ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
On Tue, 2009-11-24 at 13:06 -0500, Todd Zullinger wrote: > I believe that providing a sha256sum.exe via https://fp.o/ is surely > an improvement over "Download the .iso and hope it works or check it > with some third-party checksum tool that we can't even hope to > verify." I agree, I just wanted to point out the catch-22. -- Jesse Keating Fedora -- Freedom² is a feature! identi.ca: http://identi.ca/jkeating signature.asc Description: This is a digitally signed message part ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
Jeroen van Meeuwen wrote: > The goal is, of course, to verify the .iso against what is listed as > it's sha256sum. Whether the tools ultimately come from the same > source doesn't matter. It should, though, be advisable to not > include the sha246sum.exe on the mirrors, and only serve the file > over http over ssl. Indeed, that's the plan. It would be served up via SSL, just as the GPG keys and *-CHECKSUM files are currently. That way, if someone comes to https://fedoraproject.org/verify, they at least have our SSL certificate as a starting point for trust. -- ToddOpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ Chemistry is applied theology. -- Augustus Owsley Stanley pgp0qos7fFgIc.pgp Description: PGP signature ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
Jesse Keating wrote: > Well, if you have to use a tool from the project, to verify other > bits from the project, the verification just became a lot less > trusted. If you don't trust the bits you got from the project, why > would you trust the tool the project gives you to verify the bits? > "Here use this tool to verify our bits. Trust us, we swear!" At some point, people need to bootstrap. The situation now is that there isn't a well trusted tool on Windows that we can point users to for verifying the *-CHECKSUM files (if you know differently, please let me know). I'd like to improve that by providing a sha256sum.exe that we can provide source code for, just as any decent cryptographic tool should have. I also think it's important to keep in mind that the use for the sha256sum.exe is to verify that the bits they downloaded are intact, not that they have not been altered. To verify authenticity, checking the PGP signature on the *-CHECKSUM file is required. We explain how to do both on https://fedoraproject.org/verify. Many users, especially Windows users, only care about verifying the data's integrity. I believe that providing a sha256sum.exe via https://fp.o/ is surely an improvement over "Download the .iso and hope it works or check it with some third-party checksum tool that we can't even hope to verify." -- ToddOpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ You will rue this day! Well, go on! Start ruing! -- Stewie Griffin pgpolZjsdXIMc.pgp Description: PGP signature ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Is there F11/12 test boxes around?
Thanks for all your help, I can do without F11/12 for a few more days. :) The problems are fixed finally. -- Regards, Susmit. = http://www.fedoraproject.org/wiki/user:susmit = Sent from Calcutta, WB, India ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Is there F11/12 test boxes around?
> AFAIK, pysqlite has moved to googlecode -- if something is redirecting to > pysqlite.org, then that needs to be fixed pysqlite side. In the meantime, > is there a reason that yum install python-sqlite2 doesn't give you what you > need? python-sqlite2 and the libs were there, I had to install pysqlite from source. Now that I have solved it, it now complains about sqlalchemy.exc.ProgrammingError:. I can get it working, that's not the problem, but was looking for a easy solution :) -- Regards, Susmit. = http://www.fedoraproject.org/wiki/user:susmit = Sent from Calcutta, WB, India ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Is there F11/12 test boxes around?
On Tue, Nov 24, 2009 at 10:12:14PM +0530, susmit shannigrahi wrote: > > easy_install -U pysqlite > > is not working for last few hours. > > http://pastebin.com/m343eee84 > Thanks. > AFAIK, pysqlite has moved to googlecode -- if something is redirecting to pysqlite.org, then that needs to be fixed pysqlite side. In the meantime, is there a reason that yum install python-sqlite2 doesn't give you what you need? -Toshio pgpsNeBM1nT35.pgp Description: PGP signature ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
On 11/24/2009 05:25 PM, Jesse Keating wrote: > On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote: >> (I really don't want to maintain the mingw32-sha256sum package for >> Fedora, as it's just a quick and dirty hack to built a small subset of >> of coreutils for Windows.) >> >> Thoughts? > > Well, if you have to use a tool from the project, to verify other bits > from the project, the verification just became a lot less trusted. If > you don't trust the bits you got from the project, why would you trust > the tool the project gives you to verify the bits? "Here use this tool > to verify our bits. Trust us, we swear!" > While this is completely true for, say winxpsp2.iso vs. m$-md5um.exe, mind that the sources to sha256sum.exe are actually available and can be verified on a completely verifiable stack one does already trust (verifiable except for x86 CPU inaccuracy of course). If not the transparency helps to boost the trustworthiness, or if that's not trustworthy enough, then how does one verify a binary rpm actually comes from the source that is shipped alongside with it, not to even mention gnupg shipped by Fedora against RPMs shipped by Fedora. Then, if trust was anything worth being concerned about why would you even need a .exe in the first place? For all you know the OS itself makes the .exe say OK or NOT OK in very, very arbitrary ways you can't verify. The goal is, of course, to verify the .iso against what is listed as it's sha256sum. Whether the tools ultimately come from the same source doesn't matter. It should, though, be advisable to not include the sha246sum.exe on the mirrors, and only serve the file over http over ssl. -- Jeroen ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
On Tue, Nov 24, 2009 at 9:25 AM, Jesse Keating wrote: > On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote: >> Some of you might be aware that the instructions for verifying our >> *-CHECKSUM files on Windows have been broken since we moved to SHA256. >> Previously, we linked users to a sha1sum.exe built by the GnuPG >> project. With SHA256, we don't have that ability. >> >> Fortunately, the good folks working on MingW have made it possible for >> us to build a sha256sum.exe from the coreutils sources. We can do >> this in koji even. (A huge thanks to Richard Jones for his help and >> patches.) >> >> Much of this is discussed at https://bugzilla.redhat.com/527060. >> >> I've created a simple mingw32-sha256sum package, built it in koji and >> tested it on the lone Windows XP system I have readily available. Of >> course, I just built this as a scratch build, so it will expire at >> some point. >> >> What I'm here for is to gather ideas for how to properly go about >> building the mingw32-sha256sum and keeping it around so that when I >> extract the sha256sum.exe and upload it to fedoraproject.org we will >> have the koji built rpm to compare the binary against. Otherwise, the >> whole process falls back to "Trust that Todd didn't trojan the >> executable." And while I'd be flattered if folks had that much trust >> in me, I think it would be unwise to encourage or expect. :) >> >> (I really don't want to maintain the mingw32-sha256sum package for >> Fedora, as it's just a quick and dirty hack to built a small subset of >> of coreutils for Windows.) >> >> Thoughts? > > Well, if you have to use a tool from the project, to verify other bits > from the project, the verification just became a lot less trusted. If > you don't trust the bits you got from the project, why would you trust > the tool the project gives you to verify the bits? "Here use this tool > to verify our bits. Trust us, we swear!" Well giving people the instructions on how to compile this and getting a 'neutral' party to make these for the various Linux distributions would help. Depending on your level of trust, we could ask linux foundation, fsf or heck even micros.. ok scratch that one. But basically we can make our own for the time being and give out plain instructions for people to make them so that they can be replicated. -- Stephen J Smoogen. Ah, but a man's reach should exceed his grasp. Or what's a heaven for? -- Robert Browning ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Is there F11/12 test boxes around?
> easy_install -U pysqlite > is not working for last few hours. http://pastebin.com/m343eee84 Thanks. -- Regards, Susmit. = http://www.fedoraproject.org/wiki/user:susmit = Sent from Calcutta, WB, India ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Is there F11/12 test boxes around?
> Fedora Community is TG2 and it runs on python2.4... Is it a dep of the > particular app that requires a newer python? Nah, the problem I am having is: easy_install -U pysqlite is not working for last few hours. (Download error: (-3, 'Temporary failure in name resolution') -- Some packages may not be found! ) -- Regards, Susmit. = http://www.fedoraproject.org/wiki/user:susmit = Sent from Calcutta, WB, India ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Is there F11/12 test boxes around?
On Tue, Nov 24, 2009 at 09:15:32PM +0530, susmit shannigrahi wrote: > Hi, > > When I try to test TG2 apps on publictest machines, they shout about > python 2.4 and what not. > Is there a spare machine which runs python 2.6? If yes, I could use it. > Thanks. > Fedora Community is TG2 and it runs on python2.4... Is it a dep of the particular app that requires a newer python? -Toshio pgptHRFuEenax.pgp Description: PGP signature ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote: > Some of you might be aware that the instructions for verifying our > *-CHECKSUM files on Windows have been broken since we moved to SHA256. > Previously, we linked users to a sha1sum.exe built by the GnuPG > project. With SHA256, we don't have that ability. > > Fortunately, the good folks working on MingW have made it possible for > us to build a sha256sum.exe from the coreutils sources. We can do > this in koji even. (A huge thanks to Richard Jones for his help and > patches.) > > Much of this is discussed at https://bugzilla.redhat.com/527060. > > I've created a simple mingw32-sha256sum package, built it in koji and > tested it on the lone Windows XP system I have readily available. Of > course, I just built this as a scratch build, so it will expire at > some point. > > What I'm here for is to gather ideas for how to properly go about > building the mingw32-sha256sum and keeping it around so that when I > extract the sha256sum.exe and upload it to fedoraproject.org we will > have the koji built rpm to compare the binary against. Otherwise, the > whole process falls back to "Trust that Todd didn't trojan the > executable." And while I'd be flattered if folks had that much trust > in me, I think it would be unwise to encourage or expect. :) > > (I really don't want to maintain the mingw32-sha256sum package for > Fedora, as it's just a quick and dirty hack to built a small subset of > of coreutils for Windows.) > > Thoughts? Well, if you have to use a tool from the project, to verify other bits from the project, the verification just became a lot less trusted. If you don't trust the bits you got from the project, why would you trust the tool the project gives you to verify the bits? "Here use this tool to verify our bits. Trust us, we swear!" -- Jesse Keating Fedora -- Freedom² is a feature! identi.ca: http://identi.ca/jkeating signature.asc Description: This is a digitally signed message part ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: Is there F11/12 test boxes around?
I hadn't heard of any rebuilds of pt machines to F11 or F12. You might be able to rebuild one machine, but I don't know any free pt boxes that are currently Fedora, the ones I know are free are RHEL. Darren VanBuren - Sent from my iPod Take control of your desktop with Fedora 11. Reign. http://fedoraproject.org/ On Nov 24, 2009, at 7:45, susmit shannigrahi wrote: Hi, When I try to test TG2 apps on publictest machines, they shout about python 2.4 and what not. Is there a spare machine which runs python 2.6? If yes, I could use it. Thanks. -- Regards, Susmit. = http://www.fedoraproject.org/wiki/user:susmit = ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Is there F11/12 test boxes around?
Hi, When I try to test TG2 apps on publictest machines, they shout about python 2.4 and what not. Is there a spare machine which runs python 2.6? If yes, I could use it. Thanks. -- Regards, Susmit. = http://www.fedoraproject.org/wiki/user:susmit = ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
Some of you might be aware that the instructions for verifying our *-CHECKSUM files on Windows have been broken since we moved to SHA256. Previously, we linked users to a sha1sum.exe built by the GnuPG project. With SHA256, we don't have that ability. Fortunately, the good folks working on MingW have made it possible for us to build a sha256sum.exe from the coreutils sources. We can do this in koji even. (A huge thanks to Richard Jones for his help and patches.) Much of this is discussed at https://bugzilla.redhat.com/527060. I've created a simple mingw32-sha256sum package, built it in koji and tested it on the lone Windows XP system I have readily available. Of course, I just built this as a scratch build, so it will expire at some point. What I'm here for is to gather ideas for how to properly go about building the mingw32-sha256sum and keeping it around so that when I extract the sha256sum.exe and upload it to fedoraproject.org we will have the koji built rpm to compare the binary against. Otherwise, the whole process falls back to "Trust that Todd didn't trojan the executable." And while I'd be flattered if folks had that much trust in me, I think it would be unwise to encourage or expect. :) (I really don't want to maintain the mingw32-sha256sum package for Fedora, as it's just a quick and dirty hack to built a small subset of of coreutils for Windows.) Thoughts? -- ToddOpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ Courage is not the absence of fear, but rather the judgment that something else is more important than fear. -- Ambrose Redmoon pgpbkAbsVJEW5.pgp Description: PGP signature ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: introduction
hey Toshio, thank you very much. I'll join the whiteboarding project regards, pablomar On Mon, Nov 23, 2009 at 9:53 PM, Toshio Kuratomi wrote: > On Sat, Nov 21, 2009 at 03:08:06PM -0500, pablomar wrote: > > hi guys, > > > > my name is pablo martinez, I've been using fedora at home since version 3 > > I'm C/C++ and Java programmer and I did a little of python some years ago > (I > > still use it for small things). I've also worked with Oracle and Pro*C > > I want to collaborate as much as I can > > > Welcome! > > We do a fair amount of coding in Fedora Infrastructure creating web > applications for the project. Most of that work is done in python. We're > using the TurboGears1 and TurboGears2 frameworks for those. If you're > interested in that we can help get you started. > > If you're more interested in doing some work in C++, there's a few upstream > projects that would definitely benefit Fedora for getting some attention. > > For instance, we have been wanting to get a good open source whiteboarding > tool working with Fedora so that we can make mockups, create diagrams, and > make use of other pictorial things during meetings. Inkscape has the > beginnings of a plugin but it needs someone to work on it to actually make > it actually work. If you're interested in that, the upstream developers > are > quite interested in getting some help and one of the devs is willing to > help > get someone up to speed on what needs to be done: > > Blog post on getting the whiteboard plugin worked on: > http://www.advogato.org/person/badger/diary/82.html > > The KDE SIG is another Fedora group that is in need of C++ coders. Right > now we have a good group of KDE packagers but having a few more coders will > let them work more closely on any bugs that occur and also help drive > features upstream. If you use the KDE desktop, they'd be very happy to > hear > from more coders: > https://fedoraproject.org/wiki/SIGs/KDE > > -Toshio > > ___ > Fedora-infrastructure-list mailing list > Fedora-infrastructure-list@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list > > ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
