[PATCH] gnu: add libglade

2014-02-28 Thread ggrant
Hoping to gradually get back into packaging some stuff of interest. Here's
libglade for now; if anything looks wrong, be sure to let me know. :^)




Re: Signed archives (preliminary patch)

2014-02-28 Thread Mark H Weaver
l...@gnu.org (Ludovic Courtès) writes:

 The difficulty here will be to compute the hash up to the Signature
 field.  To do that, ‘read-narinfo’ should probably:

   1. read everything from PORT with ‘get-string-all’ in a string (make
  sure PORT’s encoding is UTF-8);

   2. isolate the lines before the ^[[:blank:]]*Signature[[:blank:]]:
  line;

   3. compute the hash of those lines;

   4. do (fields-alist (open-input-string the-whole-string));

   5. pass the hash to the signature verification procedure.

 Does that make sense?

Apologies in advance if I'm failing to understand, but I'm concerned
about bundling a single principal signature into the narinfo file.
Not only does it cause the complications discussed above, but more
importantly, it seems to introduce an architectural bias toward an
authentication scheme where everyone is encouraged to place their
trust in a single centralized build system.

How do you envision the transition from this single-signature
architecture to one where other users and/or independent build farms
can add their signatures to hydra?  Will those signatures be treated
differently than the signatures created by hydra.gnu.org?  Will they
be stored and sent to users using a different mechanism?

Regards,
  Mark



Re: [PATCH] gnu: add libglade

2014-02-28 Thread Ludovic Courtès
ggr...@riseup.net skribis:

 +(define-public libglade
 +  (package
 +(name libglade)
 +(version 2.6.4)
 +(source (origin
 + (method url-fetch)
 + (uri (string-append
 +   
 http://ftp.gnome.org/pub/GNOME/sources/libglade/2.6/libglade-;
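Review bot: the `uri` in this hunk hard-codes a single plain-HTTP host, `http://ftp.gnome.org/pub/GNOME/sources/libglade/2.6/libglade-`; Guix's `mirror://gnome/sources/libglade/2.6/libglade-` form lets the downloader fall back across GNOME mirrors, and the quoted lines stop before the rest of the `origin`, so make sure the `sha256` is there, since that is what actually pins the tarball whichever host served it. Given the question below about Glade 3.8, a `synopsis`/`description` stating that this is the GTK+ 2 runtime library rather than the Glade 3 designer would settle that in the file itself.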

There’s Glade 3.8 in gnome.scm; is it a different thing?

Thanks,
Ludo’.



Re: Signed archives (preliminary patch)

2014-02-28 Thread Nikita Karetnikov
 How do you envision the transition from this single-signature
 architecture to one where other users and/or independent build farms
 can add their signatures to hydra?  Will those signatures be treated
 differently than the signatures created by hydra.gnu.org?  Will they
 be stored and sent to users using a different mechanism?

Let’s not get ahead of ourselves.  The “single signature” solution is
far from being perfect, but it’s way better than nothing.  I suspect
that the “web of trust” thing would require a lot of effort.  So I
propose to postpone that until we implement the former since a bird in
the hand is worth two in the bush.  Even though that bird would be an
obvious target for an attacker.




Re: [PATCH] gnu: add libglade

2014-02-28 Thread ggrant
 ggr...@riseup.net skribis:

 +(define-public libglade
 +  (package
 +(name libglade)
 +(version 2.6.4)
 +(source (origin
 + (method url-fetch)
 + (uri (string-append
 +
 http://ftp.gnome.org/pub/GNOME/sources/libglade/2.6/libglade-;

 There’s Glade 3.8 in gnome.scm; is it a different thing?

 Thanks,
 Ludo’.


Yeah, I believe it's different. This is for GTK+2.x, not 3.x. It's mostly
deprecated, but still used in a number of places that have yet to upgrade
to it (GTK+3).




Re: Signed archives (preliminary patch)

2014-02-28 Thread Nikita Karetnikov
 There’s an important check missing here: the code verifies that BODY* is
 a valid signature, but it doesn’t check whether what it signs
 corresponds to this narinfo up to but excluding the ‘Signature’ field.

Oh, indeed.

   5. pass the hash to the signature verification procedure.

Then, it should extract the other hash from the Signature line, compare
the hashes, and run the rest of the checks, right?

 +(Signature . ,(lambda (narinfo)
 +  (let ((sig (narinfo-signature 
 narinfo)))
 +(string-append
 + (number-string (signature-version 
 sig))
 + ;
 + (signature-key-id sig)
 + ;
 + (base64-encode
 +  ;; XXX: Can we assume UTF-8 here?
 +  (string-utf8
 +   (canonical-sexp-string
 +(signature-body sig)
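Review bot: the `Signature` writer in this hunk rebuilds the field from its parsed parts (the version via `number-string`, `signature-key-id`, and a base64 of `canonical-sexp-string` of `signature-body`), so what gets written can differ byte-for-byte from the Signature line that was originally signed and served; keep the original Signature string in the narinfo record and emit it verbatim, which is also what allows a client to hash the text up to that line and compare it with the signed hash. As quoted, `number-string` and `string-utf8` read as though the `->` was lost; the Guile procedures are `number->string` and `string->utf8`. The `;; XXX: Can we assume UTF-8 here?` question is best answered by making the encoding explicit at both the writing and the reading end rather than assuming it.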

 It’s important to keep the original signatures intact.

Not sure I follow.  Can I simply use (Signature . ,narinfo-signature)?

 To fix this, the narinfo record must include an additional field to
 contain the original narinfo string.

Please elaborate.  Which string are you talking about?
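Steps 1 to 5 of the narinfo outline discussed in this thread, as an added Python illustration; this is not code from the Guix patch. The sample narinfo and its field values are constructed placeholders, the `verify` callback is hypothetical, and the `VERSION;KEY-ID;BASE64-BODY` layout of the Signature value follows what the quoted patch emits.

```python
import hashlib
import re

# Constructed sample narinfo (placeholder values, not a real hydra.gnu.org entry).
SAMPLE_NARINFO = """StorePath: /gnu/store/EXAMPLE-libglade-2.6.4
URL: nar/EXAMPLE-libglade-2.6.4
Compression: bzip2
NarHash: sha256:PLACEHOLDER-NAR-HASH
NarSize: 12345
References: EXAMPLE-glib-2.38.0
Signature: 1;example.org;PLACEHOLDER-BASE64-SIGNATURE
"""

SIGNATURE_LINE = re.compile(r"^[ \t]*Signature[ \t]*:", re.MULTILINE)  # step 2

def split_at_signature(narinfo):
    """Return (text before the Signature line, Signature line plus the rest)."""
    m = SIGNATURE_LINE.search(narinfo)
    if m is None:
        raise ValueError("narinfo has no Signature field")
    return narinfo[:m.start()], narinfo[m.start():]

def signed_hash(narinfo):
    """Step 3: SHA-256 over the UTF-8 bytes (step 1) that precede Signature."""
    head, _ = split_at_signature(narinfo)
    return hashlib.sha256(head.encode("utf-8")).hexdigest()

def fields_alist(narinfo):
    """Step 4: parse every 'Key: value' line of the whole string, Signature included."""
    fields = {}
    for line in narinfo.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed narinfo line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields

def parse_signature(value):
    """Split the 'VERSION;KEY-ID;BASE64-BODY' layout into its parts, unchanged."""
    version, key_id, body = value.split(";", 2)
    return int(version), key_id, body

def check_narinfo(narinfo, verify):
    """Step 5: give the verifier the hash of the signed prefix together with the
    original signature parts; it must compare that hash with the signed one."""
    version, key_id, body = parse_signature(fields_alist(narinfo)["Signature"])
    return verify(signed_hash(narinfo), version, key_id, body)
```

The signature body is passed through untouched, so changing it leaves `signed_hash` unchanged while editing any field above the Signature line changes it; the verifier is where the two hashes meet.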




hydra.gnu.org migrates to /gnu/store!

2014-02-28 Thread Ludovic Courtès
Hello!

hydra.gnu.org is under maintenance for a couple of days; the web
front-end remains available, but builds don’t get queued.

Among other things, it’s migrating from /nix/store to /gnu/store.
Stay tuned! :-)

Ludo’.