Re: Should we stop distributing source tarballs?

2024-04-04 Thread Juraj Oravec
On Wednesday 3 April 2024 18:34:04 CEST Albert Vaca Cintora wrote: > Hi KDE folks, > > The recent xz backdoor scandal made me realize how bad and obsolete > distributing tarballs is. The source of truth for our code is the > repositories, and releases can simply be tags on those repos. > > As a

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Thiago Macieira
On Thursday 4 April 2024 04:26:57 PDT Sune Vuorela wrote: > 'does it use autotools?' The outcome of this is "please migrate off Autotools". -- Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org Principal Engineer - Intel DCAI Cloud Engineering

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Heiko Becker
On Thursday, 4 April 2024 13:26:57 CEST, Sune Vuorela wrote: On 2024-04-04, Ben Cooksley wrote: I do also think it is nice if we get someone else to verify that the tarball we ship actually matches the tag. I think some people in distributions have already started looking into verifying that.

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Heiko Becker
On Thursday, 4 April 2024 13:07:42 CEST, Ben Cooksley wrote: [snip] As an additional aside - we don't currently GPG sign our Git tags, so there is nothing validating that the person who made the release is actually the person whose name is on it. With GPG signatures we can at least validate who

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Jin Liu
Neal Gompa wrote on Thursday, 4 April 2024 at 22:19: > > That's fair, but they are not permanent and can be reaped when they're > not referenced by anything anymore. > If you pull these release commits into a "download" server and restrict write access to it, not giving everyone permission to delete a tag, just

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Neal Gompa
On Thu, Apr 4, 2024 at 10:18 AM Jin Liu wrote: > > > Neal Gompa wrote on Thursday, 4 April 2024 at 22:09: > > and because Git has no immutability > guarantees, it's not exactly ideal as an input either. > > Commits and trees in git are immutable. Refs like tags and branches are not. That's fair, but they are not

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Jin Liu
Neal Gompa wrote on Thursday, 4 April 2024 at 22:09: > and because Git has no immutability guarantees, it's not exactly ideal as an input either. Commits and trees in git are immutable. Refs like tags and branches are not.

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Neal Gompa
On Thu, Apr 4, 2024 at 9:52 AM Harald Sitter wrote: > > On Thu, Apr 4, 2024 at 3:38 PM Tobias Leupold wrote: > > > > On 04.04.24 at 13:25, Harald Sitter wrote: > > > On Thu, Apr 4, 2024 at 12:57 PM Tobias Leupold wrote: > > >> Just what comes into my mind at once. A release is not always only

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Harald Sitter
On Thu, Apr 4, 2024 at 3:38 PM Tobias Leupold wrote: > > On 04.04.24 at 13:25, Harald Sitter wrote: > > On Thu, Apr 4, 2024 at 12:57 PM Tobias Leupold wrote: > >> Just what comes into my mind at once. A release is not always only a git > >> tag. > > > > Doesn't that make your source tarball a

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Tobias Leupold
On 04.04.24 at 13:25, Harald Sitter wrote: On Thu, Apr 4, 2024 at 12:57 PM Tobias Leupold wrote: Just what comes into my mind at once. A release is not always only a git tag. Doesn't that make your source tarball a derived work from the source in your git tag? Yes, of course! This was the

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Jin Liu
The tree-id of a git commit is effectively a checksum of all files. So you can ask packagers to pull a specific commit and verify either commit-id or tree-id. No extra verification step needed. Sune Vuorela wrote on Thursday, 4 April 2024 at 17:48: > On 2024-04-03, Albert Vaca Cintora wrote: > > What's the

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Sune Vuorela
On 2024-04-04, Ben Cooksley wrote: >> I do also think it is nice if we get someone else to verify that the >> tarball we ship actually matches the tag. I think some people in >> distributions have already started looking into verifying that. >> > > Hopefully they'll be gentle with tooling that

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Harald Sitter
On Thu, Apr 4, 2024 at 12:57 PM Tobias Leupold wrote: > Just what comes into my mind at once. A release is not always only a git tag. Doesn't that make your source tarball a derived work from the source in your git tag?

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Ben Cooksley
On Thu, Apr 4, 2024 at 10:48 PM Sune Vuorela wrote: > On 2024-04-03, Albert Vaca Cintora wrote: > > What's the advantage of providing tarballs? > > I do think there is an advantage in being able to verify that the source > tarball is the same across distributions. Using a checksum on the >

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Tobias Leupold
E-mail from Albert Vaca Cintora of Wednesday, 3 April 2024, 18:34:04 CEST: > Hi KDE folks, > > The recent xz backdoor scandal made me realize how bad and obsolete > distributing tarballs is. The source of truth for our code is the > repositories, and releases can simply be tags on those repos. >

Re: Should we stop distributing source tarballs?

2024-04-04 Thread Sune Vuorela
On 2024-04-03, Albert Vaca Cintora wrote: > What's the advantage of providing tarballs? I do think there is an advantage in being able to verify that the source tarball is the same across distributions. Using a checksum on the tarball is an easy way of doing it. Different git invocations for git
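Jin Liu's observation further up in the thread (the tree-id of a commit is effectively a checksum of all files) is what turns the check discussed here by Sune, Heiko and Ben, whether the tarball we ship actually matches the tag, into something mechanical rather than a matter of trust. The following is an added example, not code from the thread or from KDE: it re-implements git's blob and tree hashing in Python so that the tree-id of a release tarball can be recomputed from the tarball alone and compared with `git rev-parse <tag>^{tree}` taken from a trusted clone; git itself is not needed on the verifying machine. The sample tree, the tarball prefixes and the injected file name are constructed for the demonstration.

```python
"""Check a release tarball against a git tag's tree-id, without invoking git.

Added example, not code from the thread or from KDE: re-implements git's blob
and tree hashing so an unpacked tarball's tree-id can be compared with
`git rev-parse <tag>^{tree}` from a trusted clone. Sample data is constructed.
"""
import hashlib
import io
import tarfile
from typing import NamedTuple


class Blob(NamedTuple):
    mode: str   # "100644" file, "100755" executable, "120000" symlink (data = link target)
    data: bytes


def git_object_id(kind: str, payload: bytes) -> str:
    """SHA-1 over git's object header (kind, space, decimal size, NUL) plus the payload."""
    return hashlib.sha1(f"{kind} {len(payload)}\0".encode() + payload).hexdigest()


def git_blob_id(data: bytes) -> str:
    return git_object_id("blob", data)


def tree_id(tree: dict) -> str:
    """Hash a tree (dict: name -> Blob or sub-tree dict) as `git write-tree` does.

    Only mode, name and content enter the id; mtimes, ownership and the top-level
    directory name do not. Empty directories are dropped, as git cannot store them.
    """
    entries = []
    for name, entry in tree.items():
        bname = name.encode()
        if isinstance(entry, dict):
            if not entry:
                continue
            mode, oid, key = b"40000", tree_id(entry), bname + b"/"  # no leading 0; dirs sort as "name/"
        else:
            mode, oid, key = entry.mode.encode(), git_blob_id(entry.data), bname
        entries.append((key, mode + b" " + bname + b"\0" + bytes.fromhex(oid)))
    entries.sort(key=lambda e: e[0])
    return git_object_id("tree", b"".join(raw for _, raw in entries))


def tree_from_tarball(tar_bytes: bytes) -> dict:
    """Load a tarball, dropping the single top-level dir that `git archive --prefix` adds."""
    root: dict = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf.getmembers():
            parts = [p for p in m.name.split("/") if p not in ("", ".")][1:]
            if not parts:
                continue                                   # the prefix directory itself
            node = root
            for p in parts[:-1]:
                node = node.setdefault(p, {})
            if m.isdir():
                node.setdefault(parts[-1], {})
            elif m.issym():
                node[parts[-1]] = Blob("120000", m.linkname.encode())
            elif m.isfile():
                node[parts[-1]] = Blob("100755" if m.mode & 0o100 else "100644", tf.extractfile(m).read())
            else:
                raise ValueError(f"unsupported tar member type: {m.name}")
    return root


def build_tarball(tree: dict, prefix: str, mtime: int) -> bytes:
    """Constructed stand-in for `git archive --prefix=<prefix>/ | gzip` (files and dirs only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(node: dict, path: str) -> None:
            for name, entry in sorted(node.items()):
                info = tarfile.TarInfo(f"{path}/{name}")
                info.mtime = mtime
                if isinstance(entry, dict):
                    info.type, info.mode = tarfile.DIRTYPE, 0o755
                    tf.addfile(info)
                    add(entry, info.name)
                else:
                    info.size, info.mode = len(entry.data), 0o755 if entry.mode == "100755" else 0o644
                    tf.addfile(info, io.BytesIO(entry.data))
        add(tree, prefix)
    return buf.getvalue()


def demo() -> dict:
    """Tagged tree (constructed), two honest repackagings of it, and one with an injected file."""
    tagged = {
        "CMakeLists.txt": Blob("100644", b"project(example)\n"),
        "src": {"main.cpp": Blob("100644", b"int main() { return 0; }\n")},
        "release.sh": Blob("100755", b"#!/bin/sh\nexit 0\n"),
    }
    expected = tree_id(tagged)   # stands in for `git rev-parse v1.0^{tree}` run in a trusted clone
    honest_a = build_tarball(tagged, "example-1.0", mtime=1_700_000_000)
    honest_b = build_tarball(tagged, "example-1.0-src", mtime=1_700_086_400)   # other prefix, other mtimes
    tampered = dict(tagged)
    tampered["build-extra.m4"] = Blob("100644", b"# constructed: in the tarball, not in the tag\n")
    bad = build_tarball(tampered, "example-1.0", mtime=1_700_000_000)
    return {
        "expected": expected,
        "tarball_sha256_differs": hashlib.sha256(honest_a).digest() != hashlib.sha256(honest_b).digest(),
        "honest_a_matches": tree_id(tree_from_tarball(honest_a)) == expected,
        "honest_b_matches": tree_id(tree_from_tarball(honest_b)) == expected,
        "tampered_matches": tree_id(tree_from_tarball(bad)) == expected,
    }


if __name__ == "__main__": print(demo())
```

Two points for anyone using this for real. The sha256 of the tarball differs between the two honest repackagings (another prefix, other mtimes, and gzip stamps its own timestamp) while the tree-id is identical; a checksum on the tarball therefore proves that every distribution received the same bytes, not that those bytes equal the tag, and the tree-id proves the latter. The comparison is also only as trustworthy as the reference id: a tag is a movable ref, so the value of `git rev-parse v1.0^{tree}` should come from a clone you trust or from an id recorded at release time, not from whatever the tag currently points at on a mirror. Tarballs that legitimately contain more than the tagged tree (export-subst or export-ignore attributes, or files a release script generates, as Tobias notes) will fail this check by design and need those additions accounted for separately.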

Should we stop distributing source tarballs?

2024-04-04 Thread Albert Vaca Cintora
Hi KDE folks, The recent xz backdoor scandal made me realize how bad and obsolete distributing tarballs is. The source of truth for our code is the repositories, and releases can simply be tags on those repos. As a big free software community, I think we should lead by example and get rid of