12.2R Sigs

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

12.2R Sigs

grarpamp
https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/releases/12.2R/signatures.xml

Is it plan that 12.x 13.x etc continue with
provision of sig files for BETA and RC?
If so, process can be added to releng todo docs,
and the sig asc files pushed out to website,
and to download areas (https, ftp, rsync, torrent, etc)
alongside with the image datasets themselves.
If not, the docs can make note of the labels
to which sigs apply.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: 12.2R Sigs

Glen Barber-6
On Thu, Sep 17, 2020 at 03:41:22PM -0400, grarpamp wrote:

> https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/releases/12.2R/signatures.xml
>
> Is it plan that 12.x 13.x etc continue with
> provision of sig files for BETA and RC?
> If so, process can be added to releng todo docs,
> and the sig asc files pushed out to website,
> and to download areas (https, ftp, rsync, torrent, etc)
> alongside with the image datasets themselves.
> If not, the docs can make note of the labels
> to which sigs apply.
>
They will be added with the first RC build, after the doc tree is tagged
for the final release.  Since moving the release notes and other related
documentation from base to doc, this introduced a bug in the order of
operations I have not yet figured out how to solve the right way.  In
other words, adding the signed BETA* checksums to the doc tree for the
12.1-BETA* builds, turned out to be an error.

(Also note, the signed checksums were not available for previous release
BETA builds.  And there is the PGP-signed email to stable@ that contains
them.)

Glen


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: 12.2R Sigs

grarpamp
> They will be added with the first RC build

Yes RC* seems the latest point in timeline
to begin excercise them.

> a bug in the order of operations

> And there is the PGP-signed email to stable@ that contains
> them.

Future noting that lists do not support foreknown path schemes
for that data. Whereas repo, website and dataset locations are more
predictable and programmatic... allowing fetching, validation, etc.

There could be a commit subsequent to tags, to hold all
relavant collected metadata results, created sigs, etc of
those tagged builds.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: 12.2R Sigs

Glen Barber-6
On Thu, Sep 17, 2020 at 08:03:54PM -0400, grarpamp wrote:

> > They will be added with the first RC build
>
> Yes RC* seems the latest point in timeline
> to begin excercise them.
>
> > a bug in the order of operations
>
> > And there is the PGP-signed email to stable@ that contains
> > them.
>
> Future noting that lists do not support foreknown path schemes
> for that data. Whereas repo, website and dataset locations are more
> predictable and programmatic... allowing fetching, validation, etc.
>
And for RC builds, they are predictable and programmatic.

> There could be a commit subsequent to tags, to hold all
> relavant collected metadata results, created sigs, etc of
> those tagged builds.

I am not on postmaster.

Glen


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: 12.2R Sigs

grarpamp
>> > And there is the PGP-signed email to stable@ that contains
>> > them.
>>
>> Future noting that lists do not support foreknown path schemes
>> for that data. Whereas repo, website and dataset locations are more
>> predictable and programmatic... allowing fetching, validation, etc.
>
> And for RC builds, they are predictable and programmatic.

Users would have to get and search the entire lists content to
find such sig posts, unfortunately no there are no nice predicted
paths to such single emails supporting simple fetch of associated
sig infos, ie: no schema <service>://<path_to_data>/13.x/<foo>.asc

Mail are not, it can't... ie: it has no hier, path, file globbing regex *, etc.

The website and distribution methods mentioned earlier are
possible. (Now just for RC and RELEASE, as clarified in thread.)

Website has them in nice paths today,

individually...
https://www.freebsd.org/releases/12.1R/signatures.html

and in bulk...
https://www.freebsd.org/releases/12.1R/announce.asc

but they are not present in what should be their natural
cohabitation set within the other distribution methods,
such as the case of https / ftp / rsync / torrent / etc for...
https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/

> I am not on postmaster.

What that mean in context?
Only some volunteer for that role, as any other,
it's ok not to be in two or more of them.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: 12.2R Sigs

Glen Barber-6
On Thu, Sep 17, 2020 at 09:09:26PM -0400, grarpamp wrote:

> >> > And there is the PGP-signed email to stable@ that contains
> >> > them.
> >>
> >> Future noting that lists do not support foreknown path schemes
> >> for that data. Whereas repo, website and dataset locations are more
> >> predictable and programmatic... allowing fetching, validation, etc.
> >
> > And for RC builds, they are predictable and programmatic.
>
> Users would have to get and search the entire lists content to
> find such sig posts, unfortunately no there are no nice predicted
> paths to such single emails supporting simple fetch of associated
> sig infos, ie: no schema <service>://<path_to_data>/13.x/<foo>.asc
>
> Mail are not, it can't... ie: it has no hier, path, file globbing regex *, etc.
>
> The website and distribution methods mentioned earlier are
> possible. (Now just for RC and RELEASE, as clarified in thread.)
>
> Website has them in nice paths today,
>
> individually...
> https://www.freebsd.org/releases/12.1R/signatures.html
>
> and in bulk...
> https://www.freebsd.org/releases/12.1R/announce.asc
>
> but they are not present in what should be their natural
> cohabitation set within the other distribution methods,
> such as the case of https / ftp / rsync / torrent / etc for...
> https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/
>
> > I am not on postmaster.
>
> What that mean in context?
> Only some volunteer for that role, as any other,
> it's ok not to be in two or more of them.
Sorry, something you said was misinterpreted by me, and I was answering
something that I thought you had asked, but had not.  So it is a bit
difficult for me to explain what I meant with this part of my reply.

In any case, after the doc tree is tagged (which is included on the
installation medium for reproducibility), RC1 and subsequent RCs and the
final RELEASE build will be programmatically fetchable.  The
announce.asc file is only created for the final RELEASE build, however.

Glen


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: 12.2R Sigs

grarpamp
> [src's] included on the
> installation medium for reproducibility

Wherever the src.tgz, they should not be considered to be
unbreakable reproducible bitwise duplicate authentic or
traceable back to any repo since there is no provable cryptographic
chain back to same, only assertions over the breaking points,
which can and do fail in various ways.
Distributed cloneable distributable repo's based on crypto are
needed to do that, perhaps such as Monotone, or at least
sign Git's init hash.

https://monotone.ca/
https://git-scm.com/

> announce.asc file is only created for the final RELEASE build

Yes as those are nice milestones :)
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"