Posted to dev@subversion.apache.org by Julian Foad <ju...@apache.org> on 2019/09/30 16:34:11 UTC

Re: Link to KEYS file on our download page

Julian Foad wrote on 2019-03-13:
> Daniel Shahaf wrote:
>> I replied on dev@whimsical arguing that an ASF-wide mechanism should be
>> put in place for automatically generating KEYS files meeting the
>> requirements stated on the referenced page and suggesting an implementation.
> 
> Thanks! Sounds good. For anyone wanting to read or follow, that reply is at:
> https://lists.apache.org/thread.html/44164aa23523861a8f5b516de791a15f10846bc2aec8620732c481c8@%3Cdev.whimsical.apache.org%3E
> 
>> In the meantime, if those alleged requirements are actually Foundation
>> policy then we should manually copy /keys/group/subversion.asc to
>> /dist/release/KEYS.
> 
> Let's see if we can get traction on your proposal.

Nothing happened there.

I have now manually added a copy
of https://people.apache.org/keys/group/subversion.asc
to https://www.apache.org/dist/subversion/KEYS
via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
and updated our download page to point to it (r1867780).

- Julian


Re: Link to KEYS file on our download page

Posted by Julian Foad <ju...@apache.org>.
Julian Foad wrote on 2019-09-30:
> Julian Foad wrote on 2019-03-13:
>> Daniel Shahaf wrote:
>>> I replied on dev@whimsical arguing that an ASF-wide mechanism should be
>>> put in place for automatically generating KEYS files meeting the
>>> requirements stated on the referenced page and suggesting an 
>>> implementation.
>>
>> Thanks! Sounds good. For anyone wanting to read or follow, that reply 
>> is at:
>> https://lists.apache.org/thread.html/44164aa23523861a8f5b516de791a15f10846bc2aec8620732c481c8@%3Cdev.whimsical.apache.org%3E 
>>
>>> In the meantime, if those alleged requirements are actually Foundation
>>> policy then we should manually copy /keys/group/subversion.asc to
>>> /dist/release/KEYS.
>>
>> Let's see if we can get traction on your proposal.
> 
> Nothing happened there.
> 
> I have now manually added a copy
> of https://people.apache.org/keys/group/subversion.asc
> to https://www.apache.org/dist/subversion/KEYS
> via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
> and updated our download page to point to it (r1867780).


Daniel has now committed http://svn.apache.org/r1869135 ,
"Automatically add to dist/ a current KEYS file with each release."

I am putting this in place just in time for 1.13.0.

The 1.13.0 downloads table on
http://subversion-staging.apache.org/download.cgi#recommended-release
now includes links to
https://www.apache.org/dist/subversion/subversion-1.13.0.KEYS

- Julian

Re: Link to KEYS file on our download page

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Daniel Shahaf wrote on Mon, Sep 30, 2019 at 17:00:23 +0000:
> Julian Foad wrote on Mon, 30 Sep 2019 16:34 +00:00:
> > Nothing happened there.
> > 
> > I have now manually added a copy
> > of https://people.apache.org/keys/group/subversion.asc
> > to https://www.apache.org/dist/subversion/KEYS
> > via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
> > and updated our download page to point to it (r1867780).
> 
> Thanks.
> 
> However, I still wonder why we shouldn't have this command run automatically —
> .
>     curl -sSf https://people.apache.org/keys/group/subversion.asc | svnmucc -U https://dist.apache.org/repos/dist/ put /dev/stdin dev/subversion/subversion-1.13.0-rc1.KEYS
> .
> — and be done with it for good.  It could be run from release.py, for example.

I think the following should do it, though we may want to ask Infra to add
a «*.KEYS» pattern to their rsyncd.conf exclude= line, to prevent the *.KEYS
files from being mirrored.  (That's already true for *.asc files.)

[[[
release.py: Automatically add to dist/ a current KEYS file with each release.

In particular, this means versioned KEYS files will be archived to
archive.a.o/dist/, and will continue to contain keys after those have
been removed from a committer's id.a.o profile.

* tools/dist/release.py
  (download_file): Make checksum verification opt-outable.
  (roll_tarballs): Download the KEYS file to the target directory.
    Rely on TLS for authenticity and integrity of the downloaded
    file (as we already do for authenticity and integrity of the subsequent
    commit operation).

* tools/dist/templates/download.ezt, 
* tools/dist/templates/rc-release-ann.ezt,
* tools/dist/templates/stable-release-ann.ezt:
    Link to the per-release KEYS file.
]]]

[[[
Index: tools/dist/release.py
===================================================================
--- tools/dist/release.py	(revision 1867888)
+++ tools/dist/release.py	(working copy)
@@ -294,7 +294,14 @@ def run_script(verbose, script, hide_stderr=False)
     for l in script.split('\n'):
         run_command(l.split(), verbose, hide_stderr)
 
-def download_file(url, target, checksum):
+def download_file(url, target, checksum):
+    """Download the file at URL to the local path TARGET.
+    If CHECKSUM is a string, verify the checksum of the downloaded
+    file and raise RuntimeError if it does not match.  If CHECKSUM
+    is None, do not verify the downloaded file.
+    """
+    assert checksum is None or isinstance(checksum, str)
+
     response = urllib2.urlopen(url)
     target_file = open(target, 'w+')
     target_file.write(response.read())
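Review bot: the new `assert checksum is None or isinstance(checksum, str)` is stripped when the script is run under `python -O`, and since this file imports `urllib2` (Python 2) a `unicode` checksum would fail it even though the comparison later in the function works on either type; enforce the contract the docstring states with an explicit check instead, e.g. `if checksum is not None and not isinstance(checksum, basestring): raise TypeError(...)` (`str` if the file is Python 3 only). The `-def download_file(url, target, checksum):` / `+def download_file(url, target, checksum):` pair changes nothing visible (presumably whitespace) and can be dropped from the hunk.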
@@ -303,7 +310,7 @@ def run_script(verbose, script, hide_stderr=False)
     m.update(target_file.read())
     target_file.close()
     checksum2 = m.hexdigest()
-    if checksum != checksum2:
+    if checksum is not None and checksum != checksum2:
         raise RuntimeError("Checksum mismatch for '%s': "\
                            "downloaded: '%s'; expected: '%s'" % \
                            (target, checksum, checksum2))
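Review bot: the mismatch message in the context lines under the changed `if` labels its values the wrong way round: `checksum` is the expected digest passed in by the caller and `checksum2` is the digest of what was downloaded, but the format reads "downloaded: '%s'; expected: '%s'" % (target, checksum, checksum2). As this hunk already edits the condition, swap the last two arguments to `(target, checksum2, checksum)`. Smaller point: with `checksum` None the file is still re-read and hashed for nothing; guard the `m.update(...)` pass with the same `is not None` test.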
@@ -966,7 +973,12 @@ def roll_tarballs(args):
         shutil.copy(os.path.join(get_workdir(args.base_dir),
                                  'subversion', 'include', 'svn_version.h'),
                     os.path.join(get_target(args),
-                                 'svn_version.h.dist-%s' % str(args.version)))
+                                 'svn_version.h.dist-%s'
+                                   % (str(args.version),)))
+        download_file(KEYS,
+                      os.path.join(get_target(args),
+                                   'subversion-%s.KEYS' % (str(args.version),)),
+                      None)
 
     # And we're done!
 
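Review bot: `KEYS` in `download_file(KEYS, ...)` is not defined anywhere in this patch; unless release.py already has a module-level `KEYS` constant (the log message suggests https://people.apache.org/keys/group/subversion.asc), `roll_tarballs` will only fail with a NameError on release day, so please include its definition in the diff. On "Rely on TLS for authenticity and integrity": `download_file` calls `urllib2.urlopen`, which before Python 2.7.9 (PEP 476) did not validate server certificates, so on an older interpreter the unverified KEYS download is protected only against passive observers. Either state the minimum Python version this relies on, or compare the fingerprints in the fetched file against the signers listed under `[siginfo]` before the file is committed to dist/.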
Index: tools/dist/templates/download.ezt
===================================================================
--- tools/dist/templates/download.ezt	(revision 1867888)
+++ tools/dist/templates/download.ezt	(working copy)
@@ -4,10 +4,12 @@
   <th>File</th>
   <th>Checksum (SHA512)</th>
   <th>Signatures</th>
+  <th>PGP Public Keys</th>
 </tr>
 [for fileinfo]<tr>
   <td><a href="[[]preferred]subversion/[fileinfo.filename]">[fileinfo.filename]</a></td>
   <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].sha512">SHA-512</a>]</td>
-  <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].asc">PGP</a>]</td>
+  <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].asc">PGP signatures</a>]</td>
+  <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].KEYS">PGP keyring</a>]</td>
 </tr>[end]
 </table>
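Review bot: the column header says "PGP Public Keys" while the new anchor text says "PGP keyring"; pick one term. Because the new `<td>` sits inside `[for fileinfo]`, the same `subversion-[version].KEYS` link is emitted once per row; that mirrors the per-file `.sha512` and `.asc` columns, but if the table grows it may read better as a single line under the table. Pointing the keyring at www.apache.org/dist rather than `[preferred]` is right, since it must not come from the mirror that served the tarball; a short template comment saying so would stop a later edit from "correcting" it.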
Index: tools/dist/templates/rc-release-ann.ezt
===================================================================
--- tools/dist/templates/rc-release-ann.ezt	(revision 1867888)
+++ tools/dist/templates/rc-release-ann.ezt	(working copy)
@@ -23,6 +23,10 @@ PGP Signatures are available at:
 For this release, the following people have provided PGP signatures:
 
 [siginfo]
+These public keys are available at:
+
+    https://www.apache.org/dist/subversion/subversion-[version].KEYS
+
 This is a pre-release for what will eventually become version [major-minor-patch] of the
 Apache Subversion open source version control system.  It may contain known
 issues, a complete list of [major-minor-patch]-blocking issues can be found
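Review bot: `[siginfo]` is followed directly by `+These public keys are available at:` with no separating blank line, whereas every other paragraph in this template is preceded by one (see the blank line after "provided PGP signatures:"); unless `[siginfo]` always ends with an empty line, add one. It would also help recipients to say what to do with the file, e.g. `gpg --import subversion-[version].KEYS` and then `gpg --verify` on the `.asc` next to the tarball, since the announcement otherwise lists signers and a keyring without connecting the two.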
Index: tools/dist/templates/stable-release-ann.ezt
===================================================================
--- tools/dist/templates/stable-release-ann.ezt	(revision 1867888)
+++ tools/dist/templates/stable-release-ann.ezt	(working copy)
@@ -34,6 +34,10 @@ PGP Signatures are available at:
 For this release, the following people have provided PGP signatures:
 
 [siginfo]
+These public keys are available at:
+
+    https://www.apache.org/dist/subversion/subversion-[version].KEYS
+
 Release notes for the [major-minor].x release series may be found at:
 
     https://subversion.apache.org/docs/release-notes/[major-minor].html
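Review bot: "These public keys are available at:" overstates what the link holds: `subversion-[version].KEYS` is the whole group keyring rolled at release time, not only the keys of the people named in `[siginfo]`, so a reader may find more keys than signers. Something like "The signers' public keys are included in the project keyring at:" is accurate. The spacing also needs a look: `[siginfo]` runs straight into the new paragraph with no blank line, unlike the other paragraphs in this template.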
]]]

Cheers,

Daniel
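
An added example (Python 3; not release.py's code and not part of Daniel's patch) of the download step with the guarantees the log message leans on made explicit: a verifying TLS context, an optional SHA-512 pin compared in constant time, plain exceptions instead of `assert`, and an atomic write so a failed fetch never leaves a partial subversion-<version>.KEYS in the target directory. KEYS_URL is the group keyring URL named in this thread; demo_local(), its temporary directory, the file names and the stand-in payload are constructed here so the example runs offline.

```python
"""Fetch the group KEYS file for a release with the guarantees the commit
message leans on made explicit: a verifying TLS context, an optional
SHA-512 pin compared in constant time, and an atomic write so a failed
fetch never leaves a partial subversion-<version>.KEYS in the target
directory.  Added example (Python 3), not release.py's own code."""
import hashlib
import hmac
import os
import pathlib
import ssl
import tempfile
import urllib.request

# The group keyring named in the thread; demo_local() below substitutes a
# file:// URL so the example runs offline.
KEYS_URL = "https://people.apache.org/keys/group/subversion.asc"


def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()


def download_file(url, target, checksum=None, timeout=60):
    """Fetch URL into TARGET.  CHECKSUM is the expected SHA-512 hex digest or
    None to skip the pin (as the patch allows for the KEYS file).  Plain
    exceptions rather than assert, so the checks survive `python -O`."""
    if checksum is not None and not isinstance(checksum, str):
        raise TypeError("checksum must be a hex string or None")
    # Verify the server certificate chain and hostname.  Python 3.4.3+ does
    # this by default (PEP 476); Python 2's urllib2 before 2.7.9 did not.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        data = resp.read()
    if checksum is not None:
        actual = sha512_hex(data)
        if not hmac.compare_digest(actual, checksum.lower()):
            raise RuntimeError("Checksum mismatch for '%s': downloaded: '%s'; "
                               "expected: '%s'" % (target, actual, checksum))
    # Stage in the target's directory and rename, so readers of TARGET see
    # either the old file or the complete new one, never a partial write.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(target)),
                               prefix=".keys-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, target)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return len(data)


def demo_local():
    """Offline run against a constructed file:// source.  Returns
    (good pin accepted and file intact, bad pin rejected, wrong type rejected)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "subversion.asc")
    payload = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"   # constructed stand-in,
               b"bm90IGEgcmVhbCBrZXk=\n=AAAA\n"               # not a real key
               b"-----END PGP PUBLIC KEY BLOCK-----\n")
    with open(src, "wb") as f:
        f.write(payload)
    url = pathlib.Path(src).as_uri()
    target = os.path.join(workdir, "subversion-1.13.0.KEYS")
    written = download_file(url, target, sha512_hex(payload))
    bad_pin = bad_type = False
    try:
        download_file(url, target, "00" * 64)
    except RuntimeError:
        bad_pin = True
    try:
        download_file(url, target, 12345)
    except TypeError:
        bad_type = True
    with open(target, "rb") as f:
        intact = f.read() == payload          # untouched by the two failures
    return written == len(payload) and intact, bad_pin, bad_type
```

For the real keyring the call is download_file(KEYS_URL, os.path.join(target_dir, "subversion-%s.KEYS" % version)), with checksum None exactly as the patch does it; the difference is that certificate verification is now visible in the code rather than dependent on which interpreter happens to run release.py.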


Re: Link to KEYS file on our download page

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Julian Foad wrote on Mon, 30 Sep 2019 16:34 +00:00:
> Nothing happened there.
> 
> I have now manually added a copy
> of https://people.apache.org/keys/group/subversion.asc
> to https://www.apache.org/dist/subversion/KEYS
> via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
> and updated our download page to point to it (r1867780).

Thanks.

However, I still wonder why we shouldn't have this command run automatically —
.
    curl -sSf https://people.apache.org/keys/group/subversion.asc | svnmucc -U https://dist.apache.org/repos/dist/ put /dev/stdin dev/subversion/subversion-1.13.0-rc1.KEYS
.
— and be done with it for good.  It could be run from release.py, for example.

Re: Link to KEYS file on our download page

Posted by Nathan Hartman <ha...@gmail.com>.
On Wed, Oct 2, 2019 at 1:32 PM Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Nathan Hartman wrote on Wed, 02 Oct 2019 15:41 +00:00:
> > If there's anything else I need to do, please let me know.
>
> For bonus points, get your key cross-signed and linked to the web of trust :)

Agreed. I am keeping an eye out for key signing opportunities...

Re: Link to KEYS file on our download page

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Nathan Hartman wrote on Wed, 02 Oct 2019 15:41 +00:00:
> Nathan Hartman wrote:
> > The ASF committer keys list (https://people.apache.org/keys/committer/)
> > is showing my key as "key not found." Not really sure what to do about
> > that.
> 
> I checked again and my key is found now. :-)

I can retrieve it too (two successes out of two attempts).

> > Also, some ASF help page (that I can't seem to locate now) said I need
> > to add my key to a KEYS file. Not sure where that is.
> 
> Well this answers that question!
> 
> If there's anything else I need to do, please let me know.

For bonus points, get your key cross-signed and linked to the web of trust :)

Cheers,

Daniel

Re: Link to KEYS file on our download page

Posted by Nathan Hartman <ha...@gmail.com>.
Nathan Hartman wrote:
> The ASF committer keys list (https://people.apache.org/keys/committer/)
> is showing my key as "key not found." Not really sure what to do about
> that.

I checked again and my key is found now. :-)

> Also, some ASF help page (that I can't seem to locate now) said I need
> to add my key to a KEYS file. Not sure where that is.

Well this answers that question!

If there's anything else I need to do, please let me know.