Posted to dev@subversion.apache.org by Daniel Shahaf <d....@daniel.shahaf.name> on 2016/10/25 17:30:12 UTC
Sign advisories?
When we do a security release, we upload a *.txt advisory to
https://subversion.apache.org/security/ and link it from the
announcement. That advisory isn't currently signed. Could we sign
them?
That'd be useful, since they contain patches. They are already signed
in the "embargoed pre-notification" emails, IIRC; just not when they're
uploaded to the site.
Cheers,
Daniel
P.S. I couldn't find where the "Security release checklist" that the RM
follows for security releases is. Any pointers?
Re: Sign advisories?
Posted by Branko Čibej <br...@apache.org>.
On 25.10.2016 19:50, Daniel Shahaf wrote:
> Branko Čibej wrote on Tue, Oct 25, 2016 at 19:44:28 +0200:
>> If we do this, I'd argue for making the files ASCII-armored PGP, not
>> keeping signatures separate.
> Inline PGP has a problem with lines that start with a hyphen, which
> occur in patches.
>
> I think our options are:
>
> - Use detached signatures
You just convinced me ...
> - Indent the patches one space
> - Tell gpg(1) not to escape minuses on the first column
>   - Okay if people use gpg(1)
>   - Breaks compatibility with other PGP implementations
> - Do nothing
>   - Okay if people use GNU patch
>   - Not okay if people use 'svn patch' or a third-party patch(1) implementation
Re: Sign advisories?
Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Branko Čibej wrote on Tue, Oct 25, 2016 at 19:44:28 +0200:
> If we do this, I'd argue for making the files ASCII-armored PGP, not
> keeping signatures separate.
Inline PGP has a problem with lines that start with a hyphen, which
occur in patches.
I think our options are:
- Use detached signatures
- Indent the patches one space
- Tell gpg(1) not to escape minuses on the first column
  - Okay if people use gpg(1)
  - Breaks compatibility with other PGP implementations
- Do nothing
  - Okay if people use GNU patch
  - Not okay if people use 'svn patch' or a third-party patch(1) implementation
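Added example, not part of this thread or of the Subversion project's tools: a small Python model of the dash-escaping that RFC 4880 section 7.1 requires inside a PGP cleartext ("inline") signature, which is the mechanism behind the hyphen problem discussed above. Every line of the signed text that begins with "-" is prefixed with "- " before the signature block, and a verifier is expected to strip that prefix again; a consumer that only strips the armor and feeds the middle to patch(1) sees corrupted diff headers and removal lines. The sample diff, the placeholder signature string and all function names here are constructed for the example; the code produces no real signature. It also models the "indent one space" option, which makes the escaping a no-op.

```python
"""
Model of RFC 4880 cleartext-signature dash-escaping and its effect on an
embedded unified diff. Constructed example; no cryptography is performed.
"""

# Constructed sample diff; the first-column hyphens are what a cleartext
# signature framework must escape. Paths are placeholders, not real revisions.
SAMPLE_PATCH = """\
Index: example/file.c
===================================================================
--- example/file.c\t(revision N)
+++ example/file.c\t(working copy)
@@ -1,3 +1,3 @@
 unchanged
-removed line
+added line
"""

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def dash_escape(text: str) -> str:
    """Prefix every line starting with '-' with '- ' (RFC 4880, section 7.1)."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in text.split("\n"))


def dash_unescape(text: str) -> str:
    """Inverse of dash_escape: what a conforming verifier removes after checking."""
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in text.split("\n"))


def clearsign_frame(body: str, armored_sig: str) -> str:
    """Wrap body in a cleartext-signature frame; armored_sig is a placeholder."""
    return "\n".join([BEGIN, "Hash: SHA256", "", dash_escape(body),
                      BEGIN_SIG, "", armored_sig, END_SIG, ""])


def extract_body(framed: str, unescape: bool) -> str:
    """Pull the signed text out of a frame, with or without proper unescaping."""
    lines = framed.split("\n")
    start = lines.index("") + 1          # first blank line ends the Hash: headers
    end = lines.index(BEGIN_SIG)
    body = "\n".join(lines[start:end])
    return dash_unescape(body) if unescape else body


def count_diff_lines(patch: str) -> dict:
    """Count what a patch(1)-style consumer would take as old-file headers and removals."""
    lines = patch.split("\n")
    return {
        "old_file_headers": sum(1 for ln in lines if ln.startswith("--- ")),
        "removals": sum(1 for ln in lines
                        if ln.startswith("-") and not ln.startswith("---")),
    }


def indent_one_space(text: str) -> str:
    """The 'indent the patches one space' option: no line can then start with '-'."""
    return "".join(" " + ln for ln in text.splitlines(True))


def demo() -> None:
    framed = clearsign_frame(SAMPLE_PATCH, "iQEz...PLACEHOLDER...=abcd")
    print("conforming verifier:", count_diff_lines(extract_body(framed, True)))
    print("naive strip of armor:", count_diff_lines(extract_body(framed, False)))
    indented = indent_one_space(SAMPLE_PATCH)
    print("indented patch unchanged by escaping:", dash_escape(indented) == indented)


if __name__ == "__main__":
    demo()
```

A detached signature sidesteps all of this because the signed bytes are never rewritten: the advisory text on the site stays byte-identical to what `patch` or `svn patch` consumes, and the `.asc` file is checked separately. The middle option in the thread corresponds to gpg's `--not-dash-escaped` switch, which produces a frame that other implementations may unescape incorrectly, as the thread notes.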
Re: Sign advisories?
Posted by Branko Čibej <br...@apache.org>.
On 25.10.2016 19:30, Daniel Shahaf wrote:
> When we do a security release, we upload a *.txt advisory to
> https://subversion.apache.org/security/ and link it from the
> announcement. That advisory isn't currently signed. Could we sign
> them?
>
> That'd be useful, since they contain patches. They are already signed
> in the "embargoed pre-notification" emails, IIRC; just not when they're
> uploaded to the site.
Should be moderately easy to do by tweaking tools/dist/advisory.py.
If we do this, I'd argue for making the files ASCII-armored PGP, not
keeping signatures separate.
-- Brane