2:18 a.m.
So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
available at the usual place:
ftp://libvirt.org/libvirt/
While we seems to have the new API in place it's also clear that there
is a bunch of patches still waiting, either related to the new APIs
or blocked by lack of review. Please try to prioritize filling up API
implementations, and bug fixes for the reviews but I think we need to be
open about incremental improvements when they are very specific and
allow them in !
I will try to release by Tuesday 2nd Sep, as I will be on the road
next week after that time. However the good point of that monthly cycle
is that if you get the ACKs needed even if that's not in 1.2.8 that will
be in for 1.2.9 next month, in time for KVM Forum :-)
Please give a try to the current version, I'm a limited capacity
to test it this time,
thanks !
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
2:14 a.m.
On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard
<veillard(a)redhat.com> wrote:
> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
Can you please sign the tarball too?
Well, the source rpm is signed, you can check it and it contains the
tarball, so technically there is already a signed source out there.
Signing a tarballl means putting out an additional file and keeping
it forever, I could do that but hum ....
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
2:25 a.m.
Am 28.08.2014 09:14, schrieb Daniel Veillard:
On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard(a)redhat.com> wrote:
>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>
> Can you please sign the tarball too?
Well, the source rpm is signed, you can check it and it contains the
tarball, so technically there is already a signed source out there.
Signing a tarballl means putting out an additional file and keeping
it forever, I could do that but hum ....
So everyone how wants to build libvirt from source and cares about data
integrity has to unpack/verify the rpm?
Come on... :-)
Signing tarballs is nothing new nor rocket science.
In times where the NSA tries to f*ck everyone at least some basic
cryptographic arrangements should be applied.
I know other projects are sloppy regarding signed releases too, this does
not mean that libvirt should follow their bad example.
Thanks,
//richard
3:11 a.m.
On Thu, Aug 28, 2014 at 09:25:22AM +0200, Richard Weinberger wrote:
Am 28.08.2014 09:14, schrieb Daniel Veillard:
> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard(a)redhat.com>
wrote:
>>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>>
>> Can you please sign the tarball too?
>
> Well, the source rpm is signed, you can check it and it contains the
> tarball, so technically there is already a signed source out there.
> Signing a tarballl means putting out an additional file and keeping
> it forever, I could do that but hum ....
So everyone how wants to build libvirt from source and cares about data
integrity has to unpack/verify the rpm?
Assuming you already loaded my key with rpm --import from what I make
available on http://veillard.com/
one download, and 2 automated rpm commands
wget ftp://libvirt.org/libvirt/libvirt-x.y.x-1.*.src.rpm
even if you got DNS poisoning here, the following step would fail
that key wasn't
rpm -K libvirt-x.y.x-1.*.src.rpm
rpm -i libvirt-x.y.x-1.*.src.rpm
use the tar.gz in confidence
Signing tarballs is nothing new nor rocket science.
In times where the NSA tries to f*ck everyone at least some basic
cryptographic arrangements should be applied.
Give me a mechanism where one can do that checking as fast and in
a completely automated way and I implement it :-)
I know other projects are sloppy regarding signed releases too, this
does
not mean that libvirt should follow their bad example.
I have not been sloppy, I have signed all the sources rpms from day 0
I also sign the corresponing git commits. The main issue is having a
clear, simple and failure proof process of checking a chunk of data
produced by the release. rpm has provided that for 15+ years. All the
alternatives I know require some human checking either by comparing
long strings of data or else.
Come on... :-)
I would return that TBH, come on people didn't provide something
completely automatable and human error proof to do this outside of
rpm. I'm willing to be educated if it's there, and add this to my
own process.
I'm serious, I'm ready to add extra steps if I believe they are
automatable and human-error proof ! Show me the way :-)
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
5:03 a.m.
On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard
<veillard(a)redhat.com> wrote:
> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
Can you please sign the tarball too?
Okay, I went the simplest route of creating an asc for the tarball,
my key is on the mit server:
user: "Daniel Veillard (Red Hat work email) <veillard(a)redhat.com>"
1024-bit DSA key, ID DE95BC1F, created 2000-05-31
I also added asc for the latest 1.2.x releases along the tarballs,
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
4:13 a.m.
Am 29.08.2014 12:03, schrieb Daniel Veillard:
On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard(a)redhat.com> wrote:
>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>
> Can you please sign the tarball too?
Okay, I went the simplest route of creating an asc for the tarball,
my key is on the mit server:
user: "Daniel Veillard (Red Hat work email) <veillard(a)redhat.com>"
1024-bit DSA key, ID DE95BC1F, created 2000-05-31
I also added asc for the latest 1.2.x releases along the tarballs,
Sorry for the late response.
Thanks a lot for doing so, I really appreciate that. :)
Thanks,
//richard
7:28 a.m.
On Fri, Aug 29, 2014 at 12:03:24PM +0200, Daniel Veillard wrote:
On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard(a)redhat.com> wrote:
> > So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>
> Can you please sign the tarball too?
Okay, I went the simplest route of creating an asc for the tarball,
my key is on the mit server:
user: "Daniel Veillard (Red Hat work email) <veillard(a)redhat.com>"
1024-bit DSA key, ID DE95BC1F, created 2000-05-31
I also added asc for the latest 1.2.x releases along the tarballs,
Awesome. Thanks for the signatures, that saves some extra steps here.
Cheers,
-- Guido
8:19 a.m.
New subject: [libvirt] Availability of release candidate 2 for libvirt-1.2.8
Also tagged, with signed tarball and rpms ;-) at the usual place:
ftp://libvirt.org/libvirt/
there were quite a lot of small changes since rc1, so please give it
some testing, also for portability to other systems/OSes.
If everything goes well I will push the final 1.2.8 on Tuesday morning
thanks!
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
3730
days inactive
3739
days old
8 comments
4 participants
participants (4)
-
Daniel Veillard -
Guido Günther -
Richard Weinberger -
Richard Weinberger