[libvirt] Entering freeze for libvirt-1.2.8

So I tagged 1.2.8-rc1 in git and made tarball and signed rpms available at the usual place:

  ftp://libvirt.org/libvirt/

While we seem to have the new API in place it's also clear that there is a bunch of patches still waiting, either related to the new APIs or blocked by lack of review. Please try to prioritize filling up API implementations, and bug fixes for the reviews but I think we need to be open about incremental improvements when they are very specific and allow them in!

I will try to release by Tuesday 2nd Sep, as I will be on the road next week after that time. However the good point of that monthly cycle is that if you get the ACKs needed even if that's not in 1.2.8 that will be in for 1.2.9 next month, in time for KVM Forum :-)

Please give a try to the current version, I have limited capacity to test it this time,

thanks!

Daniel

-- 
Daniel Veillard      | Open Source and Standards, Red Hat
veillard@redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/

On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@redhat.com> wrote:
>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>
> Can you please sign the tarball too?

Well, the source rpm is signed, you can check it and it contains the tarball, so technically there is already a signed source out there. Signing a tarball means putting out an additional file and keeping it forever, I could do that but hum ....

Daniel

On 28.08.2014 09:14, Daniel Veillard wrote:
> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@redhat.com> wrote:
>>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>>
>> Can you please sign the tarball too?
>
> Well, the source rpm is signed, you can check it and it contains the tarball, so technically there is already a signed source out there. Signing a tarball means putting out an additional file and keeping it forever, I could do that but hum ....

So everyone who wants to build libvirt from source and cares about data integrity has to unpack/verify the rpm?

Come on... :-)

Signing tarballs is nothing new nor rocket science. In times where the NSA tries to f*ck everyone at least some basic cryptographic arrangements should be applied.

I know other projects are sloppy regarding signed releases too, this does not mean that libvirt should follow their bad example.

Thanks,
//richard

On Thu, Aug 28, 2014 at 09:25:22AM +0200, Richard Weinberger wrote:
> On 28.08.2014 09:14, Daniel Veillard wrote:
>> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@redhat.com> wrote:
>>>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>>>
>>> Can you please sign the tarball too?
>>
>> Well, the source rpm is signed, you can check it and it contains the tarball, so technically there is already a signed source out there. Signing a tarball means putting out an additional file and keeping it forever, I could do that but hum ....
>
> So everyone who wants to build libvirt from source and cares about data integrity has to unpack/verify the rpm?

Assuming you already loaded my key with rpm --import from what I make available on http://veillard.com/ one download, and 2 automated rpm commands

  wget ftp://libvirt.org/libvirt/libvirt-x.y.x-1.*.src.rpm
     even if you got DNS poisoning here, the following step would fail that key wasn't
  rpm -K libvirt-x.y.x-1.*.src.rpm
  rpm -i libvirt-x.y.x-1.*.src.rpm

use the tar.gz in confidence

> Signing tarballs is nothing new nor rocket science. In times where the NSA tries to f*ck everyone at least some basic cryptographic arrangements should be applied.

Give me a mechanism where one can do that checking as fast and in a completely automated way and I implement it :-)

> I know other projects are sloppy regarding signed releases too, this does not mean that libvirt should follow their bad example.

I have not been sloppy, I have signed all the source rpms from day 0. I also sign the corresponding git commits. The main issue is having a clear, simple and failure proof process of checking a chunk of data produced by the release. rpm has provided that for 15+ years. All the alternatives I know require some human checking either by comparing long strings of data or else.

> Come on... :-)

I would return that TBH, come on people didn't provide something completely automatable and human error proof to do this outside of rpm. I'm willing to be educated if it's there, and add this to my own process.

I'm serious, I'm ready to add extra steps if I believe they are automatable and human-error proof! Show me the way :-)

Daniel

On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@redhat.com> wrote:
>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>
> Can you please sign the tarball too?

Okay, I went the simplest route of creating an asc for the tarball, my key is on the mit server:

  user: "Daniel Veillard (Red Hat work email) <veillard@redhat.com>"
  1024-bit DSA key, ID DE95BC1F, created 2000-05-31

I also added asc for the latest 1.2.x releases along the tarballs,

Daniel
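
An added example (not from any poster in this thread or from the libvirt project) of the automated check asked for earlier: accept a tarball's detached .asc only when gpgv's machine-readable status output reports exactly one valid signature from a pinned full fingerprint, since a short ID such as the 8-hex-digit one quoted above is not unique enough to pin on. The fingerprints and status lines are constructed placeholders, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Constructed placeholder, NOT the real libvirt release key fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# status_ok FINGERPRINT < gpg-status-lines
# Succeeds only if exactly one VALIDSIG line names the pinned primary-key
# fingerprint and no bad/error/expired/revoked signature is reported.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            n++
            fpr = (NF >= 12) ? $12 : $3   # primary-key fpr if present
            if (fpr == want) ok++; else bad = 1
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        END { exit !(ok == 1 && n == 1 && !bad) }
    '
}

# verify_release KEYRING TARBALL   (expects TARBALL.asc beside the tarball)
# KEYRING is a file holding only the release key; gpgv treats every key in
# it as trusted, so nothing else belongs there. Fails closed: if gpgv is
# missing or errors out, no VALIDSIG line appears and status_ok rejects.
verify_release() {
    gpgv --keyring "$1" --status-fd 1 "$2.asc" "$2" 2>/dev/null |
        status_ok "$PINNED_FPR"
}

# Constructed status output: a valid signature from the pinned key ...
GOOD_STATUS='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-08-29 1409306604 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
# ... and a cryptographically valid signature from some other key.
OTHER_KEY_STATUS='[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-08-29 1409306604 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

for s in "$GOOD_STATUS" "$OTHER_KEY_STATUS"; do
    if printf '%s\n' "$s" | status_ok "$PINNED_FPR"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```

In a build script the call would be `verify_release ./release-key.gpg libvirt-x.y.z.tar.gz || exit 1`, with the keyring path and file name chosen by the builder.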

On 29.08.2014 12:03, Daniel Veillard wrote:
> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@redhat.com> wrote:
>>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>>
>> Can you please sign the tarball too?
>
> Okay, I went the simplest route of creating an asc for the tarball, my key is on the mit server:
>
>   user: "Daniel Veillard (Red Hat work email) <veillard@redhat.com>"
>   1024-bit DSA key, ID DE95BC1F, created 2000-05-31
>
> I also added asc for the latest 1.2.x releases along the tarballs,

Sorry for the late response. Thanks a lot for doing so, I really appreciate that. :)

Thanks,
//richard

On Fri, Aug 29, 2014 at 12:03:24PM +0200, Daniel Veillard wrote:
> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@redhat.com> wrote:
>>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>>
>> Can you please sign the tarball too?
>
> Okay, I went the simplest route of creating an asc for the tarball, my key is on the mit server:
>
>   user: "Daniel Veillard (Red Hat work email) <veillard@redhat.com>"
>   1024-bit DSA key, ID DE95BC1F, created 2000-05-31
>
> I also added asc for the latest 1.2.x releases along the tarballs,

Awesome. Thanks for the signatures, that saves some extra steps here.

Cheers,
 -- Guido

Also tagged, with signed tarball and rpms ;-) at the usual place:

  ftp://libvirt.org/libvirt/

there were quite a lot of small changes since rc1, so please give it some testing, also for portability to other systems/OSes.

If everything goes well I will push the final 1.2.8 on Tuesday morning

thanks!

Daniel