On Sat, Mar 30, 2024 at 02:31:54PM -0300, James Almer wrote: > On 3/30/2024 2:30 PM, Michael Niedermayer wrote: > > On Sat, Mar 30, 2024 at 11:51:17AM -0300, James Almer wrote: > > > On 3/30/2024 11:02 AM, Michael Niedermayer wrote: > > > > Iam not 100% sure this is the best place to put this. But we should > > > > somewhere > > > > describe what differences are expected > > > > > > > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > > > --- > > > > src/download | 34 ++++++++++++++++++++++++++++++++++ > > > > 1 file changed, 34 insertions(+) > > > > > > > > diff --git a/src/download b/src/download > > > > index 0e6fa7e..34733de 100644 > > > > --- a/src/download > > > > +++ b/src/download > > > > @@ -284,6 +284,40 @@ gpg: using RSA key > > > > FCF986EA15E6E293A5644F10B4322F04D67658D8 > > > > gpg: issuer "ffmpeg-devel@ffmpeg.org" > > > > gpg: Good signature from "FFmpeg release signing key > > > > <ffmpeg-devel@ffmpeg.org>" [full]</pre> > > > > </li> > > > > + <li> > > > > + Verify that the release tarball matches the git tag: (expected > > > > differences are missing .git, .gitignore and .gitattributes and an > > > > additional VERSION file) > > > > + <pre> > > > > + $ diff -ru ffmpeg-5.1.4 gitdir2 > > > > +Only in gitdir2/doc/doxy: .gitignore > > > > +Only in gitdir2/doc/examples: .gitignore > > > > +Only in gitdir2/doc: .gitignore > > > > +Only in gitdir2/ffbuild: .gitignore > > > > +Only in gitdir2: .git > > > > +Only in gitdir2: .gitattributes > > > > +Only in gitdir2: .gitignore > > > > +Only in gitdir2/libavcodec: .gitignore > > > > +Only in gitdir2/libavcodec/tests: .gitignore > > > > +Only in gitdir2/libavdevice: .gitignore > > > > +Only in gitdir2/libavdevice/tests: .gitignore > > > > +Only in gitdir2/libavfilter: .gitignore > > > > +Only in gitdir2/libavfilter/opencl: .gitignore > > > > +Only in gitdir2/libavfilter/tests: .gitignore > > > > +Only in gitdir2/libavformat: .gitignore > > > > +Only in gitdir2/libavformat/tests: .gitignore > > > > +Only in gitdir2/libavutil: .gitignore > > > > +Only in gitdir2/libavutil/tests: .gitignore > > > > +Only in gitdir2/libswresample/tests: .gitignore > > > > +Only in gitdir2/libswscale/tests: .gitignore > > > > +Only in gitdir2/tests/api: .gitignore > > > > +Only in gitdir2/tests/checkasm: .gitignore > > > > +Only in gitdir2/tests: .gitignore > > > > +Only in gitdir2/tools: .gitignore > > > > +Only in ffmpeg-5.1.4: VERSION > > > > + </pre> > > > > + </li> > > > > + <li> > > > > + Verify that the tag in git is signed > > > > > > The tags are signed with your key made for this purpose, > > > DD1EC9E8DE085C629B3E1846B18E8928B3948D64, and not with the tarball one > > > listed above. You should include it here the same way, unless the > > > signature > > > > yes but before doing that, do you think this is the best place to put all > > this? > > Sure, why would it not? It's the section where we explain how to verify > releases.
The verification ends with the tarball signature being verified. Checking the difference between 2 mirrors, or git vs. tarball is not verifying if the user obtained a unmodified copy of a release. It would check for a subset of variants of compromises on the FFmpeg side. I think we should publish somewhere how the difference between git and tarball should look. But iam not sure anything is achieved by asking everyone to download things twice and compare them. Maybe the security page is a better place ? thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Some people wanted to paint the bikeshed green, some blue and some pink. People argued and fought, when they finally agreed, only rust was left.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
