On Thu, Sep 30, 2021 at 03:57:49PM +0000, Eldon Stegall wrote: > Hello! > I'd be happy to help with this. I'm mostly a consumer of QEMU, but > greatly appreciate all the work this community has done, and was able > to contribute a little by helping with QEMU advent this past year. I > would be happy to help streamline some of this activities if that would > be welcome, and would gratefully contribute time and resources. Hosting > and serving data like this has been core to my recent experience. > > I would be happy to suggest and build out a distribution strategy for > these packages, and believe I could cut some costs, and even convince a > small consultancy I am a part of here that uses QEMU to foot a > reasonable bill. > > A brief introduction, since I haven't had the pleasure of attending > FOSDEM or any other QEMU meetups: I am a startup-oriented Cloud Security > Architect, based out of Atlanta, previously with companies like > DataStax, but now working on AWS video pipelines for a startup here.
Thanks for joining the discussion and for running last year's QEMU Advent Calendar, Eldon. Any ideas for moving download.qemu.org to a hosted service would be appreciated! We haven't compared CDN and cloud providers closely yet. If you have experience in this area or time to check them out, then that would be valuable. QEMU has funds if there is a cost for file hosting (probably less than $100/month). Some providers may be willing to support an open source project for free. Possible providers include CloudFlare, Akamai, Fastly, Microsoft Azure, Google Cloud Storage, etc. We need to keep the security of QEMU releases in mind. Mike Roth signs and publishes releases. Whoever facilitates or hosts the files should not be able to modify the files after Mike has blessed them. One way to do this is to keep hosting the .sig files on download.qemu.org and to redirect the actual tarballs to a file hosting provider. A way to securely publish files without hosting anything on qemu.org would be even better though (maybe it's enough to publish signatures on the static GitLab Pages website). Stefan
signature.asc
Description: PGP signature
