On Mon, Mar 31, 2025 at 01:39:57PM +0200, Vitaly Zaitsev via devel wrote:
> On 31/03/2025 12:53, Zbigniew Jędrzejewski-Szmek wrote:
> > This is inspired by the discussion in the "Reproducible Builds" mailing list,
> > in particular [1].
>
> But auto-generated Git archives are not reproducible.
The gi
On Mon, Mar 31, 2025 at 10:48:59AM -0500, Michael Catanzaro wrote:
> On Mon, Mar 31 2025 at 10:53:54 AM +00:00:00, Zbigniew Jędrzejewski-Szmek
> wrote:
> > This is only "SHOULD", because sometimes the git tarball is too large
> > or has other deficiencies. Another reason is that the "upstream
> >
On 2025/03/31 13:32, Leigh Scott wrote:
Using github/gitlab sources is a non-starter IMO as they rarely include the
submodules.
In the case of submodules I have had good experience using `%forgemeta`.
From a package that I am working on, I can share the simple skeleton of
how it looks
On Mon, Mar 31, 2025 at 02:35:07PM +, Tim Landscheidt wrote:
> Daniel P. Berrangé wrote:
>
> >> Let me also mention the case where we have to clean sources (proprietary
> >> material) before committing to the look-aside cache. We should document
> >> how to do so in spec.
>
> >> Ideally, one
On Mon, Mar 31, 2025 at 01:24:06PM +0200, Alexander Sosedkin wrote:
> On Mon, Mar 31, 2025 at 12:56 PM Zbigniew Jędrzejewski-Szmek
> Just one question: how would you make those git forges output stable archives?
> GitHub itself explicitly says they won't and you shouldn't do that [2].
Heh, I follo
On Mon, Mar 31, 2025 at 10:53:54AM +, Zbigniew Jędrzejewski-Szmek wrote:
> tl;dr: change the Packaging Guidelines to recommend the raw "git
> archive" or equivalent over the upstream tarball produced using
> "make dist".
>
> This is inspired by the discussion in "Reproducible Builds" mailin
I am very much in favor of continuing to improve reproducibility and
auditability in general. However, as a general response to this discussion, I’d
like to caution against writing new policies that implicitly rely on any of the
following falsehoods:
- All upstreams use some kind of forge, with
On Mon, Mar 31, 2025 at 9:31 PM Zbigniew Jędrzejewski-Szmek
wrote:
>
> On Mon, Mar 31, 2025 at 01:24:06PM +0200, Alexander Sosedkin wrote:
> > On Mon, Mar 31, 2025 at 12:56 PM Zbigniew Jędrzejewski-Szmek
> > Just one question: how would you make those git forges output stable
> > archives?
> > Gi
Some static security tooling that restricts the use of binary files
during the build, check, and install can help here as an alternative to
git archive to mitigate xz-style attacks (e.g., no use of binary files
during the build is allowed, and they can only be copied during the install as
long as they a
On Tue, Apr 1, 2025 at 12:23 PM Daniel P. Berrangé wrote:
>
> On Tue, Apr 01, 2025 at 10:49:59AM +0200, Alexander Sosedkin wrote:
> > On Mon, Mar 31, 2025 at 9:31 PM Zbigniew Jędrzejewski-Szmek
> > wrote:
> > >
> > > On Mon, Mar 31, 2025 at 01:24:06PM +0200, Alexander Sosedkin wrote:
> > > > On M
On Tue, Apr 01, 2025 at 10:49:59AM +0200, Alexander Sosedkin wrote:
> On Mon, Mar 31, 2025 at 9:31 PM Zbigniew Jędrzejewski-Szmek
> wrote:
> >
> > On Mon, Mar 31, 2025 at 01:24:06PM +0200, Alexander Sosedkin wrote:
> > > On Mon, Mar 31, 2025 at 12:56 PM Zbigniew Jędrzejewski-Szmek
> > > Just one q
On Mon, Mar 31, 2025 at 07:59:50PM +, Zbigniew Jędrzejewski-Szmek wrote:
> To expand on this one: it is true that the untrustworthy maintainer
> would have been able to add files to git too. But it is also true that
> people may pay much closer attention to the git commits than to the tarball.
In
Michael Catanzaro wrote on 2025-03-31 23:37:42:
> On Mon, Mar 31 2025 at 08:09:49 PM +00:00:00, Zbigniew
> Jędrzejewski-Szmek wrote:
> > OK, I guess I need to work on my English. You're the second person who
> > read the above-quoted part in the exact opposite way to what I
> > intende
On Mon, Mar 31 2025 at 08:09:49 PM +00:00:00, Zbigniew
Jędrzejewski-Szmek wrote:
OK, I guess I need to work on my English. You're the second person who
read the above-quoted part in the exact opposite way to what I
intended :(
Hm, well I misread. You didn't write the wrong thing.
But honestly
On Mon, Mar 31, 2025 at 01:39:57PM +0200, Vitaly Zaitsev via devel wrote:
> On 31/03/2025 12:53, Zbigniew Jędrzejewski-Szmek wrote:
> > This is inspired by the discussion in the "Reproducible Builds" mailing list,
> > in particular [1].
>
> But auto-generated Git archives are not reproducible. GitHub
On Mon, Mar 31, 2025 at 01:14:42PM +0200, Michael J Gruber wrote:
> > This is only "SHOULD", because sometimes the git tarball is too large
> > or has other deficiencies. Another reason is that the "upstream
> > tarball" may be signed, and that'd be preferred to the unsigned "raw"
> > archive. But
On Mon, Mar 31, 2025 at 12:35:39PM +0100, Daniel P. Berrangé wrote:
> On Mon, Mar 31, 2025 at 01:14:42PM +0200, Michael J Gruber wrote:
>
> > Let me also mention the case where we have to clean sources (proprietary
> > material) before committing to the look-aside cache. We should document
> > how
On Mon, Mar 31 2025 at 10:53:54 AM +00:00:00, Zbigniew
Jędrzejewski-Szmek wrote:
This is only "SHOULD", because sometimes the git tarball is too large
or has other deficiencies. Another reason is that the "upstream
tarball" may be signed, and that'd be preferred to the unsigned "raw"
archive. B
On Mon, Mar 31, 2025 at 2:04 PM Daniel P. Berrangé wrote:
>
> On Mon, Mar 31, 2025 at 01:39:57PM +0200, Vitaly Zaitsev via devel wrote:
> > On 31/03/2025 12:53, Zbigniew Jędrzejewski-Szmek wrote:
> > > This is inspired by the discussion in the "Reproducible Builds" mailing list,
> > > in particular [1
Daniel P. Berrangé wrote:
>> Let me also mention the case where we have to clean sources (proprietary
>> material) before committing to the look-aside cache. We should document
>> how to do so in spec.
>> Ideally, one could:
>> - get original sources
>> - check upstream's signature
>> - apply th
On 31/03/2025 13:44, Cristian Le via devel wrote:
In the case of submodules I have had good experience using `%forgemeta`.
You'll still have to manually track all those submodule commits.
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
Zbigniew Jędrzejewski-Szmek wrote on 2025-03-31 12:53:54:
> tl;dr: change the Packaging Guidelines to recommend the raw "git
> archive" or equivalent over the upstream tarball produced using
> "make dist".
>
> This is inspired by the discussion in the "Reproducible Builds" mailing list,
> i
Ralf Corsépius wrote on 2025-03-31 13:14:16:
>
>
> On 31.03.25 at 12:53 PM, Zbigniew Jędrzejewski-Szmek wrote:
> > tl;dr: change the Packaging Guidelines to recommend the raw "git
> > archive" or equivalent over the upstream tarball produced using
> > "make dist".
> I could not disagr
On 31/03/2025 12:53, Zbigniew Jędrzejewski-Szmek wrote:
This is inspired by the discussion in the "Reproducible Builds" mailing list,
in particular [1].
But auto-generated Git archives are not reproducible. GitHub uses a
dirty hack: on the first download, it caches the tarball on their
resource s
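As an added example for this part of the thread (not code from Fedora, from any of the list participants, or from any upstream project): it ties together the reproducibility question about auto-generated archives, Zbigniew's point that files present only in the tarball get less scrutiny than git commits, and the suggestion of tooling that flags binary files in the build. The script builds a byte-for-byte reproducible tarball from a constructed file set (sorted entries, pinned tar metadata, gzip header timestamp 0), then audits a "make dist"-style tarball against the git-tracked file list and reports dist-only files, calling out binary ones with git's NUL-byte heuristic. Every file name and content below is made up for the demonstration.

```python
"""Added example for the thread above (not Fedora's or any upstream's code).

1. build_reproducible_tarball(): a "git archive"-like tarball whose bytes are
   identical on every run (sorted entries, fixed metadata, gzip mtime 0).
2. audit_tarball(): diff an archive's file list against the git-tracked set
   and flag dist-only files, especially binary ones.
"""
from __future__ import annotations

import gzip
import hashlib
import io
import posixpath
import tarfile

# Constructed sample project "foo 1.2.3"; every name and content below is made up.
GIT_TRACKED = {
    "configure.ac": b"AC_INIT([foo], [1.2.3])\n",
    "Makefile.am": b"bin_PROGRAMS = foo\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/ax_check_foo.m4": b"dnl harmless, in git\n",
    "tests/data/expected.txt": b"ok\n",
}

# What a "make dist" tarball might add on top of the git tree (constructed).
DIST_ONLY = {
    "m4/dist-only.m4": b"dnl generated at dist time, never committed\n",
    "tests/data/blob.bin": bytes(range(256)),  # contains NUL bytes -> binary
}


def build_reproducible_tarball(files: dict[str, bytes], topdir: str = "foo-1.2.3") -> bytes:
    """Pack files under topdir/ with fully pinned metadata, then gzip with mtime=0."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):  # stable order, independent of dict or filesystem order
            data = files[name]
            info = tarfile.TarInfo(f"{topdir}/{name}")
            info.size = len(data)
            info.mtime = 0          # git archive uses the commit time; 0 is enough here
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # gzip stores a timestamp in its header; pin it or two runs differ in bytes.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_binary(data: bytes, probe: int = 8000) -> bool:
    """Same heuristic git uses: a NUL byte in the first 8000 bytes means binary."""
    return b"\0" in data[:probe]


def tarball_members(tar_bytes: bytes) -> dict[str, bytes]:
    """Return {path-without-topdir: content} for regular files, rejecting unsafe paths."""
    members: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for info in tar.getmembers():
            path = posixpath.normpath(info.name)
            if path.startswith("/") or path == ".." or path.startswith("../"):
                raise ValueError(f"unsafe member path: {info.name!r}")
            if not info.isfile():
                continue  # directories, symlinks and devices are not audited here
            _top, _, rel = path.partition("/")  # drop the foo-1.2.3/ prefix
            if rel:
                members[rel] = tar.extractfile(info).read()
    return members


def audit_tarball(tar_bytes: bytes, git_tracked: set[str]) -> dict[str, list[str]]:
    """Files only in the tarball (and which of those are binary), and files only in git."""
    members = tarball_members(tar_bytes)
    extra = sorted(set(members) - git_tracked)
    return {
        "dist_only": extra,
        "dist_only_binary": [p for p in extra if is_binary(members[p])],
        "git_only": sorted(git_tracked - set(members)),
    }


if __name__ == "__main__":
    git_tar = build_reproducible_tarball(GIT_TRACKED)
    dist_tar = build_reproducible_tarball({**GIT_TRACKED, **DIST_ONLY})
    print("git-archive-style sha256:", sha256_hex(git_tar))
    print("same bytes on rebuild:", git_tar == build_reproducible_tarball(GIT_TRACKED))
    print("dist tarball audit:", audit_tarball(dist_tar, set(GIT_TRACKED)))
```

Run it as a script to see the stable digest and the audit report. In a real check the git-tracked set would come from `git ls-files` at the release tag and the tarball from the look-aside cache; a non-empty `dist_only_binary` list is the case that deserves a human look before the archive is accepted. The path check exists because this code reads members without extracting them, so it gets no help from tarfile's extraction filters.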
On 31/03/2025 13:32, Leigh Scott wrote:
Using github/gitlab sources is a non-starter IMO as they rarely include the
submodules.
They never include submodules.
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
Using github/gitlab sources is a non-starter IMO as they rarely include the
submodules.
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fe
On Mon, Mar 31, 2025 at 01:14:42PM +0200, Michael J Gruber wrote:
> Let me also mention the case where we have to clean sources (proprietary
> material) before committing to the look-aside cache. We should document
> how to do so in spec.
>
> Ideally, one could:
> - get original sources
> - check
On Mon, Mar 31, 2025 at 12:56 PM Zbigniew Jędrzejewski-Szmek
wrote:
>
> tl;dr: change the Packaging Guidelines to recommend the raw "git
> archive" or equivalent over the upstream tarball produced using
> "make dist".
>
> This is inspired by the discussion in the "Reproducible Builds" mailing list,
>
On 31.03.25 at 12:53 PM, Zbigniew Jędrzejewski-Szmek wrote:
tl;dr: change the Packaging Guidelines to recommend the raw "git
archive" or equivalent over the upstream tarball produced using
"make dist".
I could not disagree more.
This is inspired by the discussion in "Reproducible Builds" ma