Archive detached signature #129
Comments
I'd suggest using Github. I'm not keen on continuing to maintain the RADVD
website and I'd like to replace it with a message to get all future updates
from Github.
On Wed, Nov 4, 2020 at 12:21 AM Vladimir Lomov wrote:
Hello,
versions prior to 2.19 have detached signatures (.asc) but 2.19 doesn't
have one. Is it on purpose? Should I use github git repo as verified source
of radvd?
Hello. Yes, I already use the source from GitHub (I'm using Arch Linux and have updated the PKGBUILD to build the new radvd fetching the source from GitHub). Maybe it is worth signing tags then? Right now I don't use such a feature, but I think it would be a valuable thing to have. And a small nitpick: the "Release" part of the "main" page on GitHub leads to a "Release" page that doesn't list the latest release; I see it only on the "Tag" page.
@reubenhwk I understand that you do not want to maintain the website, however would it be possible to gpg sign your git tags or upload detached signatures to the git releases?
You can put that in a Makefile/script and use some variables. It would be super awesome if you can keep signing releases; this is an important part of supply chain security, authenticating the legitimacy of a release from you, the author.
I think it is needed to have a perfect 2.20 soon.
With a perfect announcement at the same time:
@reubenhwk: There is a big problem for Debian 11, the freeze is soon (2021-01-12). Can you solve it with a 2.20 now? The 2.19 is not here: https://tracker.debian.org/pkg/radvd It is linked to: Thanks in advance.
@vp1981 @anthraxx @stappersg: @reubenhwk has generated signatures:
Unfortunately these signatures have been made with an RSA key
The previous releases have been signed with RSA key So as of right now, these signatures aren't helping at all.
@anthraxx expressed it already very well earlier:
I think #135 is both problem and solution.
@reubenhwk has generated signatures and it is the last 2.19 from him. @reubenhwk, can you look at the problem with the signatures mentioned before? The radvd repositories have been moved from:
Thanks in advance.
Currently, the original website is still there; files and signatures are on it too:
@vp1981 @anthraxx @foxxx0, @stappersg: @robbat2 has done new signatures:
Thanks, but in order to keep the trust chain intact, we still need a gpg-signed statement from @reubenhwk (with Otherwise having the releases signed with a different "untrusted" (no offense) gpg key doesn't really mean anything.
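The point raised above is that a signature which is cryptographically "good" proves nothing unless the signing key is one you already trust. The following added example (not code from the radvd project or any participant here) shows how a packager can verify a detached `.asc` signature while pinning the accepted key by full fingerprint, so a release signed with a different, unpinned key is rejected instead of being waved through on a "Good signature" line. The pinned fingerprint is the one the thread settles on; the gpg status lines used as sample input are constructed for this example.

```python
"""Verify a detached release signature and pin the signer's fingerprint."""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Fingerprint the thread ends up trusting for radvd release signatures.
TRUSTED_FINGERPRINTS: Set[str] = {"7D0B3CEBE9B85B1F825BCECFEE05E6F6A48F6136"}

@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None

def evaluate_status(status_lines: Iterable[str], trusted: Set[str] = TRUSTED_FINGERPRINTS) -> VerifyResult:
    """Decide from gpg --status-fd output whether a detached signature is acceptable.

    A good signature from a key that is not pinned is rejected: that is the
    'signed with a different, untrusted key' situation discussed in the thread.
    """
    fingerprint = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "BADSIG":
            return VerifyResult(False, "signature does not match the file")
        if keyword == "NO_PUBKEY":
            return VerifyResult(False, f"signing key {fields[2]} is not in the keyring")
        if keyword == "VALIDSIG":
            # VALIDSIG: <sig fpr> <date> <ts> <exp> <ver> <rsvd> <pk-algo> <hash> <class> [<primary fpr>]
            # Pin on the primary-key fingerprint when gpg reports it, else on the signing key.
            fingerprint = (fields[-1] if len(fields) >= 12 else fields[2]).upper()
    if fingerprint is None:
        return VerifyResult(False, "no valid signature found")
    if fingerprint not in trusted:
        return VerifyResult(False, "valid signature, but the key is not pinned", fingerprint)
    return VerifyResult(True, "signature from pinned key", fingerprint)

def verify_detached(tarball: str, sig_path: str, trusted: Set[str] = TRUSTED_FINGERPRINTS) -> VerifyResult:
    """Run gpg on a real tarball/.asc pair and feed its machine-readable status output to evaluate_status."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, tarball],
                          capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), trusted)

# Constructed sample status output: one release signed by the pinned key, one by an unpinned key.
SAMPLE_PINNED = ["[GNUPG:] NEWSIG", "[GNUPG:] GOODSIG EE05E6F6A48F6136 Robin H. Johnson",
    "[GNUPG:] VALIDSIG 7D0B3CEBE9B85B1F825BCECFEE05E6F6A48F6136 2021-01-22 1611333600 0 4 0 1 10 00 7D0B3CEBE9B85B1F825BCECFEE05E6F6A48F6136"]
SAMPLE_UNPINNED = ["[GNUPG:] NEWSIG", "[GNUPG:] GOODSIG 0000000000000001 Some Other Key (constructed)",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2021-01-22 1611333600 0 4 0 1 10 00 0000000000000000000000000000000000000001"]
```

Pinning this way is what the Arch PKGBUILD `validpgpkeys` array does implicitly; the explicit check matters wherever a plain `gpg --verify` exit status would otherwise be trusted.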
@foxxx0 Reuben's old key is no longer available. Reuben does have a new key, but there's no meaningful handover message possible since Reuben lost their old key. From my newer key 0xEE05E6F6A48F6136, you can see transitive signatures to my older key 0xEE05E6F6A48F6136, and then onto the main kernel WoT. I'll also point out that there was also no chain of trust between Reuben's older key 0x411FA8C112D91A31:
On Fri, Jan 22, 2021 at 10:49:40AM -0800, Robin H. Johnson wrote:
... chain of trust ...
Each chain has to start with a first link
A question for both @foxxx0 @stappersg: Once we've got most of this sorted out, including getting more willing developers into the GitHub organization, so they can provide meaningful reviews of code, I would like to move the
Solved by @robbat2.
One hour ago, @reubenhwk has done a comment here: #135 (comment). @stappersg: Can you now update radvd in Debian? @foxxx0: Can you now update radvd in Arch Linux? Thanks in advance.
radvd-project/radvd-project.github.io@6e3e5f7 Where to get the pubkey it was done with?
@stappersg: It is here:
I have added links in index.html:
The upstream project has been handed over from reubenhwk to robbat2. Unfortunately reubenhwk has lost his gpg key previously used for release signing and thus the "official" handover process is only documented here: radvd-project/radvd#129 radvd-project/radvd#138 From now on the releases will be signed by robbat2 with 7D0B3CEBE9B85B1F825BCECFEE05E6F6A48F6136. While this handover process has been rather unfortunate, especially with respect to reubenhwk losing his gpg key, we have investigated the code changes and some of robbat2's previous contributions to the radvd project and seem as confident as can be that there was no malicious intent and are now considering 7D0B3CEBE9B85B1F825BCECFEE05E6F6A48F6136 as trustworthy for release signatures. git-svn-id: file:///srv/repos/svn-community/svn@884281 9fca08f4-af9d-4005-b8df-a31f2cc04f65
Hello,
Versions prior to 2.19 have detached signatures (.asc) but 2.19 doesn't have one. Is it on purpose? Should I use the GitHub git repo as the verified source of radvd?