New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
signing releases #94
Comments
Awesome. The pypi tarballs do include (detached |
no. i just need to fix my watch file and import your key. :) i do not have a direct trust path to your key, unfortunately. for now I will just trust that this is the correct key fingerprint? by the way, the tarball from pypi differs from the one here on github, is that normal? note that I often prefer the github tarballs as they are built reproducibly, with git: given a tag, git creates the exact same tarball every time... |
I think that is normal, unfortunately. I make the tarball by running I suppose I could change the release workflow to be more like:
It'd add a few steps, but then github's tarballs would be the same as pypi (assuming github really does normalize the timestamps reproducibly). I'll think about it. |
What I do is use the Web interface of GitHub to upload the "original" tarball and I also have a public release checklist (https://github.com/meejah/txtorcon/blob/master/docs/release-checklist.rst) and would be happy to learn of any deficiencies :) |
i prefer to have a single tarball source, which is easily reproducible. if |
I wonder if there's any way to turn off the github "magic tarball and zip" links.... |
I just finished poking around the API, and I couldn't find any way to turn them off. |
Some more notes:
The 0.8.1 tarball I just grabbed from github (https://github.com/warner/magic-wormhole/archive/0.8.1.tar.gz) is 138638 bytes long and has a SHA256 of 79f1725edaa7643d140ecaf6a54d7a635e488aee9da4d876abcb766de9d54117 . Can other folks confirm that they get the same thing? It'd be nice to know if their generation process is fully deterministic. I seem to remember that the gzip wrapper has its own timestamp somewhere, and |
On 2016-12-08 01:37:55, Brian Warner wrote:
Some more notes:
* github's tarballs set the timestamps of all files to the time of the
tag.. I like it
that is git-archive for you, iirc.
* github appears to use git-archive to make the tarball, so the Versioneer tags in `src/wormhole/_version.py` are correctly populated, so the resulting executable can figure out its own version just as well as a setup.py-produced sdist
correct.
* the pypi tarball includes the `.egg-info` directory and PKG-INFO, which are side-effects of the sdist-building process.. I'm not sure how important/relevant they are
i think those are just noise, but they are necessary for PyPI to
properly populate the release fields.
not sure how to deal with this.
* the pypi tarball omits a few files that weren't added to MANIFEST.in (`.appveyor.yml`, `.travis.yml`, some docs). I'm on the fence about adding them, or leaving them out.
* the pypi tarball's setup.cfg includes an `[egg_info]` section, which probably doesn't matter
true. but then it does make the tarball different... :/
The 0.8.1 tarball I just grabbed from github (https://github.com/warner/magic-wormhole/archive/0.8.1.tar.gz) is 138638 bytes long and has a SHA256 of 79f1725edaa7643d140ecaf6a54d7a635e488aee9da4d876abcb766de9d54117 . Can other folks confirm that they get the same thing? It'd be nice to know if their generation process is fully deterministic.
same here:
79f1725edaa7643d140ecaf6a54d7a635e488aee9da4d876abcb766de9d54117 magic-wormhole-0.8.1.tar.gz
I seem to remember that the gzip wrapper has its own timestamp somewhere, and `gzip -lv` shows me a recent date, but that appears to come from the mtime of the local copy, rather than being part of the contents. The gzip RFC says there's a four-byte MTIME field at offset 4-7, but those appear to be all zeros in the github tarball (the pypi tarball has `67 85 99 57` there).
In my experience, the tarballs from github are fully reproducible: you
can use git-archive locally to create the archive yourself and will end
up with the same result. you do need to use the gzip -n flag however,
which github also uses, otherwise it indeed embeds a timestamp.
a.
…--
The greatest tragedy in mankind's entire history may be the hijacking of
morality by religion.
- Arthur C. Clarke
|
Ok, I'm gonna make an executive decision, and declare that the PyPI tarballs are the official ones, and ignore the github-generated ones (at least for now.. I'm happy to revisit this later).
It's a bummer to not have the easy traceability step from git SHA1 to git-archive tarball (and instead having a one-to-many SHA1->tarball conversion function, with a single distinguished/signed application of this function being used to make the official tarballs). But PyPI needs metadata that isn't commited to git. So yeah, please update the watch file to point at PyPI, and verify the signatures that sit next to the tarballs there. For extra credit, we could automate something to compare the tarball's contents (but not timestamps or EGG-INFO or the missing extra files) against the github tarball, and compare the github tarball against a checkout of the github SHA1. Maybe some future changes to Python packaging will make this step better :). |
the problem this causes on the debian side is that we can't regenerate the tarball from the git repository anymore. i understand your motivations as an upstream, and they make sense to me, but an alternative could be to sign both tarballs, even though that means more work for you. obviously, the proper fix would be for python packaging to not require sdists and somehow have out of band metadata. FWIW, here is the error i get when trying to build the debian package now:
for now i have resorted to importing the tarball in a seperate branch of the git history, but it's a little clunky. i totally understand, however, your rationale and thank you very much for taking time to sign the release. this was, after all, the request here and the debian side of things shouldn't be of your concern. :) cheers! |
@anarcat have you looked at how the packaging for python-txtorcon works? My release process there definitely does not sign the github tarballs -- I essentially ignore them. "irl" is doing packaging now, originally "Lunar^" did it. |
i have not looked at that process in detail... for me, it is simpler to use PyPI as a binary distribution mechanism (with "wheel" files) and git as the source distribution. therefore, i don't use sdist at all. i just did a release of monkeysign using this release process. notice how i use |
I don't see any signatures at all on the latest release of monkeysign (on PyPI). |
that is correct: binary releases are not signed (and I don't think pip would check that anyways). git release tags are OpenPGP-signed, however, and so are Debian uploads, which include a source tarball. I should really include documentation on how to verify those signatures, however... But basically, this will verify the monkeysign source code reliably:
The |
the Debian packaging process can check for upstream signatures when packaging new tarballs..
i encourage you to use OpenPGP signatures to certify the source code you ship. it's the only bit missing to ensure a complete trust chain between you as developpers and Debian end-users.
while we do minimal reviews of changes when we package new upstream versions, some things may go unnoticed if a maintainer is in a rush. having OpenPGP signatures ensures that the packages were not attacked while in transit.
thanks!
The text was updated successfully, but these errors were encountered: