[Mesa-dev] [RFC] Mesa 9.2 and release process changes
Carl Worth
cworth at cworth.org
Wed Jul 3 17:38:25 PDT 2013
Dave Airlie <airlied at gmail.com> writes:
> There should be a reason for doing 2, btw just stating I'd like to do
> this doesn't give us any advantages over what we have now. Whats the
> point, stopping hackers? etc.
If md5sums are to be used to verify that the release tar files have not
been modified, then users need a way to ensure that the md5sums are
valid. If users are only obtaining the md5sums from web pages or mailman
archives hosted on the same server as the tar files, then an attacker
that substitutes an alternate tar file can also substitute alternate
md5sums in the archives of the release email.
> GPG signing tags is now being used sometimes in the kernel world,
> though really unless a developer has a gpg key that is trusted by
> other devs, and hence has met up with other devs to ensure that, gpg
> signing isn't gaining much.
Even without personally meeting the developer, one can, for example,
watch a sequence of releases where the release notes have all been
signed by the same developer. Then you can trust subsequent releases as
much as you trust previous releases.
For example, I'll be doing the stable releases going forward, and I'll
send out release-announcement email messages (containing MD5 sums) that
are signed with the same key I'm using to sign the current message.
Everyone on this list should have received some number of messages from
me in the past all signed with the same key, (that's why I have my email
client configured to sign all outgoing messages by default).
I have also met with several developers and co-signed each others
keys. And I'd be willing to do more of that in the future if that would
be helpful.
Let me know what else you'd like to see from the release manager.
-Carl
--
carl.d.worth at intel.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/mesa-dev/attachments/20130703/f868ef85/attachment.pgp>
More information about the mesa-dev
mailing list