Date: Wed, 2 Oct 2019 17:29:00 +0000
From: Daniel Shahaf
To: dev@subversion.apache.org
Subject: Re: Link to KEYS file on our download page

Daniel Shahaf wrote on Mon, Sep 30, 2019 at 17:00:23 +0000:
> Julian Foad wrote on Mon, 30 Sep 2019 16:34 +00:00:
> > Nothing happened there.
> >
> > I have now manually added a copy
> >    of https://people.apache.org/keys/group/subversion.asc
> >    to https://www.apache.org/dist/subversion/KEYS
> >    via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
> > and updated our download page to point to it (r1867780).
>
> Thanks.
>
> However, I still wonder why we shouldn't have this command run automatically —
> .
>     curl -sSf https://people.apache.org/keys/group/subversion.asc | svnmucc -U https://dist.apache.org/repos/dist/ put /dev/stdin dev/subversion/subversion-1.13.0-rc1.KEYS
> .
> — and be done with it for good.  It could be run from release.py, for example.

I think the following should do it, though we may want to ask Infra to add
a «*.KEYS» pattern to their rsyncd.conf exclude= line, to prevent the *.KEYS
files from being mirrored.  (That's already true for *.asc files.)

[[[
release.py: Automatically add to dist/ a current KEYS file with each release.

In particular, this means versioned KEYS files will be archived to
archive.a.o/dist/, and will continue to contain keys after those have been
removed from a committer's id.a.o profile.

* tools/dist/release.py
  (download_file): Make checksum verification opt-outable.
(roll_tarballs): Download the KEYS file to the target directory. Rely on TLS for authenticity and integrity of the downloaded file (as we already do for authenticity and integrity of the subsequent commit operation). * tools/dist/templates/download.ezt, * tools/dist/templates/rc-release-ann.ezt, * tools/dist/templates/stable-release-ann.ezt: Link to the per-release KEYS file. ]]] [[[ Index: tools/dist/release.py =================================================================== --- tools/dist/release.py (revision 1867888) +++ tools/dist/release.py (working copy) @@ -294,7 +294,14 @@ def run_script(verbose, script, hide_stderr=False) for l in script.split('\n'): run_command(l.split(), verbose, hide_stderr) -def download_file(url, target, checksum): +def download_file(url, target, checksum): + """Download the file at URL to the local path TARGET. + If CHECKSUM is a string, verify the checksum of the downloaded + file and raise RuntimeError if it does not match. If CHECKSUM + is None, do not verify the downloaded file. + """ + assert checksum is None or isinstance(checksum, str) + response = urllib2.urlopen(url) target_file = open(target, 'w+') target_file.write(response.read()) @@ -303,7 +310,7 @@ def run_script(verbose, script, hide_stderr=False) m.update(target_file.read()) target_file.close() checksum2 = m.hexdigest() - if checksum != checksum2: + if checksum is not None and checksum != checksum2: raise RuntimeError("Checksum mismatch for '%s': "\ "downloaded: '%s'; expected: '%s'" % \ (target, checksum, checksum2)) 
@@ -966,7 +973,12 @@ def roll_tarballs(args): shutil.copy(os.path.join(get_workdir(args.base_dir), 'subversion', 'include', 'svn_version.h'), os.path.join(get_target(args), - 'svn_version.h.dist-%s' % str(args.version))) + 'svn_version.h.dist-%s' + % (str(args.version),))) + download_file(KEYS, + os.path.join(get_target(args), + 'subversion-%s.KEYS' % (str(args.version),)), + None) # And we're done! Index: tools/dist/templates/download.ezt =================================================================== --- tools/dist/templates/download.ezt (revision 1867888) +++ tools/dist/templates/download.ezt (working copy) @@ -4,10 +4,12 @@ File Checksum (SHA512) Signatures + PGP Public Keys [for fileinfo] [fileinfo.filename] [SHA-512] - [PGP] + [PGP signatures] + [PGP keyring] [end] Index: tools/dist/templates/rc-release-ann.ezt =================================================================== --- tools/dist/templates/rc-release-ann.ezt (revision 1867888) +++ tools/dist/templates/rc-release-ann.ezt (working copy) @@ -23,6 +23,10 @@ PGP Signatures are available at: For this release, the following people have provided PGP signatures: [siginfo] +These public keys are available at: + + https://www.apache.org/dist/subversion/subversion-[version].KEYS + This is a pre-release for what will eventually become version [major-minor-patch] of the Apache Subversion open source version control system. It may contain known issues, a complete list of [major-minor-patch]-blocking issues can be found Index: tools/dist/templates/stable-release-ann.ezt =================================================================== --- tools/dist/templates/stable-release-ann.ezt (revision 1867888) +++ tools/dist/templates/stable-release-ann.ezt (working copy) 
@@ -34,6 +34,10 @@ PGP Signatures are available at: For this release, the following people have provided PGP signatures: [siginfo] +These public keys are available at: + + https://www.apache.org/dist/subversion/subversion-[version].KEYS + Release notes for the [major-minor].x release series may be found at: https://subversion.apache.org/docs/release-notes/[major-minor].html ]]] Cheers, Daniel
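
Review bot: In the first tools/dist/release.py hunk (download_file), a call with checksum=None leaves the bare urllib2.urlopen(url) line as the only authenticity and integrity control on the downloaded file, which the log message accepts for KEYS. Nothing in the visible lines shows that this call validates the server certificate or that the URL is https://, so confirm both for the Python that runs release.py, or make the requirement explicit in the docstring. The new assert is also the only type check on CHECKSUM; an explicit TypeError would survive python -O and give callers a clearer failure.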
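
Review bot: In the second tools/dist/release.py hunk, the RuntimeError just below the changed condition formats (target, checksum, checksum2) into "downloaded: '%s'; expected: '%s'", so the expected value is printed as the downloaded one and the other way round, since checksum2 is the digest of the file just written. Swap the last two arguments while this condition is being touched. With checksum None the file is still read back and hashed before the condition discards the result; returning right after the write would avoid that.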
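
Review bot: In the roll_tarballs hunk, download_file(KEYS, ...) refers to a name KEYS that no hunk of this patch defines, so unless release.py already has such a module-level constant the roll will end in a NameError after the tarballs are built. Add the definition to the patch (the thread uses https://people.apache.org/keys/group/subversion.asc) and list it in the log message.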
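
Review bot: In the rc-release-ann.ezt and stable-release-ann.ezt hunks, "These public keys are available at:" follows the [siginfo] list and so promises that subversion-[version].KEYS holds the key of every signer named there, but the file is fetched once inside roll_tarballs, when the tarballs are created. A key that is added to a committer's profile after the roll will be missing from the archived file. Either refresh the KEYS file at the point where signatures are collected, or word the sentence so it does not claim completeness.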
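
Since the patch above opts the KEYS download out of checksum verification, a structural check of the fetched text can still catch a truncated download or an error page before it is committed to dist/. This is an added example, not part of the original message or of release.py; `check_keys_text`, `constructed_block` and the sample data are hypothetical, and the armor CRC-24 detects corruption only, not tampering.

```python
import base64
import re

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"\n(.*?)\n" + re.escape(END), re.S)

def crc24(data):
    """CRC-24 of OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def check_keys_text(text):
    """Return the number of intact armored key blocks in TEXT.
    Raise ValueError for no blocks, an unterminated block, undecodable
    base64, or a CRC-24 mismatch. Text outside the blocks is ignored."""
    text = text.replace("\r\n", "\n")
    blocks = BLOCK_RE.findall(text)
    if not blocks or len(blocks) != text.count(BEGIN):
        raise ValueError("no key block found, or a block is not terminated")
    for number, block in enumerate(blocks, 1):
        # Armor headers such as "Version:" end at the first blank line.
        lines = ("\n" + block).partition("\n\n")[2].split()
        crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
        data = base64.b64decode("".join(lines), validate=True)  # ValueError if bad
        if not data:
            raise ValueError("block %d: empty" % number)
        if crc_line is not None:  # the armor checksum is optional
            expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
            if crc24(data) != expected:
                raise ValueError("block %d: CRC-24 mismatch" % number)
    return len(blocks)

def constructed_block(payload):
    """Armor dummy bytes (constructed test data, not a real key)."""
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "%s\n\n%s\n=%s\n%s\n" % (
        BEGIN, base64.b64encode(payload).decode(), crc, END)

SAMPLE_KEYS = ("pub  constructed listing line\n"
               + constructed_block(b"A" * 40) + constructed_block(b"B" * 40))

if __name__ == "__main__":
    print(check_keys_text(SAMPLE_KEYS))
```
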