SolutionGuidance / psm

Welcome to the Medicare/Medicaid Provider Enrollment Screening Portal
http://projectpsm.org/

upstream: follow up on WildFly package integrity #78

Open brainwane opened 7 years ago

brainwane commented 7 years ago

In INSTALL.md we advise people to download WildFly from the WildFly site and install it. It'd be better if we could also tell them to check for package integrity via a cryptographic signature. Thus: comment on the relevant issues.jboss.org bug to ask for cryptographic signatures to assure WildFly package integrity. It's an older bug, but WildFly's new progress on CI implies that they might be more able to work on the release management issue now than when it was filed.

brainwane commented 7 years ago

I just dropped into the WildFly HipChat to ask about this, and was pointed to some existing SHA-1 and MD5 checksums:

[3:34 PM] Sumana Harihareswara: Hi, WildFly developers, and thank you for the work that you do! I have a question about https://issues.jboss.org/browse/WFLY-2979 for @ctomc -- now that WildFly has CI set up, is it more possible to get cryptographic signatures to verify WildFly packages?
[3:36 PM] Tomaz Cerar: that is not so much a CI issue as just a process of release thing
[3:39 PM] Sumana Harihareswara: @ctomc Understood -- thanks. Is WFLY-2979 something that a new contributor could work on at all? I presume not since it's so tied into your release processes, but my bosses have mentioned they're interested in getting this addressed, so I figured it's worth asking
[3:40 PM] Tomaz Cerar: well yes, we just need to update maven build to create that as part of the dist
[3:40 PM] Tomaz Cerar: so when build is done with -Drelease this is also created
[3:40 PM] Sumana Harihareswara: also, @JasonGreene thank you for your release announcement posts which have been helpful for me
[3:41 PM] Tomaz Cerar: it only needed for "dist" module of wildfly project
[3:42 PM] Sumana Harihareswara: @ctomc that, plus automating the bit of displaying the hash to the Downloads page next to the package name/link
[3:42 PM] Sumana Harihareswara: or having it easily available & retrievable for the release manager to do manually, if that's acceptable
[3:42 PM] Tomaz Cerar: yes that part is done manually, but that is simple as long as we have it
[3:43 PM] Tomaz Cerar: adding checksum shouldn't be a big deal
[3:43 PM] Tomaz Cerar: signature such as gpg i am not sure
[3:43 PM] Sumana Harihareswara: ok, thanks, Tomaz, I'll let my colleagues know so we can decide whether/when to come help with that -- thanks!
[3:43 PM] Tomaz Cerar: probably something like https://checksum-maven-plugin.nicoulaj.net/artifacts-mojo.html should work
[3:44 PM] Tomaz Cerar: just configuring it in optional profile for release in dist module should do the trick
[3:45 PM] Tomaz Cerar: @SumanaHarihareswaraGuest there are checksums in maven repo https://repository.jboss.org/nexus/content/groups/public/org/wildfly/wildfly-dist/11.0.0.CR1/
[3:45 PM] Tomaz Cerar: does this help in any way?
[3:48 PM] Sumana Harihareswara: @ctomc Oooh, thanks for the pointer! SHA-1 and MD5 are helpful!
[3:48 PM] Sumana Harihareswara: Tomaz, have those been there for several months? because if so, I feel foolish and unobservant :)
[3:49 PM] Tomaz Cerar: they are part of every uploaded maven artifact
[3:49 PM] Tomaz Cerar: always
[3:49 PM] Tomaz Cerar: so maven knows if download is correct
[3:50 PM] Sumana Harihareswara: I must not have looked in that directory.
[3:50 PM] Tomaz Cerar: but we do need to add this also to website
[3:51 PM] Sumana Harihareswara: Yeah, that would be good. Should that be its own new issue, since WFLY-2979 is more about cryptographic signature?
[3:51 PM] Sumana Harihareswara: the downloads page doesn't link there -- you probably know? it goes to downloads.jboss.org, not repository.jboss.org
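The chat above points at the `.sha1` sidecar files that Maven repositories publish beside every artifact. The script below is an added example of how an INSTALL.md step could use them; it is not code from the psm project or from WildFly. The repository path is the one quoted in the chat, while the archive name `wildfly-dist-11.0.0.CR1.zip` is an assumption taken from Maven's `artifactId-version` naming convention, and the `curl` download helper is not run by default. The offline demo uses a constructed file whose SHA-1 is a well-known test vector.

```shell
#!/bin/sh
# Added example (not part of the psm project or WildFly): verify a downloaded
# archive against the .sha1 sidecar that Maven repositories publish next to
# every artifact. Archive filename and curl usage are assumptions.

# Print the SHA-1 of a file as lowercase hex, using whichever tool is present
# (sha1sum on GNU systems, shasum on macOS/BSD).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED -> returns 0 on match, 1 on mismatch.
# Maven .sha1 files hold the hex digest, occasionally followed by whitespace
# or a filename, so only the first token is compared, case-insensitively.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | awk '{print tolower($1)}')
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected=$expected actual=$actual" >&2
    return 1
}

# verify_maven_dist BASE_URL ARTIFACT: fetch the artifact and its .sha1
# sidecar from the same repository directory, then compare them.
# Needs network access, so it is only defined here, not called.
verify_maven_dist() {
    base=$1
    artifact=$2
    curl -fsSL "$base/$artifact" -o "$artifact" || return 1
    curl -fsSL "$base/$artifact.sha1" -o "$artifact.sha1" || return 1
    verify_sha1 "$artifact" "$(cat "$artifact.sha1")"
}

# Constructed offline demo: a file containing "abc", whose SHA-1 is the
# standard test vector a9993e364706816aba3e25717850c26c9cd0d89d.
demo() {
    tmp=$(mktemp)
    printf 'abc' > "$tmp"
    verify_sha1 "$tmp" "a9993e364706816aba3e25717850c26c9cd0d89d"
    status=$?
    rm -f "$tmp"
    return $status
}

# Real-world call (commented out; assumed archive name, needs network):
# verify_maven_dist \
#   "https://repository.jboss.org/nexus/content/groups/public/org/wildfly/wildfly-dist/11.0.0.CR1" \
#   "wildfly-dist-11.0.0.CR1.zip"
```

A checksum served from the same directory as the archive protects against a truncated or corrupted download, which is what Maven uses it for; it does not tell you who produced the archive, because anyone able to replace the zip on that server can replace the sidecar too. That is the gap WFLY-2979's request for a detached GPG signature would close, which is why the thread treats "add checksum" and "add signature" as separate steps.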

kfogel commented 6 years ago

I didn't know we had this issue when I made this comment in Wildfly.org issue #87.