UnitedRPMs / unitedrpms

UnitedRPMs Repository Configuration
https://unitedrpms.github.io/

Resource cannot be found #11

Closed Ricky-Tigg closed 4 years ago

Ricky-Tigg commented 4 years ago

Hello. URL source for download: pkgs.org. Resource cannot be found

$ wget -c https://raw.githubusercontent.com/UnitedRPMs/unitedrpms/master/RPM/unitedrpms-33-1.noarch.rpm
--2020-10-28 14:12:47--  https://raw.githubusercontent.com/UnitedRPMs/unitedrpms/master/RPM/unitedrpms-33-1.noarch.rpm
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.84.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.84.133|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2020-10-28 14:12:47 ERROR 404: Not Found.

kuboosoft commented 4 years ago

@Ricky-Tigg Thanks for the report, but on the official site you can see the steps to install UnitedRPMs. Imagine 17 releases missed. https://unitedrpms.github.io/#repository

Ricky-Tigg commented 4 years ago

After having encountered the issue, which according to your information is on pkgs.org's side, I followed the instructions on the page you linked. It worked as intended.

There the order to observe is:

  1. Import UnitedRPMs GPG public keys;
  2. Install acquired rpm file for access to the UnitedRPMs repository.

On the present GitHub page the order to observe is inverted, which is then:

  1. Install acquired rpm file for access to the UnitedRPMs repository;
  2. Import UnitedRPMs GPG public keys.

GPG keys

According to an IETF document, MD5 and SHA-1 signature hashes may not be suitable for use in the present context, whereas hashes from the SHA-3 or even SHA-2 families would be. In this case that would mean a SHA-256 hashed GPG key alone being added to the local keyring. How fair might that methodology be, in your opinion?

$  rpm -Kv https://github.com/UnitedRPMs/unitedrpms/releases/download/17/unitedrpms-$(rpm -E %fedora)-17.fc$(rpm -E %fedora).noarch.rpm | sed 1d | column
    Header SHA256 digest: OK        Payload SHA256 digest: OK
    Header SHA1 digest: OK      MD5 digest: OK

kuboosoft commented 4 years ago

@Ricky-Tigg "On present Git Hub page the order to observe is inverted, which is then:"

A pull request with the changes is welcome... :smile:

"...How fair might be that methodology in your opinion?"

Compatibility vs. the strongest hash protection. By default gpg uses SHA1 as the hash (at some point we must all move forward). I ask you a question: do you install an unsigned repository? I am not sure if you are insinuating something here, but our rpm with the repository is signed and also includes the authenticity keys for each rpm in our repository; our metadata in the repository is signed as well. I can't see any other third-party repository signing the rpm that carries the repository... Nothing is safe, but we cannot publish an unsigned rpm (even more so if it includes our repository), as it could end up in the wrong hands.

You need to read about how to sign rpms with GPG:

https://access.redhat.com/articles/3359321
https://www.redhat.com/sysadmin/rpm-gpg-verify-packages
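As an added example (not code from the issue or from the UnitedRPMs project), a small POSIX sh helper that classifies `rpm -Kv` output along the lines of the exchange above: the `MD5`/`SHA1`/`SHA256 digest` lines only show the file is intact, while origin is established solely by a `Signature ... : OK` line checked against a key that was imported beforehand, which is why the key import belongs before the package install. The sample outputs embedded below are constructed; the hypothetical key ID is a placeholder.

```shell
#!/bin/sh
# assess_rpm_kv: classify the text produced by `rpm -Kv <pkg.rpm>`.
# Returns 0 when a GPG signature verified against an imported key,
# 1 when a signature is present but BAD/NOKEY/NOTTRUSTED,
# 2 when only digest lines are present (integrity, but no authenticity).
assess_rpm_kv() {
    # $1: rpm -Kv output text; read from stdin if no argument is given
    out=${1:-$(cat)}
    # A signature that could not be verified is worse than no signature:
    # NOKEY means the vendor key was never imported (wrong install order).
    if printf '%s\n' "$out" | grep -Eqi 'signature.*: *(BAD|NOKEY|NOTTRUSTED)'; then
        echo "REJECT: signature present but bad or key not imported"
        return 1
    fi
    if printf '%s\n' "$out" | grep -Eqi 'signature.*: *OK'; then
        # Signature verified; still flag legacy MD5/SHA1 signature hashes.
        if printf '%s\n' "$out" | grep -Eqi '(RSA|DSA)/(MD5|SHA1) +Signature'; then
            echo "WARN: signed with an imported key, but the signature hash is weak"
        else
            echo "OK: signed with an imported key"
        fi
        return 0
    fi
    echo "UNSIGNED: digest lines only; file is intact but origin is unproven"
    return 2
}

# Constructed sample: what `rpm -Kv` prints after `rpm --import` of the
# vendor key (key ID 0123abcd is a placeholder, not a real key).
SAMPLE_SIGNED='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'

# Constructed sample: digest-only output, as in the issue's `sed 1d | column`
# listing, which carries no signature line at all.
SAMPLE_DIGESTS='    Header SHA256 digest: OK        Payload SHA256 digest: OK
    Header SHA1 digest: OK      MD5 digest: OK'

assess_rpm_kv "$SAMPLE_SIGNED" || true
assess_rpm_kv "$SAMPLE_DIGESTS" || true
```

In practice the text comes from `rpm -Kv "$pkg" | assess_rpm_kv`, run only after `rpm --import` of the vendor's key, so a NOKEY result is caught before any `rpm -i`.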