Open jscott0 opened 1 year ago
Yes, that would be nice. We have now more pressing matters to consolidate the code and potentially move to an organization-driven repository. I think bugs in code have higher priority now.
I'm 99% sure this request came from Debian. @mbiebl I wonder if it would be OK if tags were signed by analogy with systemd? I believe distros where those things matter can handle that.
Other distros don't verify anything even when things come with signatures and resort to TOFU by computing hashes or whatever anyway.
Regarding avahi.org I don't think anyone (apart from probably @lathiat ) has access to it so I'm not sure it makes sense to mirror tarballs there too in the future. That's probably something @lathiat should decide.
We have the exact same expectation on Fedora. If the source is signed, we want it validated during build. External .asc signatures help to make it smooth and simple. I am not sure what the exact process for it is. I think the maintainer is able to upload their own archives for a release, including this signature. But I have never done it myself.
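As an added illustration of the build-time validation described above (not code from this thread or from the Avahi project), the shell function below verifies a release tarball against a detached `.asc` signature using only a pinned keyring and a pinned release-key fingerprint; the file names, the keyring path and the fingerprint are assumptions for the example.

```shell
#!/bin/sh
# Verify <tarball> against its detached OpenPGP signature <sig> using ONLY the
# pinned keyring <keyring> (the distro's own copy of the upstream release key,
# in binary format as produced by `gpg --export`), and additionally require
# that the signing key's fingerprint equals <expected_fpr>.
# gpgv is the verification-only tool: no trust model, no key fetching, and it
# refuses any key that is not in the given keyring. Note that --keyring wants
# an absolute path or one containing a slash; otherwise it looks in GNUPGHOME.
# Returns 0 on a good signature from the pinned key, 1 on a bad/unknown
# signature or wrong key, 2 when an input file is missing.
verify_release_tarball() {
  tarball=$1 sig=$2 keyring=$3 expected_fpr=$4
  for f in "$tarball" "$sig" "$keyring"; do
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
  done
  # --status-fd 1 gives machine-readable status lines on stdout; the VALIDSIG
  # line carries the full fingerprint of the key that made the signature.
  status=$(gpgv --status-fd 1 --keyring "$keyring" "$sig" "$tarball" 2>/dev/null) || {
    echo "bad or unknown signature on $tarball" >&2
    return 1
  }
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
  if [ "$fpr" != "$expected_fpr" ]; then
    echo "signed by $fpr, expected $expected_fpr" >&2
    return 1
  fi
  echo "OK: $tarball signed by $fpr"
}
```

Call it as `verify_release_tarball avahi-X.Y.tar.gz avahi-X.Y.tar.gz.asc /path/to/upstream-keyring.gpg <FINGERPRINT>` from the build recipe; a non-zero exit should abort the build.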
I'll just leave https://github.com/systemd/systemd/issues/2926 here. I think Fedora gave up there and still pulls unsigned stuff generated by GitHub instead of verifying signed tags.
In light of https://www.openwall.com/lists/oss-security/2024/03/29/4 it seems at least Fedora is discussing switching from make dist tarballs: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/#4VRKIAQAXGXU7C7A2ERO7SN3WTC5ML33.
If nobody actually needs those tarballs anymore I guess it should be fine to stop producing them and just use tags. Most distros can handle that.
Hi, so downstreams can verify the integrity of the source code, it would be nice if you would publish OpenPGP or S/MIME/CMS signatures at Avahi.org. Ideally such a key would be published in a secure DNS zone so folks could ascertain its integrity without resorting to TOFU or the Web of Trust. Thanks!