dracut
057 release without a signed tag and no signed assets
Hi,
I'm the packager for dracut on Arch Linux. Previous releases used to be on kernel.org, but 057 is not there. Also, it has no gpg signature on the assets, nor is its tag signed. Also, if there's a new maintainer, it would be nice to have a signature path between the previous maintainers and the new one.
Signed assets will be provided when Harald has found the time to sign them and upload them.
Since you seem to be expecting a signature ( with signed paths no less ) on a snapshot of a code repository but seem to be perfectly fine with the entire code base being more or less entirely unsigned, I have to ask out of curiosity what (security?) value you see in having a signed tag/release/asset(s) that is made out of an upstream repository that does not require signed commits and/or DCO signoffs?
What kind of (security?) assurance are you seeking as a downstream maintainer, since currently there are only 3 people that can tag a release, who literally can actually create that snapshot in time ( signed or not ) of the codebase, and in the future there might be more or less ( as in a release bot, which then obviously would create that signature )?
Well, this is all about attesting this software came from you guys. I don't think you need to sign commits (although it would be good too), also, if the tag itself is signed, I could use it instead of needing you guys to upload assets.
Change to rely on tags instead of signed uploaded assets, since I will be deprecating it sooner rather than later and at that point we will only be signing tags and will stop (re)uploading signed assets ( github itself is what actually creates those assets, as in we are not creating them, and people that require the legacy tar ball can just fetch it via https://codeload.github.com/dracutdevs/dracut/tar.gz/refs/tags/$TAG as in https://codeload.github.com/dracutdevs/dracut/tar.gz/refs/tags/057 but it won't be signed; if people want it signed they will have to nag github to do something about it, as in provide us with a means to sign their asset releases ). Also expect a faster/steady ( monthly ) release cycle now that I'm doing releases; the next release will probably be in a week's time ( around first of July ).
So, I'm fine if you guys switch to signed tags, but keep in mind that there are some possible attacks on them, if I recall correctly. Also, as for the assets that github creates, you can replace those with assets you manually create (and sign) yourself with git archive. I do that for mkinitcpio, for example. As for release cycle, that's also fine, I'll try to keep up with monthly releases.
This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.
This is still an issue. We have no signed assets and no path to confirming new maintainer.
This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.
This is still an issue. We have no signed assets and no path to confirming new maintainer.
This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.
This is still an issue. We have no signed assets and no path to confirming new maintainer.
This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.
This is still an issue. We have no signed assets and no path to confirming new maintainer.
Why does this bot exist?
To close stalled issues. When issues are not stalled people will comment on them.
This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.
bump
058 is signed! @grazzolini, hopefully we will see the update soon.
@HanabishiRecca well I fucked up in the holiday stress so I had to make another ( signed ) release ( 059 ) Merry Christmas :santa:
I had to make another ( signed ) release ( 059 )
I don't see any difference from 058, but yeah, great anyway. 👍
Released signed hence closing
I could well be missing the obvious, but please can you share where to get the public key used to sign the tag?
where to get the public key used to sign the tag?
https://api.github.com/users/johannbg/gpg_keys
key_id: 1A845D0F6E0FD07D
public_key: zjMEYq+OyBYJKwYBBAHaRw8BAQdAQHc7XddmVz8CYBASs5zGUq4FuNmbZw02NCfShQzCgYw=
Thank you - that worked.
@gene-git @HanabishiRecca Thanks for looking into it. It would be great to see this release to make it into Arch.
Is there a PR to update dracut for the Arch repo ?
Is there a PR to update dracut for the Arch repo ?
PR? Arch official repos do not have such functionality.
@grazzolini is a maintainer of dracut package.
@grazzolini
I do not know where else to put this information, so I am just going to put this note here (even though this is clearly not in scope for #1850, but would instead be in scope for #1837).
When you update the Arch dracut package version please also consider changing the url from https://dracut.wiki.kernel.org to "https://github.com/dracutdevs/dracut/wiki" in https://github.com/archlinux/svntogit-packages/blob/packages/dracut/trunk/PKGBUILD#L7
Thanks dracut devs for signing new tags. Here is an issue: the new signing key. In my memory, Arch adopts some kind of web of trust, and thus a new signing key for upstream sources needs a confirmation from the former key owner (e.g., a GPG cross signature from Harald).
As a reference, here is a working Arch Linux PKGBUILD for dracut 059. I can upload community packages to Arch, but not core and extra ones like dracut, so I just put my work here.
PKGBUILD

```bash
# Maintainer: Giancarlo Razzolini <[email protected]>
pkgname=dracut
pkgver=059
# Object hash the tag is pinned to, so a moved tag on the remote is rejected.
_tag=62121e4cd02c9eab9f01789e950dccc9539a9c20
pkgrel=1
pkgdesc="An event driven initramfs infrastructure"
arch=('x86_64')
url="https://github.com/dracutdevs/dracut/wiki"
license=('GPL')
depends=('bash' 'coreutils' 'cpio' 'filesystem' 'findutils' 'grep' 'gzip'
         'kmod' 'pkgconf' 'procps-ng' 'sed' 'systemd' 'util-linux' 'xz')
makedepends=('asciidoc' 'bash-completion' 'git')
optdepends=('binutils: --uefi option support'
            'elfutils: strip binaries to reduce initramfs size'
            'multipath-tools: dmraid dracut module support'
            'pigz: faster gzip compression'
            'sbsigntools: uefi_secureboot_cert/key configuration option support')
provides=('initramfs')
backup=('etc/dracut.conf')
# "?signed" makes makepkg verify the tag's OpenPGP signature; the signing
# key's fingerprint must appear in validpgpkeys below.
source=("git+https://github.com/dracutdevs/dracut.git?signed#tag=$_tag")
sha512sums=('SKIP')
validpgpkeys=(
  '7F3D64824AC0B6B8009E50504BC0896FB5693595' # Harald Hoyer <[email protected]>
  'F66745589DE755B02AD947D71F1139EBBED1ACA9' # Jóhann B. Guðmundsson <[email protected]>
)

pkgver() {
  cd "$srcdir/${pkgname}"
  git describe --tags
}

build() {
  local prefix=/usr sysconfdir=/etc
  cd "$srcdir/${pkgname}"
  ./configure \
    --sysconfdir=${sysconfdir} \
    --prefix=${prefix} \
    --libdir=${prefix}/lib \
    --systemdsystemunitdir=${prefix}/lib/systemd/system \
    --bashcompletiondir=$(pkg-config --variable=completionsdir bash-completion)
  make
}

package() {
  cd "$srcdir/${pkgname}"
  DESTDIR="$pkgdir" make install
}
```
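The PKGBUILD above relies on makepkg's `?signed` + `validpgpkeys` rule: a tag signature is only accepted when the signing key's primary fingerprint is on the allow-list, which is why a new maintainer's key needs a trust path before the package can move. The check below is an added example modelled on that rule, not makepkg's own code; the GnuPG status text it parses (what `git verify-tag --raw` prints) is constructed, and the subkey fingerprint and UID in it are placeholders.

```python
# Allow-list check for a signed git tag, modelled on how makepkg handles a
# "git+...?signed#tag=..." source together with validpgpkeys. Added example
# for this thread, not makepkg's own code. Input is the GnuPG status output
# that `git verify-tag --raw <tag>` writes to stderr.

# Fingerprints listed in the PKGBUILD posted above (Harald, Jóhann).
VALIDPGPKEYS = (
    "7F3D64824AC0B6B8009E50504BC0896FB5693595",
    "F66745589DE755B02AD947D71F1139EBBED1ACA9",
)

# Status keywords after which verification must fail outright.
FATAL_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def check_tag_signature(status_output, validpgpkeys=VALIDPGPKEYS):
    """Return (accepted, reason) for the status text of `git verify-tag --raw`."""
    allowed = {k.upper() for k in validpgpkeys}
    good_fprs = []
    for line in status_output.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "[GNUPG:]":
            continue  # human-readable gpg chatter, not a status record
        if tokens[1] in FATAL_STATUS:
            return False, f"gpg reported {tokens[1]}"
        if tokens[1] == "VALIDSIG":
            # tokens[2] is the key that made the signature (may be a subkey);
            # tokens[11], when present, is the primary key fingerprint, which
            # is what validpgpkeys lists, so prefer it.
            fpr = tokens[11] if len(tokens) >= 12 else tokens[2]
            good_fprs.append(fpr.upper())
    if not good_fprs:
        return False, "no valid signature on tag"
    for fpr in good_fprs:
        if fpr in allowed:
            return True, f"signed by trusted key {fpr}"
    # A good signature from a key nobody vouched for is the "new maintainer"
    # case in this thread: cryptographically valid, but not trusted.
    return False, f"good signature from untrusted key {good_fprs[0]}"


# Constructed sample: signature by a (placeholder) subkey of the F667...ACA9 key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1F1139EBBED1ACA9 Jóhann B. Guðmundsson <uid@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-12-24 1671840000 0 4 0 22 8 01 F66745589DE755B02AD947D71F1139EBBED1ACA9
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print(check_tag_signature(SAMPLE_STATUS))
```

Note that makepkg deliberately ignores the `TRUST_*` line: the allow-list in `validpgpkeys` stands in for web-of-trust validity, which is exactly why the cross-signature requested later in this thread matters.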
Yes, we need cross signature. However, given this package is out of date for a long time, a message from @haraldh on this issue would be a starting point.
Hi @johannbg @haraldh,
can you please establish a trust path between 9BAD8B9BBD1CBDEDE3443292900F3C4971086004 (@haraldh) and F66745589DE755B02AD947D71F1139EBBED1ACA9 (@johannbg)?
This can be done by having the former create a signature for the User ID Jóhann B. Guðmundsson <[email protected]> on the latter certificate and uploading the result to relevant keyservers (e.g. https://keys.openpgp.org/ and/or https://keyserver.ubuntu.com).
Alternatively, other proof (e.g. a clear-signed text by @haraldh as a comment to this ticket) is also possible.
We are still on dracut 056 on Arch Linux as there has not been progress made on this ticket.
@dvzrv signed https://github.com/johannbg.gpg and uploaded to the keyservers
@dvzrv signed https://github.com/johannbg.gpg and uploaded to the keyservers
Awesome, thank you! :tada: