switching to systemd-stable

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

switching to systemd-stable

dave reisner
Hey all,

This should be pretty much a no-brainer, but wanted to be sure I wasn't
missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
which branches at each tag and cherry-picks backports. I'd like to
switch our systemd package to this repo to avoid some of the duplication
of work that Jan, Christian and myself have done in the past. The repo
sees a bunch more activity than what our own backporting strategy has
been, and I see that as a positive.

One potentially bikeshed-worthy question is versioning. Do we count
commits and modify the pkgver every time we build from the repo, e.g.
233.23-1 (meaning pkgrel=1 of a v233 build containing 23 backports), or
do we simply keep the base pkgver true to upstream and increment pkgrel
every time we release, e.g. 233-5 (meaning pkgrel=5 of some build of the
v233 stable branch).

Regards,
Dave

[1] https://github.com/systemd/systemd-stable
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

Christian Hesse
Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:

> Hey all,
>
> This should be pretty much a no-brainer, but wanted to be sure I wasn't
> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
> which branches at each tag and cherry-picks backports. I'd like to
> switch our systemd package to this repo to avoid some of the duplication
> of work that Jan, Christian and myself have done in the past. The repo
> sees a bunch more activity than what our own backporting strategy has
> been, and I see that as a positive.
>
> One potentially bikeshed-worthy question is versioning. Do we count
> commits and modify the pkgver every time we build from the repo, e.g.
> 233.23-1 (meaning pkgrel=1 of a v233 build containing 23 backports), or
> do we simply keep the base pkgver true to upstream and increment pkgrel
> every time we release, e.g. 233-5 (meaning pkgrel=5 of some build of the
> v233 stable branch).
>
> [1] https://github.com/systemd/systemd-stable
I like the versioning to indicate what the package contains... So voting for
the inclusion of commit count. The only downside will be that people will
flag the package out-of-date for every new commit in the stable branch. :-p
--
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

attachment0 (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

arch dev mailing list
Le samedi 1 juillet 2017, 19:59:49 CEST Christian Hesse a écrit :

> Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:
> > One potentially bikeshed-worthy question is versioning. Do we count
> > commits and modify the pkgver every time we build from the repo, e.g.
> > 233.23-1 (meaning pkgrel=1 of a v233 build containing 23 backports), or
> > do we simply keep the base pkgver true to upstream and increment pkgrel
> > every time we release, e.g. 233-5 (meaning pkgrel=5 of some build of the
> > v233 stable branch).
> >
> > [1] https://github.com/systemd/systemd-stable
>
> I like the versioning to indicate what the package contains... So voting for
> the inclusion of commit count. The only downside will be that people will
> flag the package out-of-date for every new commit in the stable branch. :-p
I agree, commit count is the best choice.

--
Laurent Carlier
http://www.archlinux.org

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

arch dev mailing list
Le 01/07/2017 à 20:15, Laurent Carlier via arch-dev-public a écrit :

> Le samedi 1 juillet 2017, 19:59:49 CEST Christian Hesse a écrit :
>> Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:
>>> One potentially bikeshed-worthy question is versioning. Do we count
>>> commits and modify the pkgver every time we build from the repo, e.g.
>>> 233.23-1 (meaning pkgrel=1 of a v233 build containing 23 backports), or
>>> do we simply keep the base pkgver true to upstream and increment pkgrel
>>> every time we release, e.g. 233-5 (meaning pkgrel=5 of some build of the
>>> v233 stable branch).
>>>
>>> [1] https://github.com/systemd/systemd-stable
>> I like the versioning to indicate what the package contains... So voting for
>> the inclusion of commit count. The only downside will be that people will
>> flag the package out-of-date for every new commit in the stable branch. :-p
> I agree, commit count is the best choice.
Just in case more voices matter, I agree too. ;)

Bruno


signature.asc (531 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

Christian Hesse
In reply to this post by dave reisner
Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:
> Hey all,
>
> This should be pretty much a no-brainer, but wanted to be sure I wasn't
> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
> which branches at each tag and cherry-picks backports. I'd like to
> switch our systemd package to this repo to avoid some of the duplication
> of work that Jan, Christian and myself have done in the past. The repo
> sees a bunch more activity than what our own backporting strategy has
> been, and I see that as a positive.

Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a
try! ;)

BTW, we had just one backported commit to be removed, so 74 new commits
landed in this package compared to 233-7. Let's hope this gives some benefit.
--
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

attachment0 (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

NicoHood-3
On 07/05/2017 12:10 AM, Christian Hesse wrote:

> Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:
>> Hey all,
>>
>> This should be pretty much a no-brainer, but wanted to be sure I wasn't
>> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
>> which branches at each tag and cherry-picks backports. I'd like to
>> switch our systemd package to this repo to avoid some of the duplication
>> of work that Jan, Christian and myself have done in the past. The repo
>> sees a bunch more activity than what our own backporting strategy has
>> been, and I see that as a positive.
>
> Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a
> try! ;)
>
> BTW, we had just one backported commit to be removed, so 74 new commits
> landed in this package compared to 233-7. Let's hope this gives some benefit.
>
Systemd still does not use https sources. Regarding the recent
discussion about tricking git about wrong tags and other evil stuff it
is highly recommended to switch to https. Please do it in favor for all
ArchLinux users security.

Once more the reference:
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

Bartłomiej Piotrowski-3
On 2017-07-06 02:11, NicoHood wrote:

> On 07/05/2017 12:10 AM, Christian Hesse wrote:
>> Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:
>>> Hey all,
>>>
>>> This should be pretty much a no-brainer, but wanted to be sure I wasn't
>>> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
>>> which branches at each tag and cherry-picks backports. I'd like to
>>> switch our systemd package to this repo to avoid some of the duplication
>>> of work that Jan, Christian and myself have done in the past. The repo
>>> sees a bunch more activity than what our own backporting strategy has
>>> been, and I see that as a positive.
>>
>> Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a
>> try! ;)
>>
>> BTW, we had just one backported commit to be removed, so 74 new commits
>> landed in this package compared to 233-7. Let's hope this gives some benefit.
>>
>
> Systemd still does not use https sources. Regarding the recent
> discussion about tricking git about wrong tags and other evil stuff it
> is highly recommended to switch to https. Please do it in favor for all
> ArchLinux users security.
>
> Once more the reference:
> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
>

Regarding the recent discussion:

https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/028919.html

I really hoped I don't have to put "NicoHood" on top to make you realize
it's addressed to you. Please do it in favor for all Arch Linux packagers.
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

NicoHood-3
On 07/06/2017 09:12 AM, Bartłomiej Piotrowski wrote:

> On 2017-07-06 02:11, NicoHood wrote:
>> On 07/05/2017 12:10 AM, Christian Hesse wrote:
>>> Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:
>>>> Hey all,
>>>>
>>>> This should be pretty much a no-brainer, but wanted to be sure I wasn't
>>>> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
>>>> which branches at each tag and cherry-picks backports. I'd like to
>>>> switch our systemd package to this repo to avoid some of the duplication
>>>> of work that Jan, Christian and myself have done in the past. The repo
>>>> sees a bunch more activity than what our own backporting strategy has
>>>> been, and I see that as a positive.
>>>
>>> Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a
>>> try! ;)
>>>
>>> BTW, we had just one backported commit to be removed, so 74 new commits
>>> landed in this package compared to 233-7. Let's hope this gives some benefit.
>>>
>>
>> Systemd still does not use https sources. Regarding the recent
>> discussion about tricking git about wrong tags and other evil stuff it
>> is highly recommended to switch to https. Please do it in favor for all
>> ArchLinux users security.
>>
>> Once more the reference:
>> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
>>
>
> Regarding the recent discussion:
>
> https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/028919.html
>
> I really hoped I don't have to put "NicoHood" on top to make you realize
> it's addressed to you. Please do it in favor for all Arch Linux packagers.
>
What are you blaming me for now? This is a package everyone must install
and you are telling me we have other serious problems? Sure we have, but
compared to the time it takes to add an "s" to "http" this is a simple
excuse. And this is not about checksums man, this is about https where
even gpg signatures by git can be tricked.

And yes, I am doing stuff in the background. I wrote a guide and a tool
that simplifies source code signing[1] and I am doing a detailed
security analysis on all ArchLinux packages. And once it is ready I will
request gpg signatures from every upstream source, especially packages
from [core].

So you can tell me discussing about this is bullshit, right. But just
not reacting to obvious security problems that can be solved within
seconds is just not a single time better. Please do it in favor for all
Arch Linux User's Security.


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

NicoHood-3
On 07/06/2017 09:44 AM, NicoHood wrote:
> And yes, I am doing stuff in the background. I wrote a guide and a tool
> that simplifies source code signing[1] and I am doing a detailed
> security analysis on all ArchLinux packages. And once it is ready I will
> request gpg signatures from every upstream source, especially packages
> from [core].
>

Forgot the reference:
[1] https://github.com/NicoHood/gpgit


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

Allan McRae
In reply to this post by NicoHood-3
On 06/07/17 17:44, NicoHood wrote:
> ArchLinux

At least spell the name of the distro correctly.  It is the simple
addition of one space character between "Arch" and "Linux".  But I see
it is easy for people to forget about silly one character issues.

A
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

Bartłomiej Piotrowski-3
In reply to this post by NicoHood-3
On 2017-07-06 09:44, NicoHood wrote:

> On 07/06/2017 09:12 AM, Bartłomiej Piotrowski wrote:
>> On 2017-07-06 02:11, NicoHood wrote:
>>> On 07/05/2017 12:10 AM, Christian Hesse wrote:
>>>> Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:
>>>>> Hey all,
>>>>>
>>>>> This should be pretty much a no-brainer, but wanted to be sure I wasn't
>>>>> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
>>>>> which branches at each tag and cherry-picks backports. I'd like to
>>>>> switch our systemd package to this repo to avoid some of the duplication
>>>>> of work that Jan, Christian and myself have done in the past. The repo
>>>>> sees a bunch more activity than what our own backporting strategy has
>>>>> been, and I see that as a positive.
>>>>
>>>> Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a
>>>> try! ;)
>>>>
>>>> BTW, we had just one backported commit to be removed, so 74 new commits
>>>> landed in this package compared to 233-7. Let's hope this gives some benefit.
>>>>
>>>
>>> Systemd still does not use https sources. Regarding the recent
>>> discussion about tricking git about wrong tags and other evil stuff it
>>> is highly recommended to switch to https. Please do it in favor for all
>>> ArchLinux users security.
>>>
>>> Once more the reference:
>>> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
>>>
>>
>> Regarding the recent discussion:
>>
>> https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/028919.html
>>
>> I really hoped I don't have to put "NicoHood" on top to make you realize
>> it's addressed to you. Please do it in favor for all Arch Linux packagers.
>>
>
> What are you blaming me for now? This is a package everyone must install
> and you are telling me we have other serious problems? Sure we have, but
> compared to the time it takes to add an "s" to "http" this is a simple
> excuse. And this is not about checksums man, this is about https where
> even gpg signatures by git can be tricked.

Just as it is possible that a plane will fall into your house. The
existence of a way doesn't imply probability.

> And yes, I am doing stuff in the background. I wrote a guide and a tool
> that simplifies source code signing[1] and I am doing a detailed
> security analysis on all ArchLinux packages. And once it is ready I will
> request gpg signatures from every upstream source, especially packages
> from [core].

Great, you are pushing another personal project as something we should
glorify. Finish what you started first, instead of jumping between
multiple things, mostly accomplishing hostility towards you or anything
you propose. (Hint: nobody is taking you seriously anymore.)

> So you can tell me discussing about this is bullshit, right. But just
> not reacting to obvious security problems that can be solved within
> seconds is just not a single time better. Please do it in favor for all
> Arch Linux User's Security.
>

At this point I'm ready to just put you on moderation list. Trying to
make you less oblivious is a waste of time.

B
Reply | Threaded
Open this post in threaded view
|

Re: switching to systemd-stable

Jelle van der Waa-2
In reply to this post by NicoHood-3
Hi,

On 07/06/17 at 09:44am, NicoHood wrote:

> On 07/06/2017 09:12 AM, Bartłomiej Piotrowski wrote:
> > On 2017-07-06 02:11, NicoHood wrote:
> >> On 07/05/2017 12:10 AM, Christian Hesse wrote:
> >>> Dave Reisner <[hidden email]> on Sat, 2017/07/01 13:22:
> >>>> Hey all,
> >>>>
> >>>> This should be pretty much a no-brainer, but wanted to be sure I wasn't
> >>>> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
> >>>> which branches at each tag and cherry-picks backports. I'd like to
> >>>> switch our systemd package to this repo to avoid some of the duplication
> >>>> of work that Jan, Christian and myself have done in the past. The repo
> >>>> sees a bunch more activity than what our own backporting strategy has
> >>>> been, and I see that as a positive.
> >>>
> >>> Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a
> >>> try! ;)
> >>>
> >>> BTW, we had just one backported commit to be removed, so 74 new commits
> >>> landed in this package compared to 233-7. Let's hope this gives some benefit.
> >>>
> >>
> >> Systemd still does not use https sources. Regarding the recent
> >> discussion about tricking git about wrong tags and other evil stuff it
> >> is highly recommended to switch to https. Please do it in favor for all
> >> ArchLinux users security.
> >>
> >> Once more the reference:
> >> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
> >>
> >
> > Regarding the recent discussion:
> >
> > https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/028919.html
> >
> > I really hoped I don't have to put "NicoHood" on top to make you realize
> > it's addressed to you. Please do it in favor for all Arch Linux packagers.
> >
>
> What are you blaming me for now? This is a package everyone must install
> and you are telling me we have other serious problems? Sure we have, but
> compared to the time it takes to add an "s" to "http" this is a simple
> excuse. And this is not about checksums man, this is about https where
> even gpg signatures by git can be tricked.
I believe that a large group of Dev/Tu's do believe that security is a
serious issue and that we should put some effort into security. And I
can't thank everyone enough who has done a lot of work for example for
the Security Tracker. A few people have worked hard, without much
complaining and realy made a difference.

For the whole signing issue we have a todolist for GPG signatures and
never decided as far as I know on the sha256 or sha512 (or any poison)
sums. Yet there is one individual in our community who keeps harassing
(yes it's called harassment) Dev/Tu's to get GPG / HTTPS in PKGBUILD's.

I would appreciate it if the discussion regarding GPG sigs etc,
would be less dramatic. I'm kinda done with these requirements if I keep
getting bugged that it's missing md5sums, https while I have a GPG sig.
Calling out people, bugging them, isn't really the method to get things
done.

Note that this is my personal opinion, I surely do not speak for Arch as
a whole.

> And yes, I am doing stuff in the background. I wrote a guide and a tool
> that simplifies source code signing[1] and I am doing a detailed
> security analysis on all ArchLinux packages. And once it is ready I will
> request gpg signatures from every upstream source, especially packages
> from [core].

I appreciate the effort of contacting upstream about providing GPG
signatures, that's really great!

--
Jelle van der Waa

signature.asc (499 bytes) Download Attachment