qemu-devel

Re: Moving QEMU downloads to GitLab Releases?


From: Daniel P . Berrangé
Subject: Re: Moving QEMU downloads to GitLab Releases?
Date: Fri, 1 Oct 2021 09:52:20 +0100
User-agent: Mutt/2.0.7 (2021-05-04)

On Fri, Oct 01, 2021 at 08:11:35AM +0100, Stefan Hajnoczi wrote:
> We need to keep the security of QEMU releases in mind. Mike Roth
> signs and publishes releases. Whoever facilitates or hosts the files
> should not be able to modify the files after Mike has blessed them. One
> way to do this is to keep hosting the .sig files on download.qemu.org
> and to redirect the actual tarballs to a file hosting provider. A way to
> securely publish files without hosting anything on qemu.org would be
> even better though (maybe it's enough to publish signatures on the
> static GitLab Pages website).

If someone modifies the download files, then when you verify the sig
it will be detected. It doesn't matter whether the sig is on the same
host or not, because if someone modifies the sig too, then it will
still fail validation. The important thing is that the user has got
the right public key to verify with.

IOW, hosting the .sig separately is not required. We need to ensure
that our public key, however, is published & discoverable in a
trustworthy place that is separate from the download server. We fail
at that today because www.qemu.org and download.qemu.org are the
same server.

So it will be beneficial if the download site is split off from
the public website, compared to our current setup.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
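
The argument in the message above, as an added example that is not part of the original mail or of QEMU's release tooling. A Lamport one-time signature over SHA-256 stands in for the GPG signature so the script needs only the Python standard library; the tarball bytes, both key pairs and all function names are constructed for illustration.

```python
import hashlib
import os

# Lamport one-time signatures over SHA-256 stand in for the GPG signature on a
# release tarball (assumption: swapped in so the script needs only the stdlib).

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(data):
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data):
    # Reveal one of the two secrets per digest bit.
    return [sk[i][b] for i, b in enumerate(bits(data))]

def verify(pk, data, sig):
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(data)), sig))

def scenarios():
    signer_sk, signer_pk = keygen()  # release signer's key pair (constructed)
    host_sk, host_pk = keygen()      # key pair of whoever controls the download host
    tarball = b"constructed release tarball bytes"
    sig = sign(signer_sk, tarball)
    modified = tarball + b" (modified on the download host)"
    resigned = sign(host_sk, modified)
    return {
        # The user's public key came from a place separate from the download host.
        "untouched": verify(signer_pk, tarball, sig),
        "file_modified": verify(signer_pk, modified, sig),
        "file_and_sig_modified": verify(signer_pk, modified, resigned),
        # The public key was fetched from the same host as the download.
        "key_also_replaced": verify(host_pk, modified, resigned),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the last case is accepted with modified content, and it is the one where the verification key came from the same host as the download.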



