qemu-devel

Re: Moving QEMU downloads to GitLab Releases?


From: Stefan Hajnoczi
Subject: Re: Moving QEMU downloads to GitLab Releases?
Date: Mon, 4 Oct 2021 09:53:27 +0100

On Fri, Oct 01, 2021 at 09:52:20AM +0100, Daniel P. Berrangé wrote:
> On Fri, Oct 01, 2021 at 08:11:35AM +0100, Stefan Hajnoczi wrote:
> > We need to keep the security of QEMU releases in mind. Mike Roth
> > signs and publishes releases. Whoever facilitates or hosts the files
> > should not be able to modify the files after Mike has blessed them. One
> > way to do this is to keep hosting the .sig files on download.qemu.org
> > and to redirect the actual tarballs to a file hosting provider. A way to
> > securely publish files without hosting anything on qemu.org would be
> > even better though (maybe it's enough to publish signatures on the
> > static GitLab Pages website).
> 
> If someone modifies the download files, then when you verify the sig
> it will be detected. It doesn't matter whether the sig is on the same
> host or not, because if someone modifies the sig too, then it will
> still fail validation. The important thing is that the user has got
> the right public key to verify with.
> 
> IOW, hosting the .sig separately is not required. We need to ensure
> that our public key, however, is published & discoverable in a
> trustworthy place that is separate from the download server. We fail
> at that today because www.qemu.org and download.qemu.org are the
> same server.
> 
> So it will be beneficial if the download site is split off from
> the public website, compared to our current setup.

You're right. Thanks for pointing this out. I was thinking of the .sig
as a checksum but it's a signature :-).

Stefan
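
The checksum-versus-signature point made in this thread, as an added example that is not part of the original message or of QEMU's release tooling. It uses Lamport one-time signatures over SHA-256 as a stand-in for PGP so that it runs on the Python standard library alone; the file contents, key pairs and function names are constructed for illustration.

```python
# Added illustration, not from the thread. Lamport one-time signatures stand in
# for PGP signatures; all byte strings and keys below are constructed.
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Return (private, public): 256 pairs of secrets and their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, msg: bytes):
    # Reveal one secret per digest bit. Each key may sign only one message.
    return [priv[i][b] for i, b in enumerate(bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    return all(H(s) == pub[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def scenarios():
    release = b"constructed release tarball bytes"
    tampered = b"constructed tarball with a modification"
    maintainer_priv, maintainer_pub = keygen()
    other_priv, other_pub = keygen()   # key pair held by the download host
    good_sig = sign(maintainer_priv, release)
    other_sig = sign(other_priv, tampered)
    return {
        # Genuine file and signature, public key obtained from a trusted place.
        "genuine": verify(maintainer_pub, release, good_sig),
        # File and checksum replaced together: the checksum still matches.
        "checksum_swapped": H(tampered) == H(tampered),
        # File replaced, original .sig left in place.
        "file_swapped": verify(maintainer_pub, tampered, good_sig),
        # File and .sig both replaced; the user holds the real public key.
        "file_and_sig_swapped": verify(maintainer_pub, tampered, other_sig),
        # Public key served from the same host, so it is replaced as well.
        "key_swapped_too": verify(other_pub, tampered, other_sig),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:22} accepted={accepted}")
```

Only the last case defeats signature verification, which is why the public key has to be discoverable somewhere separate from the download server.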
