From: Daniel P. Berrangé
To: Stefan Hajnoczi
Cc: Thomas Huth, Stefan Hajnoczi, Philippe Mathieu-Daudé, qemu-devel, Eldon Stegall, michael.roth@amd.com, Paolo Bonzini
Subject: Re: Moving QEMU downloads to GitLab Releases?
Date: Fri, 1 Oct 2021 09:52:20 +0100

On Fri, Oct 01, 2021 at 08:11:35AM +0100, Stefan Hajnoczi wrote:
> We need to keep the security of QEMU releases in mind. Mike Roth
> signs and publishes releases. Whoever facilitates or hosts the files
> should not be able to modify the files after Mike has blessed them. One
> way to do this is to keep hosting the .sig files on download.qemu.org
> and to redirect the actual tarballs to a file hosting provider. A way to
> securely publish files without hosting anything on qemu.org would be
> even better though (maybe it's enough to publish signatures on the
> static GitLab Pages website).

If someone modifies the download files, then when you verify the sig
it will be detected. It doesn't matter whether the sig is on the same
host or not, because if someone modifies the sig too, then it will
still fail validation. The important thing is that the user has got
the right public key to verify with.

IOW, hosting the .sig separately is not required. We need to ensure
that our public key, however, is published & discoverable in a
trustworthy place that is separate from the download server. We fail
at that today because www.qemu.org and download.qemu.org are the same
server.

So it will be beneficial if the download site is split off from the
public website, compared to our current setup.

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
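
The trust argument in the reply above, as an added example that is not part of the original mail or of QEMU's tooling: it checks a constructed tarball and its .sig against a key obtained either from a separate site or from the download host itself. A Lamport one-time hash-based signature built from the Python standard library stands in for the release's real signature scheme, and the host dictionaries and function names are hypothetical.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(data):
    d = int.from_bytes(H(data), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, data):
    # Reveal one secret per digest bit.
    return [sk[i][b] for i, b in enumerate(bits(data))]

def verify(pk, data, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(data))))

def user_verifies(download_host, key_host):
    # Tarball and .sig always come from the download host; the key from key_host.
    return verify(key_host["pubkey"], download_host["tarball"], download_host["sig"])

def scenarios():
    signer_sk, signer_pk = keygen()
    tarball = b"constructed release tarball"  # sample data, not a real release
    download = {"tarball": tarball, "sig": sign(signer_sk, tarball), "pubkey": signer_pk}
    website = {"pubkey": signer_pk}  # key published separately from downloads
    out = {"clean": user_verifies(download, website)}
    # Download host modified: tarball only.
    tampered = dict(download, tarball=b"modified tarball")
    out["file_modified"] = user_verifies(tampered, website)
    # Tarball and .sig both replaced, re-signed with a different key.
    other_sk, other_pk = keygen()
    resigned = dict(tampered, sig=sign(other_sk, tampered["tarball"]), pubkey=other_pk)
    out["file_and_sig_modified"] = user_verifies(resigned, website)
    # Key fetched from the same host as the files: it was replaced too.
    out["key_from_same_host"] = user_verifies(resigned, resigned)
    return out

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} verification {'passes' if ok else 'fails'}")
```

Only the last scenario passes verification on modified content, which is the case where the key and the files share one server.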