Missing checksums for github.com/erlang/otp/releases


Missing checksums for github.com/erlang/otp/releases

Gerhard Lazu
I think it would be great to have checksums publicly available when a new Erlang/OTP patch is tagged on GitHub. Something as simple as this will do:

sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256
# $RELEASE_ID is the numeric id returned by GET /repos/erlang/otp/releases/tags/OTP-21.2.2; $GITHUB_TOKEN needs write access to the repo's releases
curl --request POST --header "Authorization: token $GITHUB_TOKEN" --header "Content-Type: text/plain" \
  --data-binary "@OTP-21.2.2.tar.gz.sha256" "https://uploads.github.com/repos/erlang/otp/releases/$RELEASE_ID/assets?name=OTP-21.2.2.tar.gz.sha256"

Is this something that others are missing? If not, how do you answer "I know that this Erlang/OTP build is legit" in your production environments?

Thank you, Gerhard.

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: Missing checksums for github.com/erlang/otp/releases

Gerhard Lazu
I've noticed that the bundle-otp script in github.com/erlang/otp is used when minor releases are produced, such as 21.2. I've also noticed that this script is responsible for creating the bundle.txt which contains the HEAD git sha at the time of bundling.

Lukas, I can see that you have released 21.2, as well as 21.1. Would you be willing to sign OTP releases and upload the signature when creating a release on GitHub? On team RabbitMQ, this is an automated process for all public artefacts, I would be happy to help. We can use TravisCI and adapt bundle-otp for all releases, not only minor ones, as well as add GPG signing. What do you think?

Thank you, Gerhard.

On Wed, Jan 9, 2019 at 5:08 PM Gerhard Lazu <[hidden email]> wrote:
> I think it would be great to have checksums publicly available when a new Erlang/OTP patch is tagged on GitHub. Something as simple as this will do:
>
> sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256
> # $RELEASE_ID is the numeric id returned by GET /repos/erlang/otp/releases/tags/OTP-21.2.2; $GITHUB_TOKEN needs write access to the repo's releases
> curl --request POST --header "Authorization: token $GITHUB_TOKEN" --header "Content-Type: text/plain" \
>   --data-binary "@OTP-21.2.2.tar.gz.sha256" "https://uploads.github.com/repos/erlang/otp/releases/$RELEASE_ID/assets?name=OTP-21.2.2.tar.gz.sha256"
>
> Is this something that others are missing? If not, how do you answer "I know that this Erlang/OTP build is legit" in your production environments?
>
> Thank you, Gerhard.


Re: Missing checksums for github.com/erlang/otp/releases

Lukas Larsson-8


On Fri, Jan 11, 2019 at 3:30 PM Gerhard Lazu <[hidden email]> wrote:
> I've noticed that the bundle-otp script in github.com/erlang/otp is used when minor releases are produced, such as 21.2. I've also noticed that this script is responsible for creating the bundle.txt which contains the HEAD git sha at the time of bundling.
>
> Lukas, I can see that you have released 21.2, as well as 21.1. Would you be willing to sign OTP releases and upload the signature when creating a release on GitHub? On team RabbitMQ, this is an automated process for all public artefacts, I would be happy to help. We can use TravisCI and adapt bundle-otp for all releases, not only minor ones, as well as add GPG signing. What do you think?

The bundling script is already done by travis, it just happens to be my user that is used to authenticate with github when updating the artifacts. https://github.com/erlang/otp/blob/master/.travis.yml#L92-L111

The bundler was mainly something I did because Ericsson needed it, but if it can be extended to be useful to the open source community as well that would be great :)

Keep in mind though that one of the things that bundle-otp does is associate a corba version with an Erlang/OTP version. This is only possible to automate for major and minor releases, not for patches. So the otp-bundle.tar.gz should not be created for patches, but any GPG signing etc could be done for all tags.

> Thank you, Gerhard.
>
> On Wed, Jan 9, 2019 at 5:08 PM Gerhard Lazu <[hidden email]> wrote:
> > I think it would be great to have checksums publicly available when a new Erlang/OTP patch is tagged on GitHub. Something as simple as this will do:
> >
> > sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256
> > # $RELEASE_ID is the numeric id returned by GET /repos/erlang/otp/releases/tags/OTP-21.2.2; $GITHUB_TOKEN needs write access to the repo's releases
> > curl --request POST --header "Authorization: token $GITHUB_TOKEN" --header "Content-Type: text/plain" \
> >   --data-binary "@OTP-21.2.2.tar.gz.sha256" "https://uploads.github.com/repos/erlang/otp/releases/$RELEASE_ID/assets?name=OTP-21.2.2.tar.gz.sha256"
> >
> > Is this something that others are missing? If not, how do you answer "I know that this Erlang/OTP build is legit" in your production environments?
> >
> > Thank you, Gerhard.

Re: Missing checksums for github.com/erlang/otp/releases

Gerhard Lazu
Hi,

> The bundler was mainly something I did because Ericsson needed it, but if it can be extended to be useful to the open source community as well that would be great :)
>
> Keep in mind though that one of the things that bundle-otp does is associate a corba version with an Erlang/OTP version. This is only possible to automate for major and minor releases, not for patches. So the otp-bundle.tar.gz should not be created for patches, but any GPG signing etc could be done for all tags.

I will have a go at modifying the .travis.yml to build & GPG sign Erlang/OTP bundles when it detects a tag. I will leave bundle-otp unmodified since it seems to serve a different purpose. I figured out how the resulting artefacts get published to github.com/erlang/otp/releases, thank you!

I couldn't find your GPG key on sks-keyservers.net. Do you have one Lukas?


Re: Missing checksums for github.com/erlang/otp/releases

Lukas Larsson-8


On Sat, Jan 12, 2019 at 8:28 PM Gerhard Lazu <[hidden email]> wrote:
> Hi,
>
> > The bundler was mainly something I did because Ericsson needed it, but if it can be extended to be useful to the open source community as well that would be great :)
> >
> > Keep in mind though that one of the things that bundle-otp does is associate a corba version with an Erlang/OTP version. This is only possible to automate for major and minor releases, not for patches. So the otp-bundle.tar.gz should not be created for patches, but any GPG signing etc could be done for all tags.
>
> I will have a go at modifying the .travis.yml to build & GPG sign Erlang/OTP bundles when it detects a tag. I will leave bundle-otp unmodified since it seems to serve a different purpose. I figured out how the resulting artefacts get published to github.com/erlang/otp/releases, thank you!

Great!

> I couldn't find your GPG key on sks-keyservers.net. Do you have one Lukas?

Nope, I do not. I can get one though if you just point me to a guide on how to get one :) I've never done anything with GPG so this is all new to me.
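As an added example (not code from this thread or from erlang/otp), here is the consumer side of what the thread proposes: a fail-closed check of a downloaded tarball against the OTP-<ver>.tar.gz.sha256 asset, plus verification of a detached GPG signature against a pinned keyring. The .asc signature name, the dedicated keyring path and the gpg invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread or of erlang/otp: verify a downloaded
# release the way a consumer of the proposed .sha256 / .asc assets would.
# Every failure path returns non-zero so a CI step using it fails closed.

# Hex SHA-256 of a file; falls back to shasum where sha256sum is absent (macOS).
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 TARBALL CHECKSUM_FILE
# CHECKSUM_FILE is in sha256sum format ("<hex>  <name>" or "<hex> *<name>"),
# as produced by the sha256sum command quoted at the top of the thread.
verify_sha256() {
    tarball=$1; sums=$2
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -f "$sums" ] || { echo "missing checksum file: $sums" >&2; return 1; }
    expected=$(awk -v f="$(basename "$tarball")" \
        '{ sub(/^\*/, "", $2) } $2 == f { print $1; exit }' "$sums")
    # Reject an empty or non-hex digest rather than comparing against it.
    case "$expected" in
        '' | *[!0-9a-f]*) echo "no valid sha256 for $tarball in $sums" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length in $sums" >&2; return 1; }
    actual=$(digest_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $tarball: expected $expected, got $actual" >&2
        return 1
    fi
}

# verify_gpg TARBALL SIGNATURE_FILE KEYRING
# KEYRING is a dedicated keyring holding only the release signing key (an
# assumption of this example), so a stray key in the default keyring cannot
# vouch for the tarball. A checksum proves integrity; only the signature
# ties the artefact to the releaser.
verify_gpg() {
    tarball=$1; sig=$2; keyring=$3
    [ -f "$sig" ] && [ -f "$keyring" ] || { echo "missing signature or keyring" >&2; return 1; }
    gpg --batch --no-default-keyring --keyring "$keyring" --verify "$sig" "$tarball"
}
```

A CI job would chain both checks (`verify_sha256 ... && verify_gpg ...`) before unpacking the tarball, so a tampered or unsigned download never reaches the build step.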