
Re: Link to KEYS file on our download page

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Wed, 2 Oct 2019 17:29:00 +0000

Daniel Shahaf wrote on Mon, Sep 30, 2019 at 17:00:23 +0000:
> Julian Foad wrote on Mon, 30 Sep 2019 16:34 +00:00:
> > Nothing happened there.
> >
> > I have now manually added a copy
> > of https://people.apache.org/keys/group/subversion.asc
> > to https://www.apache.org/dist/subversion/KEYS
> > via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
> > and updated our download page to point to it (r1867780).
>
> Thanks.
>
> However, I still wonder why we shouldn't have this command run automatically —
> .
> curl -sSf https://people.apache.org/keys/group/subversion.asc | svnmucc -U https://dist.apache.org/repos/dist/ put /dev/stdin dev/subversion/subversion-1.13.0-rc1.KEYS
> .
> — and be done with it for good. It could be run from release.py, for example.

I think the following should do it, though we may want to ask Infra to add
a «*.KEYS» pattern to their rsyncd.conf exclude= line, to prevent the *.KEYS
files from being mirrored. (That's already true for *.asc files.)

[[[
release.py: Automatically add to dist/ a current KEYS file with each release.

In particular, this means versioned KEYS files will be archived to
archive.a.o/dist/, and will continue to contain keys after those have
been removed from a committer's id.a.o profile.

* tools/dist/release.py
  (download_file): Make checksum verification opt-outable.
  (roll_tarballs): Download the KEYS file to the target directory.
    Rely on TLS for authenticity and integrity of the downloaded
    file (as we already do for authenticity and integrity of the subsequent
    commit operation).

* tools/dist/templates/download.ezt,
* tools/dist/templates/rc-release-ann.ezt,
* tools/dist/templates/stable-release-ann.ezt:
    Link to the per-release KEYS file.
]]]

[[[
Index: tools/dist/release.py
===================================================================
--- tools/dist/release.py (revision 1867888)
+++ tools/dist/release.py (working copy)
@@ -294,7 +294,14 @@ def run_script(verbose, script, hide_stderr=False)
     for l in script.split('\n'):
         run_command(l.split(), verbose, hide_stderr)
 
-def download_file(url, target, checksum):
+def download_file(url, target, checksum):
+ """Download the file at URL to the local path TARGET.
+ If CHECKSUM is a string, verify the checksum of the downloaded
+ file and raise RuntimeError if it does not match. If CHECKSUM
+ is None, do not verify the downloaded file.
+ """
+ assert checksum is None or isinstance(checksum, str)
+
     response = urllib2.urlopen(url)
     target_file = open(target, 'w+')
     target_file.write(response.read())
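Review bot: the log message's claim that TLS provides authenticity and integrity of the downloaded file only holds if the urllib2.urlopen(url) call in this hunk's context actually validates the server certificate, and Python 2 before 2.7.9 (PEP 476) verified neither the certificate chain nor the hostname by default, so on an older interpreter the new checksum-less mode of download_file is an unauthenticated HTTPS fetch. Since this function now has a mode with no other check at all, either state the minimum Python version in the docstring next to the new CHECKSUM paragraph, or pass an explicit context from ssl.create_default_context() to urlopen so the requirement is enforced rather than assumed.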
@@ -303,7 +310,7 @@ def run_script(verbose, script, hide_stderr=False)
     m.update(target_file.read())
     target_file.close()
     checksum2 = m.hexdigest()
- if checksum != checksum2:
+ if checksum is not None and checksum != checksum2:
         raise RuntimeError("Checksum mismatch for '%s': "\
                            "downloaded: '%s'; expected: '%s'" % \
                            (target, checksum, checksum2))
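Review bot: the RuntimeError message in this hunk's context lines reports its two values the wrong way round: the format string says "downloaded: '%s'; expected: '%s'" but the tuple is (target, checksum, checksum2), where checksum is the expected value passed in by the caller and checksum2 is the digest of what was actually downloaded. Since the comparison on the line above is being changed anyway, swap the last two to (target, checksum2, checksum) so a mismatch report does not mislead whoever is chasing a bad download.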
@@ -966,7 +973,12 @@ def roll_tarballs(args):
         shutil.copy(os.path.join(get_workdir(args.base_dir),
                                  'subversion', 'include', 'svn_version.h'),
                     os.path.join(get_target(args),
- 'svn_version.h.dist-%s' % str(args.version)))
+ 'svn_version.h.dist-%s'
+ % (str(args.version),)))
+ download_file(KEYS,
+ os.path.join(get_target(args),
+ 'subversion-%s.KEYS' % (str(args.version),)),
+ None)
 
     # And we're done!
 
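Review bot: KEYS is used here as a module-level name but nothing in this patch defines it; unless release.py already has a KEYS constant holding the URL of the group keyring, roll_tarballs will raise NameError at the very end of a roll, after the tarballs have been built. Separately, passing None as the checksum means whatever the server returns is written straight into the target directory: at minimum check that the body is non-empty and contains a "-----BEGIN PGP PUBLIC KEY BLOCK-----" line before it lands next to the tarballs, otherwise an empty response or an HTML error page from people.apache.org would be committed to dist/ as the release's KEYS file.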
Index: tools/dist/templates/download.ezt
===================================================================
--- tools/dist/templates/download.ezt (revision 1867888)
+++ tools/dist/templates/download.ezt (working copy)
@@ -4,10 +4,12 @@
   <th>File</th>
   <th>Checksum (SHA512)</th>
   <th>Signatures</th>
+ <th>PGP Public Keys</th>
 </tr>
 [for fileinfo]<tr>
   <td>[fileinfo.filename]</td>
   <td>[SHA-512]</td>
- <td>[PGP]</td>
+ <td>[PGP signatures]</td>
+ <td>[PGP keyring]</td>
 </tr>[end]
 </table>
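Review bot: the template now references [PGP signatures] and [PGP keyring] instead of [PGP], but no hunk in this patch touches the code that builds the data for download.ezt (the release.py hunks only change download_file and roll_tarballs), so the renamed and added cells have nothing to render. Please also confirm that ezt accepts a substitution name containing a space: every other name in this template ([SHA-512], [fileinfo.filename]) avoids one, and ezt splits the bracket contents on whitespace, so a name such as [PGP-keyring], together with the matching key in the dictionary passed to the template, would be the safer choice.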
Index: tools/dist/templates/rc-release-ann.ezt
===================================================================
--- tools/dist/templates/rc-release-ann.ezt (revision 1867888)
+++ tools/dist/templates/rc-release-ann.ezt (working copy)
@@ -23,6 +23,10 @@ PGP Signatures are available at:
 For this release, the following people have provided PGP signatures:
 
 [siginfo]
+These public keys are available at:
+
+ https://www.apache.org/dist/subversion/subversion-[version].KEYS
+
 This is a pre-release for what will eventually become version [major-minor-patch] of the
 Apache Subversion open source version control system. It may contain known
 issues, a complete list of [major-minor-patch]-blocking issues can be found
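Review bot: "These public keys are available at:" directly under [siginfo] reads as though the linked file holds exactly the signers' keys, but the file being published is a copy of the whole group keyring (people.apache.org/keys/group/subversion.asc, per the earlier mail quoted in this thread), so it also contains committer keys that signed nothing for this release. Suggest "The public keys of all Subversion committers, including the signers above, are available at:" so a reader does not take a key's presence in the file as evidence that it was used for this release.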
Index: tools/dist/templates/stable-release-ann.ezt
===================================================================
--- tools/dist/templates/stable-release-ann.ezt (revision 1867888)
+++ tools/dist/templates/stable-release-ann.ezt (working copy)
@@ -34,6 +34,10 @@ PGP Signatures are available at:
 For this release, the following people have provided PGP signatures:
 
 [siginfo]
+These public keys are available at:
+
+ https://www.apache.org/dist/subversion/subversion-[version].KEYS
+
 Release notes for the [major-minor].x release series may be found at:
 
     https://subversion.apache.org/docs/release-notes/[major-minor].html
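Review bot: the URL https://www.apache.org/dist/subversion/subversion-[version].KEYS in a stable-release announcement will stop resolving once the release is moved out of dist/, and the log message itself says the versioned KEYS files end up on archive.a.o/dist/; announcements are read from the list archives long after that. Consider linking the archive.apache.org location as well, or instead, since that is the one that stays valid. The same applies to the release-candidate announcement, where the files leave dist/ even sooner.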
]]]

Cheers,

Daniel
Received on 2019-10-02 19:29:15 CEST
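As an added example, not part of this message or of the Subversion project's release.py: the patch above passes None as the checksum when it fetches the KEYS file, so nothing inspects the body before it is written next to the tarballs, and an empty response, an error page or a truncated keyring would be committed as-is. The Python 3 code below models a content check a release script could run on the downloaded text. It locates each ASCII-armored block, decodes the base64, verifies the armor CRC-24 from RFC 4880 section 6.1, and confirms that the first OpenPGP packet is a public-key packet (tag 6), ignoring the pub/uid listing lines an Apache KEYS file carries outside the blocks. The sample KEYS text is constructed inline around a dummy packet; the function names, the listing lines and the example.invalid address are assumptions for the example, not project code.

```python
"""Sanity-check an Apache-style KEYS file before publishing it.

Added example, not Subversion project code.  Every armored block must
decode cleanly, its armor CRC-24 must match, and its first OpenPGP packet
must be a public-key packet (tag 6).  The sample at the bottom is
constructed here and is not a real committer key.
"""
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 used for the '=xxxx' checksum line of OpenPGP armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def first_packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet, from an old- or new-format header byte."""
    if not data or not data[0] & 0x80:
        raise ValueError("data does not start with an OpenPGP packet header")
    ptag = data[0]
    if ptag & 0x40:            # new format: tag in the low 6 bits
        return ptag & 0x3F
    return (ptag >> 2) & 0x0F  # old format: tag in bits 2-5


def decode_armored_block(lines) -> bytes:
    """Decode the lines between BEGIN and END; raise ValueError on any defect."""
    # Drop "Key: value" armor headers and blank lines; base64 never contains ': '.
    body = [l.strip() for l in lines if l.strip() and ": " not in l]
    if not body or not body[-1].startswith("="):
        raise ValueError("armored block has no CRC-24 line")
    crc_line, data_lines = body[-1], body[:-1]
    if not data_lines:
        raise ValueError("armored block has no data")
    data = base64.b64decode("".join(data_lines), validate=True)
    crc_bytes = base64.b64decode(crc_line[1:], validate=True)
    if len(crc_bytes) != 3 or crc24(data) != int.from_bytes(crc_bytes, "big"):
        raise ValueError("armor CRC-24 mismatch")
    if first_packet_tag(data) != 6:
        raise ValueError("first packet is not a public-key packet")
    return data


def parse_keys_file(text: str):
    """Return the decoded public-key blocks in TEXT, validating each one.

    Text outside BEGIN/END (the pub/uid listing in Apache KEYS files) is
    ignored; an unterminated or malformed block raises ValueError.
    """
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == BEGIN:
            if current is not None:
                raise ValueError("BEGIN inside an open block")
            current = []
        elif line.strip() == END:
            if current is None:
                raise ValueError("END without BEGIN")
            blocks.append(decode_armored_block(current))
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        raise ValueError("unterminated armored block")
    return blocks


def count_public_keys(text: str) -> int:
    """Number of valid public-key blocks; raises if there are none or one is bad."""
    n = len(parse_keys_file(text))
    if n == 0:
        raise ValueError("KEYS file contains no public-key block")
    return n


def armor(packets: bytes) -> str:
    """Wrap raw packet bytes in a public-key armor block (for sample input only)."""
    data = base64.b64encode(packets).decode("ascii")
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    body = "\n".join(data[i:i + 64] for i in range(0, len(data), 64))
    return f"{BEGIN}\n\n{body}\n={crc}\n{END}\n"


# Constructed stand-in for a KEYS file: a gpg-style listing followed by one
# armored block.  0x99 is an old-format public-key packet header (tag 6)
# with a 2-byte length; the payload bytes are dummies, not a real key.
FAKE_PUBKEY_PACKET = b"\x99\x00\x03abc"
SAMPLE_KEYS = (
    "pub   rsa4096 2019-01-01 [SC]\n"
    "      0000000000000000000000000000000000000000\n"
    "uid           Example Committer <committer@example.invalid>\n"
    + armor(FAKE_PUBKEY_PACKET)
)

if __name__ == "__main__":
    print("valid public-key blocks:", count_public_keys(SAMPLE_KEYS))
```

A release script would call count_public_keys on the response body before writing the file, and treat ValueError as a failed roll. The check only rejects text that cannot be a keyring; it does not replace importing the keys into gpg and verifying a release signature against them.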

This is an archived mail posted to the Subversion Dev mailing list.
