Bruno Haible <br...@clisp.org> writes:

> Simon Josefsson wrote:
>> Why you may ask?
>
> Yes, the question immediately comes up: What problem do you propose to solve?
>
>> 1) If savannah is offline or compromised, having widely mirrored
>> known-good offline copies of the entire gnulib repository is nice.
>>
>> 2) Output of 'git clone' is not serialized or use a stable format, so a
>> 'tar cfz gnulib-20241210.tar.gz gnulib/' works poorly.
>>
>> 3) It would add PGP-style authentication and integrity checking of the
>> repository. Currently we only offer HTTPS only against Savannah and the
>> WebPKI is not as strong as trusting a PGP signature directly.
>
> These three arguments apply to all packages that are hosted on savannah,
> from emacs to coreutils, and from libidn to gnutls.
>
> Do you plan to propose the same thing for essentially all GNU packages?
>
> Or is there a specific reason why you propose it for Gnulib?
All those others already ship source code on ftp.gnu.org that achieves the goal of having a stable archival copy of a project. Gnulib doesn't fit into that model, but not fitting into that model also means we are doing away with all the advantages of release tarballs, including the ability to have offline copies with a PGP signature on. This makes the Savannah gnulib git repository a more attractive target. People are relying on it to build projects, instead of using release tarballs.

There are other git-only technologies to achieve some of these goals (PGP authentication) that we could consider -- for example https://archive.fosdem.org/2023/schedule/event/security_where_does_that_code_come_from/ -- but it doesn't solve 1) above.

We could start to do proper versioned releases of gnulib. Is that better? We are already fairly close to this, with the v1.0 git tag and the stable branches. Maybe that is the closest we want to go towards making proper releases though, and we don't actually want a ftp://ftp.gnu.org/gnu/gnulib/gnulib-1.1.tar.gz.

My primary goal is to have something stronger than an HTTPS URL to Savannah as a trust anchor for how to retrieve gnulib. PGP signatures on a serialized file, like a tarball or git bundle, are stronger. Going towards release tarballs doesn't fully solve this: people aren't using a particular gnulib release, they use wildly different git commits of gnulib. I suspect we don't want to release them all as different gnulib releases.

/Simon
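Point 2) in the quoted message, that `tar cfz` over a `git clone` "works poorly" as something to sign, is easy to see concretely. The following is an added illustration (not gnulib or Savannah tooling, and not code from anyone in this thread) that builds two constructed checkouts with identical content but different timestamps, and compares a naive `tar.gz` against a normalized one: sorted entries, fixed mtime/uid/gid/mode, no gzip name or timestamp. Only the normalized form yields a stable SHA-256, which is the thing a detached PGP signature would then be meaningful over. It captures the work tree only (the `.git` directory is skipped, since pack layout is not stable), which is exactly the gap a `git bundle` fills when history must be included. It assumes only the Python standard library; the directory names and the `gnulib-src` prefix are placeholders.

```python
"""Naive vs. normalized tar.gz of a checkout: why the naive one is a poor
thing to sign. Constructed illustration, not gnulib tooling."""
import gzip
import hashlib
import io
import os
import shutil
import tarfile
import tempfile


def naive_targz(root: str, prefix: str) -> bytes:
    """What 'tar cfz' effectively does: file mtimes, owner and the gzip
    timestamp all leak into the bytes, so two identical checkouts differ."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=prefix)
    return buf.getvalue()


def _normalize(ti: tarfile.TarInfo, mode: int, mtime: int) -> tarfile.TarInfo:
    """Strip everything host-specific from a tar header."""
    ti.mode = mode
    ti.mtime = mtime
    ti.uid = ti.gid = 0
    ti.uname = ti.gname = ""
    return ti


def deterministic_targz(root: str, prefix: str, mtime: int = 0) -> bytes:
    """Normalized archive: sorted entries, fixed metadata, gzip header with
    mtime 0 and no file name. Regular files and directories only; the .git
    directory is skipped because its pack layout is not a stable format."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz, \
            tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames[:] = sorted(d for d in dirnames if d != ".git")
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            arc_dir = prefix if rel == "." else f"{prefix}/{rel}"
            ti = tarfile.TarInfo(arc_dir)
            ti.type = tarfile.DIRTYPE
            tar.addfile(_normalize(ti, 0o755, mtime))
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                ti = tarfile.TarInfo(f"{arc_dir}/{name}")
                ti.size = st.st_size
                mode = 0o755 if st.st_mode & 0o100 else 0o644
                with open(path, "rb") as fh:
                    tar.addfile(_normalize(ti, mode, mtime), fh)
    return buf.getvalue()


def build_sample_tree(base: str, mtime: int) -> None:
    """Constructed stand-in for a checkout: fixed content, caller-chosen mtimes."""
    os.makedirs(os.path.join(base, "lib"))
    os.makedirs(os.path.join(base, ".git"))
    files = {
        "README": b"constructed sample tree\n",
        "lib/a.c": b"int a;\n",
        ".git/HEAD": b"ref: refs/heads/master\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    for d in (os.path.join(base, "lib"), os.path.join(base, ".git"), base):
        os.utime(d, (mtime, mtime))


def demo() -> dict:
    """Two checkouts, same content, different timestamps: compare digests."""
    work = tempfile.mkdtemp()
    try:
        a, b = os.path.join(work, "a"), os.path.join(work, "b")
        build_sample_tree(a, 1_000_000_000)
        build_sample_tree(b, 1_700_000_000)
        sha = lambda data: hashlib.sha256(data).hexdigest()
        det_a = deterministic_targz(a, "gnulib-src")
        det_b = deterministic_targz(b, "gnulib-src")
        with tarfile.open(fileobj=io.BytesIO(det_a), mode="r:gz") as tar:
            members = tar.getnames()
        return {
            "naive_equal": sha(naive_targz(a, "gnulib-src")) == sha(naive_targz(b, "gnulib-src")),
            "deterministic_equal": sha(det_a) == sha(det_b),
            "deterministic_sha256": sha(det_a),  # the value one would sign
            "members": members,
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints `naive_equal: False` and `deterministic_equal: True`: the naive archive's digest changes between two checkouts of the same commit, so a signature over it only vouches for one machine's copy, while the normalized digest is reproducible by anyone who can recreate the tree. For full history with stable bytes, the serialized artifact to sign is a `git bundle`, as the message above suggests.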