Github messages for voidlinux
* [PR PATCH] keybase: use hand-generated tarball
@ 2020-07-08 16:27 sgn
From: sgn @ 2020-07-08 16:27 UTC (permalink / raw)
  To: ml


There is a new pull request by sgn against master on the void-packages repository

https://github.com/sgn/void-packages keybase-signed-tarball
https://github.com/void-linux/void-packages/pull/23472

keybase: use hand-generated tarball
GitHub tarballs can be changed at any time, which renders GitHub
auto-generated tarballs invalid at some point [1]

Use keybase's manually generated tarball, which is verified with their code
signing key [2]

[1] https://github.com/keybase/client/issues/10800
[2] https://keybase.io/docs/server_security/code_signing_key.asc

---

@Vaelatern 

A patch file from https://github.com/void-linux/void-packages/pull/23472.patch is attached


From 091c0413b75c6362520f39d34a17efa9e80ad339 Mon Sep 17 00:00:00 2001
From: Đoàn Trần Công Danh <congdanhqx@gmail.com>
Date: Wed, 8 Jul 2020 23:14:48 +0700
Subject: [PATCH] keybase: use hand-generated tarball

GitHub tarballs can be changed at any time, which renders GitHub
auto-generated tarballs invalid at some point [1]

Use keybase's manually generated tarball, which is verified with their code
signing key [2]

[1] https://github.com/keybase/client/issues/10800
[2] https://keybase.io/docs/server_security/code_signing_key.asc
---
 srcpkgs/keybase/template | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/srcpkgs/keybase/template b/srcpkgs/keybase/template
index be4e07e5ede..48214c6dc1a 100644
--- a/srcpkgs/keybase/template
+++ b/srcpkgs/keybase/template
@@ -2,7 +2,7 @@
 pkgname=keybase
 version=5.5.1
 revision=1
-wrksrc="client-${version}"
+wrksrc="client-v${version}"
 build_style=go
 go_import_path="github.com/keybase/client"
 go_package="${go_import_path}/go/keybase
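Review bot: the `wrksrc` change on the `-`/`+` lines from `client-${version}` to `client-v${version}` only holds if the release `.tar.xz` archive really unpacks into a top-level `client-v5.5.1` directory; nothing in this hunk or in the commit message records that, so state in the commit message how the directory name was confirmed (a `tar tJf` listing of the downloaded archive is enough), since a later version bump will silently break extraction if upstream changes the layout.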
@@ -16,8 +16,8 @@ short_desc="Client for keybase.io"
 maintainer="Toyam Cox <Vaelatern@voidlinux.org>"
 license="BSD-3-Clause"
 homepage="https://keybase.io/"
-distfiles="https://github.com/keybase/client/archive/v${version}.tar.gz"
-checksum=a65dc4b62fc1299dd17da52ddd2484fa1dc1e7d2a4776c3a6e112ee020980b12
+distfiles="https://github.com/keybase/client/releases/download/v$version/keybase-v$version.tar.xz"
+checksum=a70abf39c68cef1effccf4b9b9b1ed2e9cad20ab4f6c4b66160b610eca1ec874
 
 post_install() {
 	vlicense LICENSE
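Review bot: the `+checksum=` line pins the sha256 of the release archive, but nothing in the template fetches or checks a detached signature, so the code-signing-key verification the commit message relies on is a one-time step on the packager's machine and cannot be repeated from this diff; record in the commit message which key fingerprint from [2] the tarball was verified against and the command used, so reviewers can reproduce it before trusting the new checksum. Minor style point: the new `distfiles` line uses `$version` twice where the removed line and the `wrksrc` line in the first hunk use `${version}`; keep the braces for consistency.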


* Re: keybase: use hand-generated tarball
From: Chocimier @ 2020-07-08 18:06 UTC (permalink / raw)
  To: ml


New comment by Chocimier on void-packages repository

https://github.com/void-linux/void-packages/pull/23472#issuecomment-655673066

Comment:
Is varying checksum the only reason? Contents checksum can be used then.


* Re: keybase: use hand-generated tarball
From: sgn @ 2020-07-09  0:12 UTC (permalink / raw)
  To: ml


New comment by sgn on void-packages repository

https://github.com/void-linux/void-packages/pull/23472#issuecomment-655821350

Comment:
On 2020-07-08 11:06:38-0700, Piotr <notifications@github.com> wrote:
> Is varying checksum the only reason? Contents checksum can be used then.

Yes, contents checksum can be used to verify all GitHub tarballs.
While we're switching to content checksum, we may as well switch to the
tarball signed by keybase. So, if there's anything shady in the tarball,
we can go straight (ehem) and blame them instead of GitHub.

Let's think about this theory:
- Some bad guys have control of the machine GitHub uses to generate tarballs,
  and decide to always put a specific file in some specific repo,
- Content checksums are always the same, but it's not the tarball we
  want.

In addition:

- Keybase is supposed to be security software, so I think it's
  better to double-check the checksum with the upstream developer
  before submitting to Void

-- 
Danh



* Re: keybase: use hand-generated tarball
From: Chocimier @ 2020-07-11 19:35 UTC (permalink / raw)
  To: ml


New comment by Chocimier on void-packages repository

https://github.com/void-linux/void-packages/pull/23472#issuecomment-657117544

Comment:
Ok, verifying the checksum of a file from gh against the checksum of a file from gh is a weak link. Does it need a rebuild with upstream-signed sources?


* Re: keybase: use hand-generated tarball
From: sgn @ 2020-07-12  0:55 UTC (permalink / raw)
  To: ml


New comment by sgn on void-packages repository

https://github.com/void-linux/void-packages/pull/23472#issuecomment-657156200

Comment:
On 2020-07-11 12:35:38-0700, Piotr <notifications@github.com> wrote:
> Ok, verifying the checksum of a file from gh against the checksum of a file from
> gh is a weak link. Does it need a rebuild with upstream-signed sources?

Both tarballs have the same content, now.
I don't think we need to rebuild

-- 
Danh



* Re: keybase: use hand-generated tarball
From: q66 @ 2020-07-12  2:38 UTC (permalink / raw)
  To: ml


New comment by q66 on void-packages repository

https://github.com/void-linux/void-packages/pull/23472#issuecomment-657165208

Comment:
contents checksum sucks because it's considerably more intensive and complicated to compute; it should be a last resort

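The two checksum strategies argued over in this thread, as an added example that is not part of the PR or of xbps-src: a tarball checksum breaks whenever the archive is regenerated with new metadata, while a contents checksum survives that but still only compares one GitHub download against an earlier GitHub download, so it cannot catch the pre-seeded tampering sgn describes; only an upstream signature breaks that loop. The contents-checksum definition (sha256 over sorted paths and bytes) and the sample source tree are assumptions, not xbps-src's implementation.

```python
"""Tarball checksum vs. contents checksum (added example, not xbps-src code).
The contents-checksum definition is assumed: sha256 over sorted file paths
and bytes; xbps-src's own implementation may differ. Sample data constructed."""
import gzip
import hashlib
import io
import tarfile

def build_tarball(files: dict, mtime: int) -> bytes:
    """Pack {path: bytes} into .tar.gz with fixed tar and gzip mtimes.
    Same files with another mtime models GitHub regenerating an archive."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path in sorted(files):
            info = tarfile.TarInfo(name=path)
            info.size, info.mtime = len(files[path]), mtime
            tar.addfile(info, io.BytesIO(files[path]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def tarball_checksum(data: bytes) -> str:
    """What a plain checksum= line pins: the archive bytes themselves."""
    return hashlib.sha256(data).hexdigest()

def contents_checksum(data: bytes) -> str:
    """Hash file paths and contents only, ignoring tar/gzip metadata.
    Every member is decompressed and read: the extra cost q66 objects to."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in sorted((m for m in tar.getmembers() if m.isfile()), key=lambda m: m.name):
            h.update(m.name.encode() + b"\0" + tar.extractfile(m).read() + b"\0")
    return h.hexdigest()

# Constructed stand-in for the keybase client source tree.
SOURCE = {"client-5.5.1/LICENSE": b"BSD-3-Clause\n",
          "client-5.5.1/go/keybase/main.go": b"package main\n"}

def compare() -> dict:
    """Properties the thread argues about, each True or False."""
    first = build_tarball(SOURCE, 1594000000)
    regenerated = build_tarball(SOURCE, 1594100000)  # same files, new metadata
    tampered = build_tarball({**SOURCE, "client-5.5.1/extra": b"injected\n"}, 1594000000)
    return {
        "tarball_sum_survives_regeneration": tarball_checksum(first) == tarball_checksum(regenerated),
        "contents_sum_survives_regeneration": contents_checksum(first) == contents_checksum(regenerated),
        "contents_sum_catches_added_file": contents_checksum(first) != contents_checksum(tampered),
    }
```

Note that `tampered` passes a contents check just as well as `first` does if the reference hash was taken from an already tampered download, which is the weak link Chocimier points at.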

* Re: [PR PATCH] [Merged]: keybase: use hand-generated tarball
From: Vaelatern @ 2020-07-13 18:23 UTC (permalink / raw)
  To: ml


There's a merged pull request on the void-packages repository

keybase: use hand-generated tarball
https://github.com/void-linux/void-packages/pull/23472

Description:
GitHub tarballs can be changed at any time, which renders GitHub
auto-generated tarballs invalid at some point [1]

Use keybase's manually generated tarball, which is verified with their code
signing key [2]

[1] https://github.com/keybase/client/issues/10800
[2] https://keybase.io/docs/server_security/code_signing_key.asc

---

@Vaelatern 

