Re: binutils snapshot builds

[Sam James <sam@gentoo.org>]

Mark Wielaard <mark@klomp.org> writes:

> Hi Sam,
>
> On Fri, May 24, 2024 at 12:37:00AM +0100, Sam James wrote:
>> > Do note that these snapshots are generated totally automatically, it
>> > could right after a bad/accidental commit. Nobody double checks any of
>> > the snapshots (except that they could be generated). So please don't
>> > trust them even if some checksum (which would also be generated
>> > automatically) matches.
>> 
>> This is fine as I already check the diff before using it anywhere
>> non-automated.
>> 
>> But I would appreciate if you could consider signing them with an
>> automated key, at least for the GCC snapshots (which are stored
>> elsewhere), because we currently grab them from mirrors to avoid
>> overloading sourceware. But we have no way of verifying mirrors didn't
>> tamper...
>
> hmmmm, but that would mean keeping a private signing key somewhere
> that the automated process can use (but nobody else can access...)
>
> If we provide checksums, can you just fetch those from the primary
> server and check them against the file you fetched from a mirror?

Yeah, we can do this, I think - it'll be a bit icky as we don't have
machinery to easily check just checksums like this from diff. places
but I can try figure something out.

But to be clear, the threat model I have in mind here is purely "evil
mirror" rather than anything else.

>
> I think you should treat these snapshot as if someone could have
> tempered with them (maybe not deliberately, but they really are
> snapshots and not formal releases for a reason).

That's part of why I'm asking ;)

I do check the diffs to make sure they look reasonable but I'd like to
avoid having to roll my own every week. It'd deter me from doing testing
to the same extent I do now if I had to ship a bunch of tarballs myself.

>
> Cheers,
>
> Mark

thanks,
sam