Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Paolo Bonzini]

On 04/04/2018 17:55, Stefan Weil wrote:
> Am 04.04.2018 um 16:58 schrieb Daniel P. Berrangé:
>> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>>> The source/quality of those binaries is completely opaque. We've no idea 
>>>> who
>>>> built them, nor what build options were used, nor what/where the 
>>>> corresponding
>>>> source is (required for GPL compliance), nor any checksum / signature to
>>>> validate the binary isn't compromised since build, etc, etc.
>>>>
>>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>>
>>>> If we're going to link to binaries telling users to download them, we need
>>>> to be hosting them on qemu.org and have a clearly documented formal process
>>>> around building & distributing them.
>>>>
>>>> Since both Homebrew & Macports are providing formal bulds though, it looks
>>>> simpler to just entirely delegate the problem to them, as we do for Linux
>>>> where we delegate to distro vendors to build & distribute binaries.
>>>
>>> Note that, to some extent, the same issues do apply to Win32 binaries
>>> (in particular, they are distributed under http and there are no
>>> signatures).  However, the situation is better in that they are hosted
>>> on an identifiable person's website, and of course Windows doesn't have
>>> something akin to Homebrew and Macports so there is no alternative to
>>> volunteers building and hosting the binaries.
>>
>> It would be desirable & practical to address that for Win32, by building
>> the Win32 binaries at time of cutting the release, using the Mingw toolchain
>> via one of our formal Docker environments. Would need buy-in of our release
>> manager to accept the extra work for making releases though...
>>
>> Regards,
>> Daniel
> 
> That would be one possible way. A more automated way could use CI builds
> (for example on GitHub) to generate executables for Windows.
> 
> By the way: https://qemu.weilnetz.de provides https (maybe I should
> enforce it), it includes sha512, and I also sign the binaries with my
> key. You still have to trust me, Debian and Cygwin (which provides lots
> of libraries used for the build).

Cool!  I had noticed sha512, but it is not very useful without https
(except to verify bitflips).  Good news that you support https, we
should change the website to use https links instead.

Regarding signing, there is no GPG signature.  That's okay, but we
should document how to verify the installer signature from either Linux
or Windows.

Thanks,

Paolo