Are the tarballs from ftp.freeradius.org mirrored anywhere using HTTP that isn't GitHub? The GitHub tarballs have a differently named root folder, so the signature checking is failing. Hashes show they're different: $ shasum -a 256 freeradius-server-* 2bf914d471d4409fd72e708e308fa32ca8d01d698c518497a1d4b867d50132ae freeradius-server-3.0.21.tar.gz b2014372948a92f86cfe2cf43c58ef47921c03af05666eb9d6416bdc6eeaedc2 freeradius-server-release_3_0_21.tar.gz I'm migrating our RPM builds from $OLD_CI to $NEW_CI, but $NEW_CI doesn't support ftp for grabbing source. I'd like to avoid creating a special case just for a single build job (or manually verifying and uploading the tarball) if possible. Many Thanks, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number. 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Commercial Limited is a wholly owned Jisc subsidiary and a company limited by shares which is registered in England under company number 09316933, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice
On Jul 5, 2020, at 9:10 PM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
Are the tarballs from ftp.freeradius.org mirrored anywhere using HTTP that isn't GitHub?
Not right now.
The GitHub tarballs have a differently named root folder, so the signature checking is failing. Hashes show they're different:
Yes. We create our own tarballs and sign those. When we tag a release, GitHub *also* creates it's own tarballs, which are different. GitHub doesn't seem to have a way to upload our own tarballs. And TBH, I won't sign random things created by a third party. We'll take a look at exposing the FTP site via HTTP. Alan DeKok.
On 6/07/2020, at 13:24, Alan DeKok <aland@deployingradius.com> wrote:
The GitHub tarballs have a differently named root folder, so the signature checking is failing. Hashes show they're different:
Yes. We create our own tarballs and sign those. When we tag a release, GitHub *also* creates it's own tarballs, which are different.
GitHub doesn't seem to have a way to upload our own tarballs. And TBH, I won't sign random things created by a third party.
When you create a “Release” in GitHub you can upload a “binary”. That can be a tgz of source code. It’s not ideal, as you still get “Source Code” zip and tgz options in the release download page - but it could work around this issue. You can reduce the “Source Code” zip contents to nil by using gitattributes export-ignore to tell GitHub not to export certain files (and make it match files), but that means anyone doing archive generation for whatever reasons will be confused. -- Nathan Ward
On Jul 5, 2020, at 9:37 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
When you create a “Release” in GitHub you can upload a “binary”. That can be a tgz of source code. It’s not ideal, as you still get “Source Code” zip and tgz options in the release download page - but it could work around this issue.
You can reduce the “Source Code” zip contents to nil by using gitattributes export-ignore to tell GitHub not to export certain files (and make it match files), but that means anyone doing archive generation for whatever reasons will be confused.
I'd rather just expose the FTP site over HTTP. Alan DeKok.
On 6 Jul 2020, at 02:24, Alan DeKok <aland@deployingradius.com> wrote:
We'll take a look at exposing the FTP site via HTTP.
That'd be perfect if you could. OT: Is anyone else getting backscatter from email.uscc.net when they send a message to the list? Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number. 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Commercial Limited is a wholly owned Jisc subsidiary and a company limited by shares which is registered in England under company number 09316933, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice
On Jul 6, 2020, at 8:41 AM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 6 Jul 2020, at 02:24, Alan DeKok <aland@deployingradius.com> wrote:
We'll take a look at exposing the FTP site via HTTP.
That'd be perfect if you could.
It should be up later today.
OT: Is anyone else getting backscatter from email.uscc.net when they send a message to the list?
Yes. I've unsubscribed some uscc.net email addresses. Alan DeKok.
On Jul 6, 2020, at 8:41 AM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 6 Jul 2020, at 02:24, Alan DeKok <aland@deployingradius.com> wrote:
We'll take a look at exposing the FTP site via HTTP.
That'd be perfect if you could.
Matthew Newton has updated the site: https://freeradius.org/ftp/pub/freeradius/ it even looks pretty. :) Alan DeKok.
On 07/07/2020 00:12, Alan DeKok wrote:
On Jul 6, 2020, at 8:41 AM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
That'd be perfect if you could.
Matthew Newton has updated the site:
https://freeradius.org/ftp/pub/freeradius/
it even looks pretty. :)
Can't have bog standard auto index listing here, that just won't do. Hope it's useful. -- Matthew
On 7 Jul 2020, at 00:24, Matthew Newton <mcn@freeradius.org> wrote:
Hope it's useful.
It is, thanks for pulling this together. CI happily pulled down the tarball, verified, and RPM'd it without me lifting a finger :) Adam Bishop Senior security architect (systems) gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 t: +44 (0)1235 822 245 xmpp: adamb@jabber.dev.ja.net jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number. 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Commercial Limited is a wholly owned Jisc subsidiary and a company limited by shares which is registered in England under company number 09316933, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice
participants (4)
-
Adam Bishop -
Alan DeKok -
Matthew Newton -
Nathan Ward