Why libvirt has been rolled back from 6.8.0 to 6.5.0?
6.8.0 is a stable release and nowhere could I find an explanation. Nor did any other distro do it.
6.8.0 is a stable release and nowhere could I find an explanation. Nor did any other distro do it.
Arch Linux seems to be the only distro that insists on an unbroken chain of trust after trust has been established once. (Another example is usbguard.)
Last edited by progandy (2020-10-26 22:55:34)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
pix3l wrote: 6.8.0 is a stable release and nowhere could I find an explanation. Nor did any other distro do it.
Arch Linux seems to be the only distro that insists on an unbroken chain of trust after trust has been established once. (Another example is usbguard.)
How do you continue to trust it if it mysteriously changes in patterns indistinguishable from a successful theft of github credentials used for uploading malicious updates?
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
[Edit: shortened]
How do you continue to trust it if it mysteriously changes in patterns indistinguishable from a successful theft of github credentials used for uploading malicious updates?
I have no idea, I just found it interesting that none of the other distributions seem to care. Maybe they think it doesn't matter since there are too many projects that do not use any signatures?
Last edited by progandy (2020-10-27 05:59:18)
@progandy, does this not fit the trust on first use model Arch follows?
Last edited by loqs (2020-10-27 06:15:53)
Arch downgraded libvirt to keep you on your toes. Arch Linux is an obstacle course, not an operating system.
Implicitly trusting the person who signed it when you adopted the package is the best course of action. Who knows if both GitLab and Redhat.com were hacked to make these last few major releases possible? I don't, and neither do you.
Arch downgraded libvirt to keep you on your toes. Arch Linux is an obstacle course, not an operating system.
What.
Libvirt published the GPG fingerprint, which is consistent with the one used for releases since version 6.6. It is at https://libvirt.org/downloads.html#keys; what more needs to happen to convince the libvirt package maintainers that these versions are indeed correctly signed?
... also, since the package maintainers are using the old keys which are no longer endorsed by the libvirt team, what certainty do the package maintainers have that the old keys have not been compromised?
@Bronek possibly related https://lists.archlinux.org/pipermail/a … 53374.html
So does anybody know if anything is being done about this? The current 6.5.0-3 version in Arch is broken, while the stable and non-broken version upstream is 6.9.0. I don't see any activity anywhere and I'm starting to worry
Downgrading to 6.5.0-1 seems to be the best way to get a non-broken version of libvirt. Alternatively you could try compiling from source. Unfortunately there is only a git AUR package and no stable AUR package.
Last edited by AnArchUser123 (2020-12-13 10:05:45)
So does anybody know if anything is being done about this? The current 6.5.0-3 version in Arch is broken, while the stable and non-broken version upstream is 6.9.0. I don't see any activity anywhere and I'm starting to worry
https://bugs.archlinux.org/task/67921#comment194713
Edit:
Downgrading to 6.5.0-1 seems to be the best way to get a non-broken version of libvirt. Alternatively you could try compiling from source. Unfortunately there is only a git AUR package and no stable AUR package.
You could use https://github.com/archlinux/svntogit-c … k/PKGBUILD and with pkgver=6.10.0 if you are not concerned with the chain of trust.
Last edited by loqs (2020-12-13 20:31:57)
For anyone not following https://bugs.archlinux.org/task/67921, the chain is now established with a PGP-signed message from Daniel Veillard, which is attached at the bottom of that thread, and the package maintainer will upgrade the package to the more recent version - thank you @coderobe!
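The trust decision this thread circles around (pinning the signing key when the package is adopted, refusing a release signed by a key with no link to that pin, and extending the chain only through a statement signed by the already-pinned key, which is how the bug report was resolved) as an added Python sketch; it is not code from the thread, from makepkg or from libvirt, and its HMAC "signatures", key bytes and tarball bytes are a constructed stand-in for PGP keys and detached signatures.

```python
import hashlib
import hmac

# Constructed simulation: a key is a secret, its fingerprint the hash of that
# secret, a detached signature an HMAC. The verifier holds the same secret as
# the signer, which real PGP does not; only the trust decision is of interest.
def fingerprint(key):
    return hashlib.sha256(key).hexdigest()[:40].upper()

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class TrustStore:
    """Mirrors makepkg's validpgpkeys: only fingerprints pinned at adoption
    (trust on first use) may sign a release."""
    def __init__(self, first_key):
        self.pinned = {fingerprint(first_key): first_key}

    def verified(self, fpr, data, sig):
        key = self.pinned.get(fpr)
        return key is not None and hmac.compare_digest(sign(key, data), sig)

    def rotate(self, old_fpr, new_key, statement, sig):
        """Extend the chain only through a statement that names the new
        fingerprint and carries a signature by the already-pinned old key;
        a statement signed by the new key, or a web page listing the
        fingerprint, has no link back to established trust."""
        new_fpr = fingerprint(new_key)
        if new_fpr.encode() not in statement or not self.verified(old_fpr, statement, sig):
            return False
        self.pinned[new_fpr] = new_key
        return True

def scenario():
    old_key, new_key = b"old-release-key", b"new-release-key"  # constructed secrets
    store = TrustStore(old_key)
    tarball = b"libvirt-6.8.0.tar.xz (constructed contents)"
    stmt = b"New libvirt release key: " + fingerprint(new_key).encode()
    new_fpr, old_fpr = fingerprint(new_key), fingerprint(old_key)
    return {
        # Release signed by an unpinned key is refused (the 6.8.0 rollback).
        "unlinked": store.verified(new_fpr, tarball, sign(new_key, tarball)),
        # A transition statement signed by the new key itself proves nothing.
        "self_signed": store.rotate(old_fpr, new_key, stmt, sign(new_key, stmt)),
        # Signed by the pinned old key: the pin rotates and the release verifies.
        "rotated": store.rotate(old_fpr, new_key, stmt, sign(old_key, stmt)),
        "linked": store.verified(new_fpr, tarball, sign(new_key, tarball)),
    }
```

`scenario()` walks the four cases in order; the dictionary it returns is the trust outcome of each, and only the last two are accepted.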