You are not logged in.

#1 2020-10-26 21:15:03

pix3l
Member
Registered: 2018-02-05
Posts: 1

libvrt rollback 6.8.0 to 6.5.0 (why?)

Why libvirt has been rolled back from 6.8.0 to 6.5.0?

6.8.0 is a stable release and nowhere I could find and explanation. Nor any other distro did it.

Offline

#2 2020-10-26 21:42:11

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

Offline

#3 2020-10-26 22:52:02

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

pix3l wrote:

6.8.0 is a stable release and nowhere I could find and explanation. Nor any other distro did it.

arch linux seems to be the only distro that insists on an unbroken chain of trust after trust has been established once. (another example is usbguard)

Last edited by progandy (2020-10-26 22:55:34)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#4 2020-10-27 02:48:48

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

progandy wrote:
pix3l wrote:

6.8.0 is a stable release and nowhere I could find and explanation. Nor any other distro did it.

arch linux seems to be the only distro that insists on an unbroken chain of trust after trust has been established once. (another example is usbguard)

How do you continue to trust it if it mysteriously changes in patterns indistinguishable from a successful theft of github credentials used for uploading malicious updates?


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#5 2020-10-27 05:58:39

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

eschwartz wrote:

[Edit: shortened]
How do you continue to trust it if it mysteriously changes in patterns indistinguishable from a successful theft of github credentials used for uploading malicious updates?

I have no idea, I just found it interesting that none of the other distributions seem to care. Maybe they think it doesn't matter since there are too many projects that do not use any signatures?

Last edited by progandy (2020-10-27 05:59:18)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#6 2020-10-27 06:15:29

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

@progandy,  does this not fit the trust on first use model Arch follows?

Last edited by loqs (2020-10-27 06:15:53)

Offline

#7 2020-11-03 02:28:13

kode54
Member
Registered: 2013-10-21
Posts: 20

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

Arch downgraded libvirt to keep you on your toes. Arch Linux is an obstacle course, not an operating system.

Implicitly trusting the person who signed it when you adopted the package is the best course of action. Who knows if both GitLab and Redhat.com were hacked to make these last few major releases possible? I don't, and neither do you.

Offline

#8 2020-11-03 02:34:38

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

kode54 wrote:

Arch downgraded libvirt to keep you on your toes. Arch Linux is an obstacle course, not an operating system.

What.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#9 2020-11-14 19:21:22

Bronek
Member
From: London
Registered: 2014-02-14
Posts: 119

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

Libvirt published the GPG fingerprint which is consistent with the one used for releases since version 6.6 . It is at https://libvirt.org/downloads.html#keys ; what more needs to happen to convince the libvirt package maintainers that these versions are indeed correctly signed?

Offline

#10 2020-11-14 19:23:24

Bronek
Member
From: London
Registered: 2014-02-14
Posts: 119

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

... also, since the package maintainers are using the old keys which are no longer endorsed by the libvirt team, what certainty do the package maintainers have that the old keys have not been compromised?

Offline

#11 2020-11-19 21:55:40

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

Offline

#12 2020-11-27 14:27:27

KazeNoKoe
Member
Registered: 2020-11-27
Posts: 1

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

So does anybody know if anything is being done about this? The current 6.5.0-3 version in Arch is broken, while the stable and non-broken version upstream is 6.9.0. I don't see any activity anywhere and I'm starting to worry

Offline

#13 2020-12-13 10:05:33

AnArchUser123
Member
Registered: 2020-11-07
Posts: 15

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

Downgrading to 6.5.0-1 seems to be the best way to get a non broken version of libvirt. Alternatively you could try compiling from source. Unfortunately there is only a git aur package and no stable aur package.

Last edited by AnArchUser123 (2020-12-13 10:05:45)

Offline

#14 2020-12-13 20:23:33

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

KazeNoKoe wrote:

So does anybody know if anything is being done about this? The current 6.5.0-3 version in Arch is broken, while the stable and non-broken version upstream is 6.9.0. I don't see any activity anywhere and I'm starting to worry

https://bugs.archlinux.org/task/67921#comment194713
Edit:

AnArchUser123 wrote:

Downgrading to 6.5.0-1 seems to be the best way to get a non broken version of libvirt. Alternatively you could try compiling from source. Unfortunately there is only a git aur package and no stable aur package.

You could use https://github.com/archlinux/svntogit-c … k/PKGBUILD and with pkgver=6.10.0 if you are not concerned with the chain of trust.

Last edited by loqs (2020-12-13 20:31:57)

Offline

#15 2021-01-11 14:01:06

Bronek
Member
From: London
Registered: 2014-02-14
Posts: 119

Re: libvrt rollback 6.8.0 to 6.5.0 (why?)

For anyone not following https://bugs.archlinux.org/task/67921 , the chain is now established with a PGP-signed message from Daniel Veillard  which is attached at the bottom of that thread, and package maintainer will upgrade the package to the more recent version - thank you @coderobe !

Offline

Board footer

Powered by FluxBB