
#1 2020-10-26 21:15:03

pix3l
Member
Registered: 2018-02-05
Posts: 1

libvirt rollback 6.8.0 to 6.5.0 (why?)

Why has libvirt been rolled back from 6.8.0 to 6.5.0?

6.8.0 is a stable release and nowhere could I find an explanation. Nor did any other distro do it.


#2 2020-10-26 21:42:11

loqs
Member
Registered: 2014-03-06
Posts: 12,093

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)


#3 2020-10-26 22:52:02

progandy
Member
Registered: 2012-05-17
Posts: 3,930

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)

pix3l wrote:

6.8.0 is a stable release and nowhere could I find an explanation. Nor did any other distro do it.

Arch Linux seems to be the only distro that insists on an unbroken chain of trust after trust has been established once. (Another example is usbguard.)

Last edited by progandy (2020-10-26 22:55:34)


#4 2020-10-27 02:48:48

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,768

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)

progandy wrote:
pix3l wrote:

6.8.0 is a stable release and nowhere could I find an explanation. Nor did any other distro do it.

Arch Linux seems to be the only distro that insists on an unbroken chain of trust after trust has been established once. (Another example is usbguard.)

How do you continue to trust it if it mysteriously changes in patterns indistinguishable from a successful theft of github credentials used for uploading malicious updates?

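The policy eschwartz describes here (and that Bronek's later question about the published fingerprint runs into) is, in Arch terms, makepkg's validpgpkeys check. The following is an added illustration, not makepkg's, libvirt's or any poster's code: it reads gpg's machine-readable --status-fd lines and rejects a cryptographically good signature whose key is not in the pinned list, so a release-key change is surfaced to the maintainer instead of being trusted silently. Fingerprints and status lines are constructed placeholders.

```python
"""Added example (not makepkg's or libvirt's code): validpgpkeys-style pinning
driven by gpg's machine-readable --status-fd lines.  A good signature from a
key that is not pinned is rejected, so a key change needs an explicit pin."""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed placeholder fingerprints (NOT libvirt's real keys).
PINNED_FPR = "1111111111111111111111111111111111111111"
ROTATED_FPR = "2222222222222222222222222222222222222222"

@dataclass
class Verdict:
    accepted: bool
    reason: str
    primary_fpr: Optional[str] = None

def evaluate_status(status_lines: Iterable[str], pinned: Iterable[str]) -> Verdict:
    """Apply the pinning policy to '[GNUPG:] ...' status lines."""
    pinned_set = {p.replace(" ", "").upper() for p in pinned}
    good, fprs = False, []
    for raw in status_lines:
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # not a status line
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, "gpg reported " + keyword)
        elif keyword == "VALIDSIG":
            # field 2: signing (sub)key fingerprint; last field: primary key
            # fingerprint.  This example accepts a pin matching either one.
            fprs = [fields[2].upper(), fields[-1].upper()]
    if not (good and fprs):
        return Verdict(False, "no GOODSIG/VALIDSIG pair in gpg output")
    if not any(f in pinned_set for f in fprs):
        return Verdict(False, "good signature, but signer is not pinned", fprs[-1])
    return Verdict(True, "signature good and key pinned", fprs[-1])

def verify_tarball(tarball: str, signature: str, pinned: Iterable[str]) -> Verdict:
    """Run gpg (--status-fd 1 puts status lines on stdout) and evaluate."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", signature, tarball],
                          capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), pinned)

# Constructed status lines: a good signature from a key that is not pinned.
SAMPLE_ROTATED_STATUS = [
    "[GNUPG:] GOODSIG 2222222222222222 Release Manager <rel@example.invalid>",
    "[GNUPG:] VALIDSIG " + ROTATED_FPR + " 2020-10-01 1601510400 0 4 0 1 10 00 " + ROTATED_FPR,
]
```

`evaluate_status(SAMPLE_ROTATED_STATUS, [PINNED_FPR])` is rejected with the rotated primary fingerprint reported, which is the point at which a maintainer would verify the new key out of band and extend the pin list.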

#5 2020-10-27 05:58:39

progandy
Member
Registered: 2012-05-17
Posts: 3,930

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)

eschwartz wrote:

[Edit: shortened]
How do you continue to trust it if it mysteriously changes in patterns indistinguishable from a successful theft of github credentials used for uploading malicious updates?

I have no idea, I just found it interesting that none of the other distributions seem to care. Maybe they think it doesn't matter since there are too many projects that do not use any signatures?

Last edited by progandy (2020-10-27 05:59:18)


#6 2020-10-27 06:15:29

loqs
Member
Registered: 2014-03-06
Posts: 12,093

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)

@progandy, does this not fit the trust on first use model Arch follows?

Last edited by loqs (2020-10-27 06:15:53)


#7 2020-11-03 02:28:13

kode54
Member
Registered: 2013-10-21
Posts: 8

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)

Arch downgraded libvirt to keep you on your toes. Arch Linux is an obstacle course, not an operating system.

Implicitly trusting the person who signed it when you adopted the package is the best course of action. Who knows if both GitLab and Redhat.com were hacked to make these last few major releases possible? I don't, and neither do you.


#8 2020-11-03 02:34:38

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,768

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)

kode54 wrote:

Arch downgraded libvirt to keep you on your toes. Arch Linux is an obstacle course, not an operating system.

What.


#9 2020-11-14 19:21:22

Bronek
Member
From: London
Registered: 2014-02-14
Posts: 110

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)

Libvirt published the GPG fingerprint, which is consistent with the one used for releases since version 6.6. It is at https://libvirt.org/downloads.html#keys; what more needs to happen to convince the libvirt package maintainers that these versions are indeed correctly signed?


#10 2020-11-14 19:23:24

Bronek
Member
From: London
Registered: 2014-02-14
Posts: 110

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)

... also, since the package maintainers are using the old keys which are no longer endorsed by the libvirt team, what certainty do the package maintainers have that the old keys have not been compromised?


#11 2020-11-19 21:55:40

loqs
Member
Registered: 2014-03-06
Posts: 12,093

Re: libvirt rollback 6.8.0 to 6.5.0 (why?)
