From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53241) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1f3kul-0002eV-2P for qemu-devel@nongnu.org; Wed, 04 Apr 2018 12:05:38 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1f3kuh-0002GX-0V for qemu-devel@nongnu.org; Wed, 04 Apr 2018 12:05:35 -0400 Received: from mail-it0-x22a.google.com ([2607:f8b0:4001:c0b::22a]:52157) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1f3kug-0002GK-Qj for qemu-devel@nongnu.org; Wed, 04 Apr 2018 12:05:30 -0400 Received: by mail-it0-x22a.google.com with SMTP id b5-v6so18034079itj.1 for ; Wed, 04 Apr 2018 09:05:30 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) From: Programmingkid In-Reply-To: Date: Wed, 4 Apr 2018 12:05:28 -0400 Content-Transfer-Encoding: quoted-printable Message-Id: <6C36CDC6-851D-41A3-BDA8-1D2712437117@gmail.com> References: <57D8CDA1-C9D1-4CD7-99A1-203B570BF4D3@gmail.com> <20180404143859.GI3186@redhat.com> <20180404145803.GJ3186@redhat.com> Subject: Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stefan Weil Cc: =?utf-8?B?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= , Paolo Bonzini , Rainer M?ller , QEMU Developers > On Apr 4, 2018, at 11:55 AM, Stefan Weil wrote: >=20 > Am 04.04.2018 um 16:58 schrieb Daniel P. Berrang=C3=A9: >> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote: >>> On 04/04/2018 16:38, Daniel P. Berrang=C3=A9 wrote: >>>> The source/quality of those binaries is completely opaque. We've no = idea who >>>> built them, nor what build options were used, nor what/where the = corresponding >>>> source is (required for GPL compliance), nor any checksum / = signature to >>>> validate the binary isn't compromised since build, etc, etc. >>>>=20 >>>> Pointing users to those binaries makes it appear QEMU project is = blessing >>>> them, and so any issues with them directly reflect on QEMU's = reputation. >>>>=20 >>>> If we're going to link to binaries telling users to download them, = we need >>>> to be hosting them on qemu.org and have a clearly documented formal = process >>>> around building & distributing them. >>>>=20 >>>> Since both Homebrew & Macports are providing formal bulds though, = it looks >>>> simpler to just entirely delegate the problem to them, as we do for = Linux >>>> where we delegate to distro vendors to build & distribute binaries. >>>=20 >>> Note that, to some extent, the same issues do apply to Win32 = binaries >>> (in particular, they are distributed under http and there are no >>> signatures). However, the situation is better in that they are = hosted >>> on an identifiable person's website, and of course Windows doesn't = have >>> something akin to Homebrew and Macports so there is no alternative = to >>> volunteers building and hosting the binaries. >>=20 >> It would be desirable & practical to address that for Win32, by = building >> the Win32 binaries at time of cutting the release, using the Mingw = toolchain >> via one of our formal Docker environments. Would need buy-in of our = release >> manager to accept the extra work for making releases though... >>=20 >> Regards, >> Daniel >=20 > That would be one possible way. A more automated way could use CI = builds > (for example on GitHub) to generate executables for Windows. >=20 > By the way: https://qemu.weilnetz.de provides https (maybe I should > enforce it), it includes sha512, and I also sign the binaries with my > key. You still have to trust me, Debian and Cygwin (which provides = lots > of libraries used for the build). >=20 > Regards, > Stefan I guess there is just too much distrust to provide a QEMU binary for = download.=