Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Programmingkid]

> On Apr 2, 2018, at 10:07 AM, qemu-devel-request@nongnu.org wrote:
> 
> Message: 2
> Date: Mon, 2 Apr 2018 04:22:52 +0200
> From: Paolo Bonzini <pbonzini@redhat.com>
> To: Rainer M?ller <raimue@macports.org>, qemu-devel@nongnu.org
> Subject: Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions
> 	for MacPorts
> Message-ID: <357029f4-71c0-a9f9-7bda-a5a44f609b27@redhat.com>
> Content-Type: text/plain; charset=utf-8
> 
> On 01/04/2018 18:22, Rainer M?ller wrote:
>> Signed-off-by: Rainer M?ller <raimue@macports.org>
>> ---
>> _download/macos.md | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>> 
>> diff --git a/_download/macos.md b/_download/macos.md
>> index dbb312c..06aa811 100644
>> --- a/_download/macos.md
>> +++ b/_download/macos.md
>> @@ -1,6 +1,10 @@
>> -QEMU can be installed from Homebrew:
>> +QEMU can be installed from <strong>Homebrew</strong>:
>> 
>> <pre>brew install qemu</pre>
>> 
>> +QEMU can be installed from <strong>MacPorts</strong>:
>> +
>> +<pre>sudo port install qemu</pre>
>> +
>> QEMU requires Mac OS X 10.5 or later, but it is recommended
>> to use Mac OS X 10.7 or later.
>> 
> 
> Thanks for the patch!  I'm travelling but I will apply it as soon as I can.
> 
> Paolo

I was wondering if a link to the Mac OS X host wiki page could be added to this page.
It does have prebuilt binaries ready for use.

https://wiki.qemu.org/Hosts/Mac

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Paolo Bonzini]

On 02/04/2018 16:13, Programmingkid wrote:
> 
>> On Apr 2, 2018, at 10:07 AM, qemu-devel-request@nongnu.org wrote:
>>
>> Message: 2
>> Date: Mon, 2 Apr 2018 04:22:52 +0200
>> From: Paolo Bonzini <pbonzini@redhat.com>
>> To: Rainer M?ller <raimue@macports.org>, qemu-devel@nongnu.org
>> Subject: Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions
>> 	for MacPorts
>> Message-ID: <357029f4-71c0-a9f9-7bda-a5a44f609b27@redhat.com>
>> Content-Type: text/plain; charset=utf-8
>>
>> On 01/04/2018 18:22, Rainer M?ller wrote:
>>> Signed-off-by: Rainer M?ller <raimue@macports.org>
>>> ---
>>> _download/macos.md | 6 +++++-
>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/_download/macos.md b/_download/macos.md
>>> index dbb312c..06aa811 100644
>>> --- a/_download/macos.md
>>> +++ b/_download/macos.md
>>> @@ -1,6 +1,10 @@
>>> -QEMU can be installed from Homebrew:
>>> +QEMU can be installed from <strong>Homebrew</strong>:
>>>
>>> <pre>brew install qemu</pre>
>>>
>>> +QEMU can be installed from <strong>MacPorts</strong>:
>>> +
>>> +<pre>sudo port install qemu</pre>
>>> +
>>> QEMU requires Mac OS X 10.5 or later, but it is recommended
>>> to use Mac OS X 10.7 or later.
>>>
>>
>> Thanks for the patch!  I'm travelling but I will apply it as soon as I can.
>>
>> Paolo
> 
> I was wondering if a link to the Mac OS X host wiki page could be added to this page.
> It does have prebuilt binaries ready for use.
> 
> https://wiki.qemu.org/Hosts/Mac

Actually I believe we should remove those links.  I don't think hosting
QEMU binaries on mediafire is a good idea.

Paolo

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Programmingkid]

> On Apr 4, 2018, at 7:15 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> 
> On 02/04/2018 16:13, Programmingkid wrote:
>> 
>>> On Apr 2, 2018, at 10:07 AM, qemu-devel-request@nongnu.org wrote:
>>> 
>>> Message: 2
>>> Date: Mon, 2 Apr 2018 04:22:52 +0200
>>> From: Paolo Bonzini <pbonzini@redhat.com>
>>> To: Rainer M?ller <raimue@macports.org>, qemu-devel@nongnu.org
>>> Subject: Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions
>>> 	for MacPorts
>>> Message-ID: <357029f4-71c0-a9f9-7bda-a5a44f609b27@redhat.com>
>>> Content-Type: text/plain; charset=utf-8
>>> 
>>> On 01/04/2018 18:22, Rainer M?ller wrote:
>>>> Signed-off-by: Rainer M?ller <raimue@macports.org>
>>>> ---
>>>> _download/macos.md | 6 +++++-
>>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>> 
>>>> diff --git a/_download/macos.md b/_download/macos.md
>>>> index dbb312c..06aa811 100644
>>>> --- a/_download/macos.md
>>>> +++ b/_download/macos.md
>>>> @@ -1,6 +1,10 @@
>>>> -QEMU can be installed from Homebrew:
>>>> +QEMU can be installed from <strong>Homebrew</strong>:
>>>> 
>>>> <pre>brew install qemu</pre>
>>>> 
>>>> +QEMU can be installed from <strong>MacPorts</strong>:
>>>> +
>>>> +<pre>sudo port install qemu</pre>
>>>> +
>>>> QEMU requires Mac OS X 10.5 or later, but it is recommended
>>>> to use Mac OS X 10.7 or later.
>>>> 
>>> 
>>> Thanks for the patch!  I'm travelling but I will apply it as soon as I can.
>>> 
>>> Paolo
>> 
>> I was wondering if a link to the Mac OS X host wiki page could be added to this page.
>> It does have prebuilt binaries ready for use.
>> 
>> https://wiki.qemu.org/Hosts/Mac
> 
> Actually I believe we should remove those links.  I don't think hosting
> QEMU binaries on mediafire is a good idea.
> 
> Paolo

Why not?

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Daniel P. Berrangé]

On Wed, Apr 04, 2018 at 10:24:48AM -0400, Programmingkid wrote:
> 
> > On Apr 4, 2018, at 7:15 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> > 
> > On 02/04/2018 16:13, Programmingkid wrote:
> >> 
> >>> On Apr 2, 2018, at 10:07 AM, qemu-devel-request@nongnu.org wrote:
> >>> 
> >>> Message: 2
> >>> Date: Mon, 2 Apr 2018 04:22:52 +0200
> >>> From: Paolo Bonzini <pbonzini@redhat.com>
> >>> To: Rainer M?ller <raimue@macports.org>, qemu-devel@nongnu.org
> >>> Subject: Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions
> >>> 	for MacPorts
> >>> Message-ID: <357029f4-71c0-a9f9-7bda-a5a44f609b27@redhat.com>
> >>> Content-Type: text/plain; charset=utf-8
> >>> 
> >>> On 01/04/2018 18:22, Rainer M?ller wrote:
> >>>> Signed-off-by: Rainer M?ller <raimue@macports.org>
> >>>> ---
> >>>> _download/macos.md | 6 +++++-
> >>>> 1 file changed, 5 insertions(+), 1 deletion(-)
> >>>> 
> >>>> diff --git a/_download/macos.md b/_download/macos.md
> >>>> index dbb312c..06aa811 100644
> >>>> --- a/_download/macos.md
> >>>> +++ b/_download/macos.md
> >>>> @@ -1,6 +1,10 @@
> >>>> -QEMU can be installed from Homebrew:
> >>>> +QEMU can be installed from <strong>Homebrew</strong>:
> >>>> 
> >>>> <pre>brew install qemu</pre>
> >>>> 
> >>>> +QEMU can be installed from <strong>MacPorts</strong>:
> >>>> +
> >>>> +<pre>sudo port install qemu</pre>
> >>>> +
> >>>> QEMU requires Mac OS X 10.5 or later, but it is recommended
> >>>> to use Mac OS X 10.7 or later.
> >>>> 
> >>> 
> >>> Thanks for the patch!  I'm travelling but I will apply it as soon as I can.
> >>> 
> >>> Paolo
> >> 
> >> I was wondering if a link to the Mac OS X host wiki page could be added to this page.
> >> It does have prebuilt binaries ready for use.
> >> 
> >> https://wiki.qemu.org/Hosts/Mac
> > 
> > Actually I believe we should remove those links.  I don't think hosting
> > QEMU binaries on mediafire is a good idea.
> > 
> > Paolo
> 
> Why not?

The source/quality of those binaries is completely opaque. We've no idea who
built them, nor what build options were used, nor what/where the corresponding
source is (required for GPL compliance), nor any checksum / signature to
validate the binary isn't compromised since build, etc, etc.

Pointing users to those binaries makes it appear QEMU project is blessing
them, and so any issues with them directly reflect on QEMU's reputation.

If we're going to link to binaries telling users to download them, we need
to be hosting them on qemu.org and have a clearly documented formal process
around building & distributing them.

Since both Homebrew & Macports are providing formal bulds though, it looks
simpler to just entirely delegate the problem to them, as we do for Linux
where we delegate to distro vendors to build & distribute binaries.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Paolo Bonzini]

On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>> Actually I believe we should remove those links.  I don't think hosting
>>> QEMU binaries on mediafire is a good idea.
>>>
>>> Paolo
>> Why not?
> The source/quality of those binaries is completely opaque. We've no idea who
> built them, nor what build options were used, nor what/where the corresponding
> source is (required for GPL compliance), nor any checksum / signature to
> validate the binary isn't compromised since build, etc, etc.
> 
> Pointing users to those binaries makes it appear QEMU project is blessing
> them, and so any issues with them directly reflect on QEMU's reputation.
> 
> If we're going to link to binaries telling users to download them, we need
> to be hosting them on qemu.org and have a clearly documented formal process
> around building & distributing them.
> 
> Since both Homebrew & Macports are providing formal bulds though, it looks
> simpler to just entirely delegate the problem to them, as we do for Linux
> where we delegate to distro vendors to build & distribute binaries.

Note that, to some extent, the same issues do apply to Win32 binaries
(in particular, they are distributed under http and there are no
signatures).  However, the situation is better in that they are hosted
on an identifiable person's website, and of course Windows doesn't have
something akin to Homebrew and Macports so there is no alternative to
volunteers building and hosting the binaries.

Paolo

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Daniel P. Berrangé]

On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
> >>> Actually I believe we should remove those links.  I don't think hosting
> >>> QEMU binaries on mediafire is a good idea.
> >>>
> >>> Paolo
> >> Why not?
> > The source/quality of those binaries is completely opaque. We've no idea who
> > built them, nor what build options were used, nor what/where the corresponding
> > source is (required for GPL compliance), nor any checksum / signature to
> > validate the binary isn't compromised since build, etc, etc.
> > 
> > Pointing users to those binaries makes it appear QEMU project is blessing
> > them, and so any issues with them directly reflect on QEMU's reputation.
> > 
> > If we're going to link to binaries telling users to download them, we need
> > to be hosting them on qemu.org and have a clearly documented formal process
> > around building & distributing them.
> > 
> > Since both Homebrew & Macports are providing formal bulds though, it looks
> > simpler to just entirely delegate the problem to them, as we do for Linux
> > where we delegate to distro vendors to build & distribute binaries.
> 
> Note that, to some extent, the same issues do apply to Win32 binaries
> (in particular, they are distributed under http and there are no
> signatures).  However, the situation is better in that they are hosted
> on an identifiable person's website, and of course Windows doesn't have
> something akin to Homebrew and Macports so there is no alternative to
> volunteers building and hosting the binaries.

It would be desirable & practical to address that for Win32, by building
the Win32 binaries at time of cutting the release, using the Mingw toolchain
via one of our formal Docker environments. Would need buy-in of our release
manager to accept the extra work for making releases though...

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Stefan Weil]

[-- Attachment #1: Type: text/plain, Size: 2251 bytes --]

Am 04.04.2018 um 16:58 schrieb Daniel P. Berrangé:
> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>> The source/quality of those binaries is completely opaque. We've no idea who
>>> built them, nor what build options were used, nor what/where the corresponding
>>> source is (required for GPL compliance), nor any checksum / signature to
>>> validate the binary isn't compromised since build, etc, etc.
>>>
>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>
>>> If we're going to link to binaries telling users to download them, we need
>>> to be hosting them on qemu.org and have a clearly documented formal process
>>> around building & distributing them.
>>>
>>> Since both Homebrew & Macports are providing formal bulds though, it looks
>>> simpler to just entirely delegate the problem to them, as we do for Linux
>>> where we delegate to distro vendors to build & distribute binaries.
>>
>> Note that, to some extent, the same issues do apply to Win32 binaries
>> (in particular, they are distributed under http and there are no
>> signatures).  However, the situation is better in that they are hosted
>> on an identifiable person's website, and of course Windows doesn't have
>> something akin to Homebrew and Macports so there is no alternative to
>> volunteers building and hosting the binaries.
> 
> It would be desirable & practical to address that for Win32, by building
> the Win32 binaries at time of cutting the release, using the Mingw toolchain
> via one of our formal Docker environments. Would need buy-in of our release
> manager to accept the extra work for making releases though...
> 
> Regards,
> Daniel

That would be one possible way. A more automated way could use CI builds
(for example on GitHub) to generate executables for Windows.

By the way: https://qemu.weilnetz.de provides https (maybe I should
enforce it), it includes sha512, and I also sign the binaries with my
key. You still have to trust me, Debian and Cygwin (which provides lots
of libraries used for the build).

Regards,
Stefan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Programmingkid]

> On Apr 4, 2018, at 11:55 AM, Stefan Weil <sw@weilnetz.de> wrote:
> 
> Am 04.04.2018 um 16:58 schrieb Daniel P. Berrangé:
>> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>>> The source/quality of those binaries is completely opaque. We've no idea who
>>>> built them, nor what build options were used, nor what/where the corresponding
>>>> source is (required for GPL compliance), nor any checksum / signature to
>>>> validate the binary isn't compromised since build, etc, etc.
>>>> 
>>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>> 
>>>> If we're going to link to binaries telling users to download them, we need
>>>> to be hosting them on qemu.org and have a clearly documented formal process
>>>> around building & distributing them.
>>>> 
>>>> Since both Homebrew & Macports are providing formal bulds though, it looks
>>>> simpler to just entirely delegate the problem to them, as we do for Linux
>>>> where we delegate to distro vendors to build & distribute binaries.
>>> 
>>> Note that, to some extent, the same issues do apply to Win32 binaries
>>> (in particular, they are distributed under http and there are no
>>> signatures).  However, the situation is better in that they are hosted
>>> on an identifiable person's website, and of course Windows doesn't have
>>> something akin to Homebrew and Macports so there is no alternative to
>>> volunteers building and hosting the binaries.
>> 
>> It would be desirable & practical to address that for Win32, by building
>> the Win32 binaries at time of cutting the release, using the Mingw toolchain
>> via one of our formal Docker environments. Would need buy-in of our release
>> manager to accept the extra work for making releases though...
>> 
>> Regards,
>> Daniel
> 
> That would be one possible way. A more automated way could use CI builds
> (for example on GitHub) to generate executables for Windows.
> 
> By the way: https://qemu.weilnetz.de provides https (maybe I should
> enforce it), it includes sha512, and I also sign the binaries with my
> key. You still have to trust me, Debian and Cygwin (which provides lots
> of libraries used for the build).
> 
> Regards,
> Stefan

I guess there is just too much distrust to provide a QEMU binary for download.

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Paolo Bonzini]

On 04/04/2018 18:05, Programmingkid wrote:
> 
>> On Apr 4, 2018, at 11:55 AM, Stefan Weil <sw@weilnetz.de> wrote:
>>
>> Am 04.04.2018 um 16:58 schrieb Daniel P. Berrangé:
>>> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>>>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>>>> The source/quality of those binaries is completely opaque. We've no idea who
>>>>> built them, nor what build options were used, nor what/where the corresponding
>>>>> source is (required for GPL compliance), nor any checksum / signature to
>>>>> validate the binary isn't compromised since build, etc, etc.
>>>>>
>>>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>>>
>>>>> If we're going to link to binaries telling users to download them, we need
>>>>> to be hosting them on qemu.org and have a clearly documented formal process
>>>>> around building & distributing them.
>>>>>
>>>>> Since both Homebrew & Macports are providing formal bulds though, it looks
>>>>> simpler to just entirely delegate the problem to them, as we do for Linux
>>>>> where we delegate to distro vendors to build & distribute binaries.
>>>>
>>>> Note that, to some extent, the same issues do apply to Win32 binaries
>>>> (in particular, they are distributed under http and there are no
>>>> signatures).  However, the situation is better in that they are hosted
>>>> on an identifiable person's website, and of course Windows doesn't have
>>>> something akin to Homebrew and Macports so there is no alternative to
>>>> volunteers building and hosting the binaries.
>>>
>>> It would be desirable & practical to address that for Win32, by building
>>> the Win32 binaries at time of cutting the release, using the Mingw toolchain
>>> via one of our formal Docker environments. Would need buy-in of our release
>>> manager to accept the extra work for making releases though...
>>>
>>> Regards,
>>> Daniel
>>
>> That would be one possible way. A more automated way could use CI builds
>> (for example on GitHub) to generate executables for Windows.
>>
>> By the way: https://qemu.weilnetz.de provides https (maybe I should
>> enforce it), it includes sha512, and I also sign the binaries with my
>> key. You still have to trust me, Debian and Cygwin (which provides lots
>> of libraries used for the build).
>>
>> Regards,
>> Stefan
> 
> I guess there is just too much distrust to provide a QEMU binary for download.

It's not distrust, it's responsibility.

Paolo

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Paolo Bonzini]

On 04/04/2018 17:55, Stefan Weil wrote:
> Am 04.04.2018 um 16:58 schrieb Daniel P. Berrangé:
>> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>>> The source/quality of those binaries is completely opaque. We've no idea who
>>>> built them, nor what build options were used, nor what/where the corresponding
>>>> source is (required for GPL compliance), nor any checksum / signature to
>>>> validate the binary isn't compromised since build, etc, etc.
>>>>
>>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>>
>>>> If we're going to link to binaries telling users to download them, we need
>>>> to be hosting them on qemu.org and have a clearly documented formal process
>>>> around building & distributing them.
>>>>
>>>> Since both Homebrew & Macports are providing formal bulds though, it looks
>>>> simpler to just entirely delegate the problem to them, as we do for Linux
>>>> where we delegate to distro vendors to build & distribute binaries.
>>>
>>> Note that, to some extent, the same issues do apply to Win32 binaries
>>> (in particular, they are distributed under http and there are no
>>> signatures).  However, the situation is better in that they are hosted
>>> on an identifiable person's website, and of course Windows doesn't have
>>> something akin to Homebrew and Macports so there is no alternative to
>>> volunteers building and hosting the binaries.
>>
>> It would be desirable & practical to address that for Win32, by building
>> the Win32 binaries at time of cutting the release, using the Mingw toolchain
>> via one of our formal Docker environments. Would need buy-in of our release
>> manager to accept the extra work for making releases though...
>>
>> Regards,
>> Daniel
> 
> That would be one possible way. A more automated way could use CI builds
> (for example on GitHub) to generate executables for Windows.
> 
> By the way: https://qemu.weilnetz.de provides https (maybe I should
> enforce it), it includes sha512, and I also sign the binaries with my
> key. You still have to trust me, Debian and Cygwin (which provides lots
> of libraries used for the build).

Cool!  I had noticed sha512, but it is not very useful without https
(except to verify bitflips).  Good news that you support https, we
should change the website to use https links instead.

Regarding signing, there is no GPG signature.  That's okay, but we
should document how to verify the installer signature from either Linux
or Windows.

Thanks,

Paolo

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Programmingkid]

> On Apr 4, 2018, at 12:08 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> 
> On 04/04/2018 18:05, Programmingkid wrote:
>> 
>>> On Apr 4, 2018, at 11:55 AM, Stefan Weil <sw@weilnetz.de> wrote:
>>> 
>>> Am 04.04.2018 um 16:58 schrieb Daniel P. Berrangé:
>>>> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>>>>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>>>>> The source/quality of those binaries is completely opaque. We've no idea who
>>>>>> built them, nor what build options were used, nor what/where the corresponding
>>>>>> source is (required for GPL compliance), nor any checksum / signature to
>>>>>> validate the binary isn't compromised since build, etc, etc.
>>>>>> 
>>>>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>>>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>>>> 
>>>>>> If we're going to link to binaries telling users to download them, we need
>>>>>> to be hosting them on qemu.org and have a clearly documented formal process
>>>>>> around building & distributing them.
>>>>>> 
>>>>>> Since both Homebrew & Macports are providing formal bulds though, it looks
>>>>>> simpler to just entirely delegate the problem to them, as we do for Linux
>>>>>> where we delegate to distro vendors to build & distribute binaries.
>>>>> 
>>>>> Note that, to some extent, the same issues do apply to Win32 binaries
>>>>> (in particular, they are distributed under http and there are no
>>>>> signatures).  However, the situation is better in that they are hosted
>>>>> on an identifiable person's website, and of course Windows doesn't have
>>>>> something akin to Homebrew and Macports so there is no alternative to
>>>>> volunteers building and hosting the binaries.
>>>> 
>>>> It would be desirable & practical to address that for Win32, by building
>>>> the Win32 binaries at time of cutting the release, using the Mingw toolchain
>>>> via one of our formal Docker environments. Would need buy-in of our release
>>>> manager to accept the extra work for making releases though...
>>>> 
>>>> Regards,
>>>> Daniel
>>> 
>>> That would be one possible way. A more automated way could use CI builds
>>> (for example on GitHub) to generate executables for Windows.
>>> 
>>> By the way: https://qemu.weilnetz.de provides https (maybe I should
>>> enforce it), it includes sha512, and I also sign the binaries with my
>>> key. You still have to trust me, Debian and Cygwin (which provides lots
>>> of libraries used for the build).
>>> 
>>> Regards,
>>> Stefan
>> 
>> I guess there is just too much distrust to provide a QEMU binary for download.
> 
> It's not distrust, it's responsibility.
> 
> Paolo

So from what I learned, in order to provide a binary of QEMU, these things must be done:
- Some kind of checksum be provided for the binary (md5, SHA512, ...)
- A zip file that has the exact code used to build the binary be provided
- The complete environment use to build the binary be documented
-- Operating system name and version
-- name and version of various tools used to build the binary (GCC, make, ...)
-- name and version of libraries that are linked to QEMU (libc, pixman, ...)
- The exact command-line options used to build the binary be provided
- The email address and identity of the person who made the binary be provided

If anything is missing please feel free to share. 

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Paolo Bonzini]

On 04/04/2018 18:19, Programmingkid wrote:
>>> I guess there is just too much distrust to provide a QEMU binary for download.
>> It's not distrust, it's responsibility.
>>
>> Paolo
> So from what I learned, in order to provide a binary of QEMU, these things must be done:
> - Some kind of checksum be provided for the binary (md5, SHA512, ...)
> - A zip file that has the exact code used to build the binary be provided
> - The complete environment use to build the binary be documented
> -- Operating system name and version
> -- name and version of various tools used to build the binary (GCC, make, ...)
> -- name and version of libraries that are linked to QEMU (libc, pixman, ...)
> - The exact command-line options used to build the binary be provided
> - The email address and identity of the person who made the binary be provided
> 
> If anything is missing please feel free to share. 

In practice a GPG signature, with a signature well-connected to other
people in the QEMU community, would already be a very good start.  If
the exact code is not a release tarball, that would also be required.

The command line options used for the build can be documented in the wiki.

Paolo

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Stefan Weil]

Am 04.04.2018 um 18:11 schrieb Paolo Bonzini:
> On 04/04/2018 17:55, Stefan Weil wrote:
>> By the way: https://qemu.weilnetz.de provides https (maybe I should
>> enforce it), it includes sha512, and I also sign the binaries with my
>> key. You still have to trust me, Debian and Cygwin (which provides lots
>> of libraries used for the build).
> 
> Cool!  I had noticed sha512, but it is not very useful without https
> (except to verify bitflips).  Good news that you support https, we
> should change the website to use https links instead.
> 
> Regarding signing, there is no GPG signature.  That's okay, but we
> should document how to verify the installer signature from either Linux
> or Windows.
> 
> Thanks,
> 
> Paolo


The executables (installer, installed exe files) are signed using
osslsigncode (https://packages.debian.org/sid/otherosfs/osslsigncode)
and my personal CACert key for code signing.

The signatures can be checked on Windows (e.g. during the installation
process or from Windows Explorer with file properties) or on Linux (see
example below). That's Windows standard. The only problem is that
Windows does not automatically accept CACert keys (and that I have no
better key for code signing).

Stefan


$ osslsigncode verify /var/www/html/w32/qemu-w32-setup-20180321.exe
Current PE checksum   : 04D7CD55
Calculated PE checksum: 04D7CD55

Message digest algorithm  : SHA1
Current message digest    : B2B13EB4765B4708D999BE3E4893915BBCAB0F8E
Calculated message digest : B2B13EB4765B4708D999BE3E4893915BBCAB0F8E

Signature verification: ok

Number of signers: 1
	Signer #0:
		Subject: /CN=Stefan Weil/emailAddress=sw@weilnetz.de
		Issuer : /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support@cacert.org
		Serial : 0D6AA6

Number of certificates: 2
	Cert #0:
		Subject: /CN=Stefan Weil/emailAddress=sw@weilnetz.de
		Issuer : /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support@cacert.org
		Serial : 0D6AA6
	------------------
	Cert #1:
		Subject: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support@cacert.org
		Issuer : /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support@cacert.org
		Serial : 0

Succeeded

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Paolo Bonzini]

On 04/04/2018 19:41, Stefan Weil wrote:
> Am 04.04.2018 um 18:11 schrieb Paolo Bonzini:
>> On 04/04/2018 17:55, Stefan Weil wrote:
>>> By the way: https://qemu.weilnetz.de provides https (maybe I should
>>> enforce it), it includes sha512, and I also sign the binaries with my
>>> key. You still have to trust me, Debian and Cygwin (which provides lots
>>> of libraries used for the build).
>>
>> Cool!  I had noticed sha512, but it is not very useful without https
>> (except to verify bitflips).  Good news that you support https, we
>> should change the website to use https links instead.
>>
>> Regarding signing, there is no GPG signature.  That's okay, but we
>> should document how to verify the installer signature from either Linux
>> or Windows.
>>
>> Thanks,
>>
>> Paolo
> 
> 
> The executables (installer, installed exe files) are signed using
> osslsigncode (https://packages.debian.org/sid/otherosfs/osslsigncode)
> and my personal CACert key for code signing.
> 
> The signatures can be checked on Windows (e.g. during the installation
> process or from Windows Explorer with file properties) or on Linux (see
> example below). That's Windows standard. The only problem is that
> Windows does not automatically accept CACert keys (and that I have no
> better key for code signing).

Very good, thanks.  I'll add that information to the wiki.

Paolo

> Stefan
> 
> 
> $ osslsigncode verify /var/www/html/w32/qemu-w32-setup-20180321.exe
> Current PE checksum   : 04D7CD55
> Calculated PE checksum: 04D7CD55
> 
> Message digest algorithm  : SHA1
> Current message digest    : B2B13EB4765B4708D999BE3E4893915BBCAB0F8E
> Calculated message digest : B2B13EB4765B4708D999BE3E4893915BBCAB0F8E
> 
> Signature verification: ok
> 
> Number of signers: 1
> 	Signer #0:
> 		Subject: /CN=Stefan Weil/emailAddress=sw@weilnetz.de
> 		Issuer : /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
> Authority/emailAddress=support@cacert.org
> 		Serial : 0D6AA6
> 
> Number of certificates: 2
> 	Cert #0:
> 		Subject: /CN=Stefan Weil/emailAddress=sw@weilnetz.de
> 		Issuer : /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
> Authority/emailAddress=support@cacert.org
> 		Serial : 0D6AA6
> 	------------------
> 	Cert #1:
> 		Subject: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
> Authority/emailAddress=support@cacert.org
> 		Issuer : /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
> Authority/emailAddress=support@cacert.org
> 		Serial : 0
> 
> Succeeded
> 

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Paolo Bonzini]

On 01/04/2018 18:22, Rainer Müller wrote:
> Signed-off-by: Rainer Müller <raimue@macports.org>
> ---
>  _download/macos.md | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/_download/macos.md b/_download/macos.md
> index dbb312c..06aa811 100644
> --- a/_download/macos.md
> +++ b/_download/macos.md
> @@ -1,6 +1,10 @@
> -QEMU can be installed from Homebrew:
> +QEMU can be installed from <strong>Homebrew</strong>:
>  
>  <pre>brew install qemu</pre>
>  
> +QEMU can be installed from <strong>MacPorts</strong>:
> +
> +<pre>sudo port install qemu</pre>
> +
>  QEMU requires Mac OS X 10.5 or later, but it is recommended
>  to use Mac OS X 10.7 or later.
> 

Thanks for the patch!  I'm travelling but I will apply it as soon as I can.

Paolo

[Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Rainer Müller]

Signed-off-by: Rainer Müller <raimue@macports.org>
---
 _download/macos.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/_download/macos.md b/_download/macos.md
index dbb312c..06aa811 100644
--- a/_download/macos.md
+++ b/_download/macos.md
@@ -1,6 +1,10 @@
-QEMU can be installed from Homebrew:
+QEMU can be installed from <strong>Homebrew</strong>:
 
 <pre>brew install qemu</pre>
 
+QEMU can be installed from <strong>MacPorts</strong>:
+
+<pre>sudo port install qemu</pre>
+
 QEMU requires Mac OS X 10.5 or later, but it is recommended
 to use Mac OS X 10.7 or later.
-- 
2.16.3