dss_capi release asset checksum and/or signed release assets and keys #26
Is it possible to publish checksums for dss_capi release assets in release notes? Even stronger would be providing crypto signatures on the files and the public keys. Thoughts?
Replies: 5 comments 2 replies
Checksums are a good idea in general and easy to add. Since the releases are mirrored on SourceForge, it's good to ensure they're fine and the mirrors didn't break anything. Signatures probably not right now. We can open an issue to track that.
Added for the binaries for version 0.13.2: https://github.com/dss-extensions/dss_capi/releases/tag/0.13.2

We should have a new release next Wednesday and I'll make sure to add the checksums in the initial announcement, and can do the same for the other projects in the next release batch. For source packages, the automated message already includes the commit hash and the source packages are generated by GitHub itself, but I still added them anyway.

Users watching (at least the releases of) the DSS C-API repository with email notifications enabled will then receive a message with the data, and can use that to verify the downloads. Since our website is currently hosted on GitHub infra too, adding the sums there would not help in case of a malicious actor.

Since I don't remember if we mentioned it recently: the files messages.zip/.tar.gz contain strings for command/property descriptions/helpstrings. Those are not required for most automated workloads since nobody will be checking the help messages on that scale.
For the release just now, the checksums were added to the initial message as planned. Seems to work fine this way.
https://github.com/dss-extensions/dss_capi/releases/tag/0.13.3
Since there are bugfixes, I'll make an announcement here on discussions too after the other projects are updated. The official OpenDSS 9.6.1.2 was released last Tuesday so we couldn't validate it on Wednesday, hence the releases now.
Looks great. We'll test them out. Thanks!
Thinking now that providing sha files would make it possible to automate. Similar to https://superuser.com/a/1468626/222969
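The automation suggested in the last comment, combined with the earlier point that the checksums can be taken from the release notification message, could look like the sketch below. It is an added example, not code from this thread or from the DSS C-API project; it assumes GNU `sha256sum`, a checksum list in `sha256sum` format, and asset names without spaces. `example_asset.zip` and `SHA256SUMS` are constructed placeholder names.

```shell
#!/bin/sh
# Added example: verify one downloaded release asset against a checksum list
# obtained separately (e.g. copied from the release notification).
# List format: "<64 hex>  <name>" or "<64 hex> *<name>" (sha256sum output).

# verify_asset FILE SUMS
# returns 0 = digest matches, 1 = mismatch, 2 = unreadable input or no entry
verify_asset() {
    file=$1
    sums=$2
    [ -r "$file" ] && [ -r "$sums" ] || return 2
    name=${file##*/}
    # Look up the expected digest by exact file name. An asset that is not
    # listed is treated as a failure, never as "nothing to check".
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum -- "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in asset, a checksum list for it, then a modified
# copy (as a broken mirror would serve) and a file that the list does not name.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed asset contents\n' > "$d/example_asset.zip"
    (cd "$d" && sha256sum example_asset.zip > SHA256SUMS)
    verify_asset "$d/example_asset.zip" "$d/SHA256SUMS" && ok=0 || ok=$?
    printf 'x' >> "$d/example_asset.zip"
    verify_asset "$d/example_asset.zip" "$d/SHA256SUMS" && bad=0 || bad=$?
    verify_asset "$d/SHA256SUMS" "$d/SHA256SUMS" && unl=0 || unl=$?
    rm -rf "$d"
    echo "match=$ok tampered=$bad unlisted=$unl"
}

demo
```

A checksum list fetched from the same host as the asset only detects corruption; against a malicious change it helps only when the list reaches the user through a separate channel, as noted in the replies above.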