[FFmpeg-devel] [PATCH] web/download: Extend the verification procedure to check for difference between git and release tarball
Michael Niedermayer
michael at niedermayer.cc
Sat Mar 30 23:19:47 EET 2024
On Sat, Mar 30, 2024 at 02:31:54PM -0300, James Almer wrote:
> On 3/30/2024 2:30 PM, Michael Niedermayer wrote:
> > On Sat, Mar 30, 2024 at 11:51:17AM -0300, James Almer wrote:
> > > On 3/30/2024 11:02 AM, Michael Niedermayer wrote:
> > > > Iam not 100% sure this is the best place to put this. But we should somewhere
> > > > describe what differences are expected
> > > >
> > > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > > ---
> > > > src/download | 34 ++++++++++++++++++++++++++++++++++
> > > > 1 file changed, 34 insertions(+)
> > > >
> > > > diff --git a/src/download b/src/download
> > > > index 0e6fa7e..34733de 100644
> > > > --- a/src/download
> > > > +++ b/src/download
> > > > @@ -284,6 +284,40 @@ gpg: using RSA key FCF986EA15E6E293A5644F10B4322F04D67658D8
> > > > gpg: issuer "ffmpeg-devel at ffmpeg.org"
> > > > gpg: Good signature from "FFmpeg release signing key <ffmpeg-devel at ffmpeg.org>" [full]</pre>
> > > > </li>
> > > > + <li>
> > > > + Verify that the release tarball matches the git tag: (expected differences are missing .git, .gitignore and .gitattributes and an additional VERSION file)
> > > > + <pre>
> > > > + $ diff -ru ffmpeg-5.1.4 gitdir2
> > > > +Only in gitdir2/doc/doxy: .gitignore
> > > > +Only in gitdir2/doc/examples: .gitignore
> > > > +Only in gitdir2/doc: .gitignore
> > > > +Only in gitdir2/ffbuild: .gitignore
> > > > +Only in gitdir2: .git
> > > > +Only in gitdir2: .gitattributes
> > > > +Only in gitdir2: .gitignore
> > > > +Only in gitdir2/libavcodec: .gitignore
> > > > +Only in gitdir2/libavcodec/tests: .gitignore
> > > > +Only in gitdir2/libavdevice: .gitignore
> > > > +Only in gitdir2/libavdevice/tests: .gitignore
> > > > +Only in gitdir2/libavfilter: .gitignore
> > > > +Only in gitdir2/libavfilter/opencl: .gitignore
> > > > +Only in gitdir2/libavfilter/tests: .gitignore
> > > > +Only in gitdir2/libavformat: .gitignore
> > > > +Only in gitdir2/libavformat/tests: .gitignore
> > > > +Only in gitdir2/libavutil: .gitignore
> > > > +Only in gitdir2/libavutil/tests: .gitignore
> > > > +Only in gitdir2/libswresample/tests: .gitignore
> > > > +Only in gitdir2/libswscale/tests: .gitignore
> > > > +Only in gitdir2/tests/api: .gitignore
> > > > +Only in gitdir2/tests/checkasm: .gitignore
> > > > +Only in gitdir2/tests: .gitignore
> > > > +Only in gitdir2/tools: .gitignore
> > > > +Only in ffmpeg-5.1.4: VERSION
> > > > + </pre>
> > > > + </li>
> > > > + <li>
> > > > + Verify that the tag in git is signed
> > >
> > > The tags are signed with your key made for this purpose,
> > > DD1EC9E8DE085C629B3E1846B18E8928B3948D64, and not with the tarball one
> > > listed above. You should include it here the same way, unless the signature
> >
> > yes but before doing that, do you think this is the best place to put all this?
>
> Sure, why would it not? It's the section where we explain how to verify
> releases.
The verification ends with the tarball signature being verified.
Checking the difference between 2 mirrors, or git vs. tarball is not
verifying if the user obtained a unmodified copy of a release.
It would check for a subset of variants of compromises on the FFmpeg side.
I think we should publish somewhere how the difference between git and
tarball should look. But iam not sure anything is achieved by asking
everyone to download things twice and compare them.
Maybe the security page is a better place ?
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Some people wanted to paint the bikeshed green, some blue and some pink.
People argued and fought, when they finally agreed, only rust was left.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240330/ab4dc8e1/attachment.sig>
More information about the ffmpeg-devel
mailing list