Marcin Szewczyk
2016-Mar-04 14:16 UTC
[fdo] Authenticating/verifying freedesktop projects source
Hi,
I would like to recompile a version of ModemManager supporting the Voice
interface. That is why I have to use the source code from the master
branch and not the 1.4 version. This also requires me to download libqmi
from a repository, because 1.12 is too old for this. How do I verify the
source?
Unfortunately:
- nor git commits, nor tags seem to be signed,
- HTTPS-accessible source archives include only those that are
stable (e.g. https://www.freedesktop.org/software/ModemManager/)
and there are no SUMS files signed by anybody.
Is it the safest method to git clone from URLs like the following ones?
- https://anongit.freedesktop.org/git/ModemManager/ModemManager.git
- https://anongit.freedesktop.org/git/libqmi
Some of freedesktop's cgit pages suggest to use http:// links. Luckily,
same links work with https://. But contrary to the ModemManager's cgit
page, the libqmi cgit page doesn't contain the http:// link, only git://
and ssh:// links. Nevertheless, the https:// link to the libqmi
repository works.
Should I request an SSH account[1] with read-only access to projects I
want to clone? How do I obtain the host's fingerprint?
[1] https://www.freedesktop.org/wiki/AccountRequests/
Regards,
--
Marcin Szewczyk
http://wodny.org
Tollef Fog Heen
2016-Mar-05 12:33 UTC
[fdo] Authenticating/verifying freedesktop projects source
]] Marcin Szewczyk

> Unfortunately:
> - nor git commits, nor tags seem to be signed,

This sounds like something that should be fixed, folks should use signed tags whenever possible.

> - HTTPS-accessible source archives include only those that are
> stable (e.g. https://www.freedesktop.org/software/ModemManager/)
> and there are no SUMS files signed by anybody.
>
> Is it the safest method to git clone from URLs like the following ones?
> - https://anongit.freedesktop.org/git/ModemManager/ModemManager.git
> - https://anongit.freedesktop.org/git/libqmi

Yes, absent signed tags or files.

> Some of freedesktop's cgit pages suggest to use http:// links. Luckily,
> same links work with https://. But contrary to the ModemManager's cgit
> page, the libqmi cgit page doesn't contain the http:// link, only git://
> and ssh:// links. Nevertheless, the https:// link to the libqmi
> repository works.

We should probably make a sweep to get all those cleaned up so they're on the same level.

> Should I request an SSH account[1] with read-only access to projects I
> want to clone? How do I obtain the host's fingerprint?

No.

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Marcin Szewczyk
2016-Mar-05 16:49 UTC
[fdo] Authenticating/verifying freedesktop projects source
On Sat, Mar 05, 2016 at 01:33:44PM +0100, Tollef Fog Heen wrote:
> ]] Marcin Szewczyk
> > Is it the safest method to git clone from URLs like the following ones?
> > - https://anongit.freedesktop.org/git/ModemManager/ModemManager.git
> > - https://anongit.freedesktop.org/git/libqmi
>
> Yes, absent signed tags or files.

Roger. Thanks.

--
Marcin Szewczyk
http://wodny.org
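
Added example, not part of the thread and not code from either poster or from freedesktop.org: shell functions that report whether a clone's origin uses a server-authenticated transport and whether each tag carries a signature block, the two properties discussed above. The function names and the `./ModemManager` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit what a clone can actually prove.

# Does the transport authenticate the server? https:// relies on the TLS
# certificate, ssh:// on an already-known host key; http:// and git:// offer
# no server authentication, so fetched objects can be altered in transit.
transport_class() {
    case "$1" in
        https://*|ssh://*) echo authenticated ;;
        http://*|git://*)  echo unauthenticated ;;
        *)                 echo unknown ;;
    esac
}

# Read a raw tag object (as printed by `git cat-file tag REF`) on stdin and
# report whether it embeds a signature block. This detects presence only;
# `git verify-tag` is what checks the signature against a trusted key.
tag_has_signature() {
    if grep -Eq '^-----BEGIN (PGP|SSH) SIGNATURE-----$'; then
        echo signed
    else
        echo unsigned
    fi
}

# Summarise one local clone: origin transport, then every tag's state.
# Lightweight tags are plain refs and can never carry a signature.
audit_repo() {
    repo=$1
    url=$(git -C "$repo" remote get-url origin 2>/dev/null) || url=
    echo "origin: ${url:-none} ($(transport_class "$url"))"
    git -C "$repo" for-each-ref --format='%(refname) %(objecttype)' refs/tags |
    while read -r ref type; do
        if [ "$type" = tag ]; then
            state=$(git -C "$repo" cat-file tag "$ref" | tag_has_signature)
        else
            state=lightweight
        fi
        echo "${ref#refs/tags/}: $state"
    done
}

# Usage (path is an assumption): audit_repo ./ModemManager
```

When every tag comes back `unsigned` or `lightweight`, the authenticated transport is the only assurance the clone carries, which is the situation the thread describes.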