GNU bug report logs - #29540: [PATCH] gnu: spice: Update to 0.14.0.
Report forwarded to guix-patches <at> gnu.org: bug#29540; Package guix-patches. (Sat, 02 Dec 2017 23:13:02 GMT)
Acknowledgement sent to Andy Patterson <ajpatter <at> uwaterloo.ca>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 02 Dec 2017 23:13:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi all,
This patch allows qemu to use OpenGL acceleration in the guest when
certain parameters are configured. I tested it out by running supertux
and supertuxkart in a guest.
I downloaded the sources over https, but I didn't verify them against
the signature provided, since I couldn't figure out where to download
the keys from. Tips on how to find keys in general would be appreciated.
Also - the source needs to use https because connection over http
fails.
Thanks,
--
Andy
From 8d1c8528e46ff7eb24def9181017317b8a7d54ea Mon Sep 17 00:00:00 2001
From: Andy Patterson <ajpatter <at> uwaterloo.ca>
Date: Sat, 2 Dec 2017 16:22:11 -0500
Subject: [PATCH] gnu: spice: Update to 0.14.0.
This is a follow-up to commit 9a187b39b7991463aa6985f5b746fccf69789525.
* gnu/packages/spice.scm (spice): Update to 0.14.0.
[origin]<patches>: Remove them.
<uri>: Use https.
[inputs]: Add orc.
[home-page]: Update to use https.
---
gnu/packages/spice.scm | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 7d49f90be..10f7c6bc5 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -203,20 +203,15 @@ which allows users to view a desktop computing environment.")
(define-public spice
(package
(name "spice")
- (version "0.12.8")
+ (version "0.14.0")
(source (origin
(method url-fetch)
(uri (string-append
- "http://www.spice-space.org/download/releases/"
+ "https://www.spice-space.org/download/releases/"
"spice-" version ".tar.bz2"))
(sha256
(base32
- "0za03i77j8i3g5l2np2j7vy8cqsdbkm9wbv4hjnaqq9xhz2sa0gr"))
- (patches
- (search-patches "spice-CVE-2017-7506.patch"
- "spice-CVE-2016-9577.patch"
- "spice-CVE-2016-9578-1.patch"
- "spice-CVE-2016-9578-2.patch"))))
+ "0j5q7cp5p95jk8fp48gz76rz96lifimdsx1wnpmfal0nnnar9nrs"))))
(build-system gnu-build-system)
(propagated-inputs
`(("openssl" ,openssl)
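Review bot: Dropping the whole "patches" field takes four security fixes out of the build (spice-CVE-2017-7506, spice-CVE-2016-9577 and the two spice-CVE-2016-9578 patches), and the log only says "Remove them". Please confirm that 0.14.0 contains each of these fixes upstream and say so in the commit message. The diffstat also shows a single file changed, so the .patch files themselves and their entries in gnu/local.mk are left behind and should be removed in the same commit.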
@@ -228,6 +223,7 @@ which allows users to view a desktop computing environment.")
("libjpeg-turbo" ,libjpeg-turbo)
("lz4" ,lz4)
("opus" ,opus)
+ ("orc" ,orc)
("zlib" ,zlib)))
(native-inputs
`(("pkg-config" ,pkg-config)
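Review bot: The commit log lists "[home-page]: Update to use https." but no hunk touches the home-page field: the 4 insertions in the diffstat are the version, the URI, the hash and this orc line. Either include the home-page change or drop that entry from the log. For the ("orc" ,orc) addition, the context lines do not show which field this list belongs to, so check that it is the inputs list named in the log rather than the propagated-inputs list opened in the previous hunk.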
--
2.15.0
Information forwarded to guix-patches <at> gnu.org: bug#29540; Package guix-patches. (Sun, 03 Dec 2017 00:42:01 GMT)
Message #8 received at 29540 <at> debbugs.gnu.org (full text, mbox):
On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> I downloaded the sources over https, but I didn't verify them against
> the signature provided, since I couldn't figure out where to download
> the keys from. Tips on how to find keys in general would be appreciated.
"How to use GnuPG" is probably best left to the experts:
https://gnupg.org/documentation/guides.html
But here's how I would acquire this key and verify the signature. Note
that the crucial identifier, the key fingerprint, is provided in the
error message of the first command.
------
$ gpg --verify spice-0.14.0.tar.bz2.sign
gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
gpg: Can't check signature: No public key
$ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 94A9F75661F77A6168649B23A9D8C21429AC6C82
$ gpg --verify spice-0.14.0.tar.bz2.sign
gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
gpg: Good signature from "Christophe Fergeau (teuf) <christophe <at> fergeau.eu>" [unknown]
gpg: aka "Christophe Fergeau <teuf <at> gnome.org>" [unknown]
gpg: aka "Christophe Fergeau <cfergeau <at> gmail.com>" [unknown]
gpg: aka "Christophe Fergeau <cfergeau <at> redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82
------
We can be reasonably sure that someone with that private key signed the
tarball. Now, is it the right key? Hopefully the upstream documentation
says which keys are considered "authorized" to sign Spice releases.
[signature.asc (application/pgp-signature, inline)]
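The check described in the message above, as an added example that is not part of the original thread: rather than reading gpg's human-oriented output, parse its `--status-fd` lines and accept only a valid signature whose primary-key fingerprint equals the one printed in the thread. The function names and the sample status lines are constructed for illustration, and pinning this fingerprint is an assumption, since the thread leaves open whether it is the authorised release key.

```shell
#!/bin/sh
# Added example (not from the thread): decide on gpg's machine-readable
# status lines instead of its human-readable output.

# Fingerprint printed in the thread. Pinning it is an assumption of this
# example; the thread leaves open whether it is the authorised release key.
PINNED_FPR=94A9F75661F77A6168649B23A9D8C21429AC6C82

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# names the pinned primary-key fingerprint (its last field) and no line
# reports a bad, unverifiable, expired or revoked signature or key.
status_matches_pin() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        # Appending "" forces a string comparison, never a numeric one.
        $2 == "VALIDSIG" { if (($NF "") == (pin "")) ok = 1; else bad = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned SIGFILE DATAFILE: run gpg on a detached signature and
# apply the check above. Needs the public key in the local keyring.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$PINNED_FPR"
}

# Constructed status output for a good signature by the pinned key
# (the user ID and signature id are placeholders, not real gpg output).
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID constructedSigId 2017-10-11 1507721638
[GNUPG:] GOODSIG A9D8C21429AC6C82 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $PINNED_FPR 2017-10-11 1507721638 0 4 0 1 8 00 $PINNED_FPR
EOF
}

if sample_status | status_matches_pin "$PINNED_FPR"; then
    echo "signature is valid and made by the pinned key"
fi
```

With the key imported, `verify_pinned spice-0.14.0.tar.bz2.sign spice-0.14.0.tar.bz2` applies the same check to the real files.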
Information forwarded to guix-patches <at> gnu.org: bug#29540; Package guix-patches. (Sun, 03 Dec 2017 05:42:01 GMT)
Message #11 received at 29540 <at> debbugs.gnu.org (full text, mbox):
Hi Leo,
On Sat, 2 Dec 2017 19:41:23 -0500
Leo Famulari <leo <at> famulari.name> wrote:
> On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> > I downloaded the sources over https, but I didn't verify them
> > against the signature provided, since I couldn't figure out where
> > to download the keys from. Tips on how to find keys in general
> > would be appreciated.
>
> "How to use GnuPG" is probably best left to the experts:
>
> https://gnupg.org/documentation/guides.html
>
> But here's how I would acquire this key and verify the signature. Note
> that the crucial identifier, the key fingerprint, is provided in the
> error message of the first command.
>
> ------
> $ gpg --verify spice-0.14.0.tar.bz2.sign
> gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
> gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
> gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
> gpg: Can't check signature: No public key
>
> $ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 94A9F75661F77A6168649B23A9D8C21429AC6C82
>
> $ gpg --verify spice-0.14.0.tar.bz2.sign
> gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
> gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
> gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
> gpg: Good signature from "Christophe Fergeau (teuf) <christophe <at> fergeau.eu>" [unknown]
> gpg: aka "Christophe Fergeau <teuf <at> gnome.org>" [unknown]
> gpg: aka "Christophe Fergeau <cfergeau <at> gmail.com>" [unknown]
> gpg: aka "Christophe Fergeau <cfergeau <at> redhat.com>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82
> ------
>
Ooh, thanks.
> We can be reasonably sure that someone with that private key signed
> the tarball. Now, is it the right key? Hopefully the upstream
> documentation says which keys are considered "authorized" to sign
> Spice releases.
I didn't find anything. *shrugs*
--
Andy
Information forwarded to guix-patches <at> gnu.org: bug#29540; Package guix-patches. (Sun, 03 Dec 2017 22:47:02 GMT)
Message #14 received at 29540 <at> debbugs.gnu.org (full text, mbox):
Andy Patterson <ajpatter <at> uwaterloo.ca> writes:
>> $ gpg --verify spice-0.14.0.tar.bz2.sign
>> gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
>> gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
>> gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
>> gpg: Good signature from "Christophe Fergeau (teuf) <christophe <at> fergeau.eu>" [unknown]
>> gpg: aka "Christophe Fergeau <teuf <at> gnome.org>" [unknown]
>> gpg: aka "Christophe Fergeau <cfergeau <at> gmail.com>" [unknown]
>> gpg: aka "Christophe Fergeau <cfergeau <at> redhat.com>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82
>> ------
>>
>
> Ooh, thanks.
>
>> We can be reasonably sure that someone with that private key signed
>> the tarball. Now, is it the right key? Hopefully the upstream
>> documentation says which keys are considered "authorized" to sign
>> Spice releases.
>
> I didn't find anything. *shrugs*
Here’s the release announcement:
https://lists.freedesktop.org/archives/spice-announce/2017-October/000061.html
It is a signed message by Christophe Fergeau, but I haven’t been able to
verify the signature. The message could have been mangled by the
mailing list.
According to https://cgit.freedesktop.org/spice/spice/log/NEWS
Christophe Fergeau has handled the previous release as well, and the
same person is listed as the current maintainer. The “v0.14.0” tag is
signed with the same key:
--8<---------------cut here---------------start------------->8---
git verify-tag v0.14.0
gpg: Signature made Wed 11 Oct 2017 10:36:45 AM CEST
gpg: using RSA key A9D8C21429AC6C82
gpg: Good signature from "Christophe Fergeau (teuf) <christophe <at> fergeau.eu>" [unknown]
gpg: aka "Christophe Fergeau <teuf <at> gnome.org>" [unknown]
gpg: aka "Christophe Fergeau <cfergeau <at> gmail.com>" [unknown]
gpg: aka "Christophe Fergeau <cfergeau <at> redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82
--8<---------------cut here---------------end--------------->8---
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Information forwarded to guix-patches <at> gnu.org: bug#29540; Package guix-patches. (Mon, 04 Dec 2017 18:12:01 GMT)
Message #17 received at 29540 <at> debbugs.gnu.org (full text, mbox):
On Sun, Dec 03, 2017 at 11:45:51PM +0100, Ricardo Wurmus wrote:
> Andy Patterson <ajpatter <at> uwaterloo.ca> writes:
> >> We can be reasonably sure that someone with that private key signed
> >> the tarball. Now, is it the right key? Hopefully the upstream
> >> documentation says which keys are considered "authorized" to sign
> >> Spice releases.
> >
> > I didn't find anything. *shrugs*
>
> Here’s the release announcement:
[...]
Again we see that the "trust" part of the web of trust is a complicated
and difficult topic.
I'm doing a final test of this new QEMU [0] and I'll push if all goes
well.
[0] I make sure it can create and run a GuixSD VM. This exercises both
the qemu and qemu-minimal packages.
[signature.asc (application/pgp-signature, inline)]
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Mon, 04 Dec 2017 19:07:02 GMT)
Notification sent to Andy Patterson <ajpatter <at> uwaterloo.ca>: bug acknowledged by developer. (Mon, 04 Dec 2017 19:07:02 GMT)
Message #22 received at 29540-done <at> debbugs.gnu.org (full text, mbox):
On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> Subject: [PATCH] gnu: spice: Update to 0.14.0.
>
> This is a follow-up to commit 9a187b39b7991463aa6985f5b746fccf69789525.
>
> * gnu/packages/spice.scm (spice): Update to 0.14.0.
> [origin]<patches>: Remove them.
> <uri>: Use https.
> [inputs]: Add orc.
> [home-page]: Update to use https.
Pushed as b142756d9c6a2dd6936b7175f120846190f52aaa, also removing the
leftover patch files and references to them from 'gnu/local.mk'.
[signature.asc (application/pgp-signature, inline)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 02 Jan 2018 12:24:04 GMT)
This bug report was last modified 7 years and 229 days ago.