qemu-devel

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPort


From: Paolo Bonzini
Subject: Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts
Date: Wed, 4 Apr 2018 18:08:59 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0

On 04/04/2018 18:05, Programmingkid wrote:
> 
>> On Apr 4, 2018, at 11:55 AM, Stefan Weil <address@hidden> wrote:
>>
>> On 04.04.2018 at 16:58, Daniel P. Berrangé wrote:
>>> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>>>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>>>> The source/quality of those binaries is completely opaque. We've no idea who
>>>>> built them, nor what build options were used, nor what/where the corresponding
>>>>> source is (required for GPL compliance), nor any checksum / signature to
>>>>> validate the binary isn't compromised since build, etc, etc.
>>>>>
>>>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>>>
>>>>> If we're going to link to binaries telling users to download them, we need
>>>>> to be hosting them on qemu.org and have a clearly documented formal process
>>>>> around building & distributing them.
>>>>>
>>>>> Since both Homebrew & Macports are providing formal builds though, it looks
>>>>> simpler to just entirely delegate the problem to them, as we do for Linux
>>>>> where we delegate to distro vendors to build & distribute binaries.
>>>>
>>>> Note that, to some extent, the same issues do apply to Win32 binaries
>>>> (in particular, they are distributed under http and there are no
>>>> signatures).  However, the situation is better in that they are hosted
>>>> on an identifiable person's website, and of course Windows doesn't have
>>>> something akin to Homebrew and Macports so there is no alternative to
>>>> volunteers building and hosting the binaries.
>>>
>>> It would be desirable & practical to address that for Win32, by building
>>> the Win32 binaries at time of cutting the release, using the Mingw toolchain
>>> via one of our formal Docker environments. Would need buy-in of our release
>>> manager to accept the extra work for making releases though...
>>>
>>> Regards,
>>> Daniel
>>
>> That would be one possible way. A more automated way could use CI builds
>> (for example on GitHub) to generate executables for Windows.
>>
>> By the way: https://qemu.weilnetz.de provides https (maybe I should
>> enforce it), it includes sha512, and I also sign the binaries with my
>> key. You still have to trust me, Debian and Cygwin (which provides lots
>> of libraries used for the build).
>>
>> Regards,
>> Stefan
> 
> I guess there is just too much distrust to provide a QEMU binary for download.

It's not distrust, it's responsibility.

Paolo


