[PATCH] gnu: spice: Update to 0.14.0.

  • Done
Details
3 participants
  • Andy Patterson
  • Leo Famulari
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Andy Patterson
Severity
normal


Andy Patterson wrote 7 years ago
(address . guix-patches@gnu.org)
20171202172327.0db2d98b@uwaterloo.ca
Hi all,

This patch allows qemu to use OpenGL acceleration in the guest when
certain parameters are configured. I tested it out by running supertux
and supertuxkart in a guest.

I downloaded the sources over https, but I didn't verify them against
the signature provided, since I couldn't figure out where to download
the keys from. Tips on how to find keys in general would be appreciated.

Also - the source needs to use https because connection over http
fails.

Thanks,

--
Andy


From 8d1c8528e46ff7eb24def9181017317b8a7d54ea Mon Sep 17 00:00:00 2001
From: Andy Patterson <ajpatter@uwaterloo.ca>
Date: Sat, 2 Dec 2017 16:22:11 -0500
Subject: [PATCH] gnu: spice: Update to 0.14.0.

This is a follow-up to commit 9a187b39b7991463aa6985f5b746fccf69789525.

* gnu/packages/spice.scm (spice): Update to 0.14.0.
[origin]<patches>: Remove them.
<uri>: Use https.
[inputs]: Add orc.
[home-page]: Update to use https.
---
gnu/packages/spice.scm | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 7d49f90be..10f7c6bc5 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -203,20 +203,15 @@ which allows users to view a desktop computing environment.")
(define-public spice
(package
(name "spice")
- (version "0.12.8")
+ (version "0.14.0")
(source (origin
(method url-fetch)
(uri (string-append
- "http://www.spice-space.org/download/releases/"
+ "https://www.spice-space.org/download/releases/"
"spice-" version ".tar.bz2"))
(sha256
(base32
- "0za03i77j8i3g5l2np2j7vy8cqsdbkm9wbv4hjnaqq9xhz2sa0gr"))
- (patches
- (search-patches "spice-CVE-2017-7506.patch"
- "spice-CVE-2016-9577.patch"
- "spice-CVE-2016-9578-1.patch"
- "spice-CVE-2016-9578-2.patch"))))
+ "0j5q7cp5p95jk8fp48gz76rz96lifimdsx1wnpmfal0nnnar9nrs"))))
(build-system gnu-build-system)
(propagated-inputs
`(("openssl" ,openssl)
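Review bot: the removed (patches ...) block drops spice-CVE-2017-7506.patch, spice-CVE-2016-9577.patch and both spice-CVE-2016-9578 patches, but the commit log only says "Remove them" and the diffstat shows gnu/packages/spice.scm as the only file touched. Please state in the log that 0.14.0 already contains these fixes, and delete the four patch files and their gnu/local.mk entries in the same commit so they do not linger unreferenced. The new base32 hash should also be computed from a tarball whose signature has been checked, since the cover letter says the download was not verified.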
@@ -228,6 +223,7 @@ which allows users to view a desktop computing environment.")
("libjpeg-turbo" ,libjpeg-turbo)
("lz4" ,lz4)
("opus" ,opus)
+ ("orc" ,orc)
("zlib" ,zlib)))
(native-inputs
`(("pkg-config" ,pkg-config)
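Review bot: the added ("orc" ,orc) line has no stated reason; say in the commit log or in a comment whether 0.14.0 requires orc or only uses it when present. Also, the log lists "[home-page]: Update to use https." but neither hunk touches home-page, and the four insertions in the diffstat are already accounted for by the version, uri, hash and orc lines, so either add that change or drop the log entry.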
--
2.15.0
Leo Famulari wrote 7 years ago
(name . Andy Patterson)(address . ajpatter@uwaterloo.ca)(address . 29540@debbugs.gnu.org)
20171203004123.GB353@jasmine.lan
On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> I downloaded the sources over https, but I didn't verify them against
> the signature provided, since I couldn't figure out where to download
> the keys from. Tips on how to find keys in general would be appreciated.

"How to use GnuPG" is probably best left to the experts:

https://gnupg.org/documentation/guides.html

But here's how I would acquire this key and verify the signature. Note
that the crucial identifier, the key fingerprint, is provided in the
error message of the first command.

------
$ gpg --verify spice-0.14.0.tar.bz2.sign
gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
gpg: Can't check signature: No public key

$ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 94A9F75661F77A6168649B23A9D8C21429AC6C82

$ gpg --verify spice-0.14.0.tar.bz2.sign
gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
gpg: Good signature from "Christophe Fergeau (teuf) <christophe@fergeau.eu>" [unknown]
gpg: aka "Christophe Fergeau <teuf@gnome.org>" [unknown]
gpg: aka "Christophe Fergeau <cfergeau@gmail.com>" [unknown]
gpg: aka "Christophe Fergeau <cfergeau@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82
------

We can be reasonably sure that someone with that private key signed the
tarball. Now, is it the right key? Hopefully the upstream documentation
says which keys are considered "authorized" to sign Spice releases.


Andy Patterson wrote 7 years ago
(name . Leo Famulari)(address . leo@famulari.name)(address . 29540@debbugs.gnu.org)
20171203004102.62febb6d@uwaterloo.ca
Hi Leo,

On Sat, 2 Dec 2017 19:41:23 -0500
Leo Famulari <leo@famulari.name> wrote:

> On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> > I downloaded the sources over https, but I didn't verify them
> > against the signature provided, since I couldn't figure out where
> > to download the keys from. Tips on how to find keys in general
> > would be appreciated.
>
> "How to use GnuPG" is probably best left to the experts:
>
> https://gnupg.org/documentation/guides.html
>
> But here's how I would acquire this key and verify the signature. Note
> that the crucial identifier, the key fingerprint, is provided in the
> error message of the first command.
>
> ------
> $ gpg --verify spice-0.14.0.tar.bz2.sign
> gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
> gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
> gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
> gpg: Can't check signature: No public key
>
> $ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 94A9F75661F77A6168649B23A9D8C21429AC6C82
>
> $ gpg --verify spice-0.14.0.tar.bz2.sign
> gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
> gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
> gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
> gpg: Good signature from "Christophe Fergeau (teuf) <christophe@fergeau.eu>" [unknown]
> gpg: aka "Christophe Fergeau <teuf@gnome.org>" [unknown]
> gpg: aka "Christophe Fergeau <cfergeau@gmail.com>" [unknown]
> gpg: aka "Christophe Fergeau <cfergeau@redhat.com>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82
> ------
>

Ooh, thanks.

> We can be reasonably sure that someone with that private key signed
> the tarball. Now, is it the right key? Hopefully the upstream
> documentation says which keys are considered "authorized" to sign
> Spice releases.

I didn't find anything. *shrugs*

--
Andy
Ricardo Wurmus wrote 7 years ago
(name . Andy Patterson)(address . ajpatter@uwaterloo.ca)(address . 29540@debbugs.gnu.org)(name . Leo Famulari)(address . leo@famulari.name)
877eu34ehs.fsf@elephly.net
Andy Patterson <ajpatter@uwaterloo.ca> writes:

>> $ gpg --verify spice-0.14.0.tar.bz2.sign
>> gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
>> gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
>> gpg: using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
>> gpg: Good signature from "Christophe Fergeau (teuf) <christophe@fergeau.eu>" [unknown]
>> gpg: aka "Christophe Fergeau <teuf@gnome.org>" [unknown]
>> gpg: aka "Christophe Fergeau <cfergeau@gmail.com>" [unknown]
>> gpg: aka "Christophe Fergeau <cfergeau@redhat.com>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82
>> ------
>>
>
> Ooh, thanks.
>
>> We can be reasonably sure that someone with that private key signed
>> the tarball. Now, is it the right key? Hopefully the upstream
>> documentation says which keys are considered "authorized" to sign
>> Spice releases.
>
> I didn't find anything. *shrugs*

Here’s the release announcement:


It is a signed message by Christophe Fergeau, but I haven’t been able to
verify the signature. The message could have been mangled by the
mailing list.

Christophe Fergeau has handled the previous release as well, and the
same person is listed as the current maintainer. The “v0.14.0” tag is
signed with the same key:

git verify-tag v0.14.0
gpg: Signature made Wed 11 Oct 2017 10:36:45 AM CEST
gpg: using RSA key A9D8C21429AC6C82
gpg: Good signature from "Christophe Fergeau (teuf) <christophe@fergeau.eu>" [unknown]
gpg: aka "Christophe Fergeau <teuf@gnome.org>" [unknown]
gpg: aka "Christophe Fergeau <cfergeau@gmail.com>" [unknown]
gpg: aka "Christophe Fergeau <cfergeau@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82


--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
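
Added example (not part of the thread and not Guix or Spice code): "Good signature" only says that some key in the keyring signed the file, so this sketch pins the fingerprint shown in the messages above and checks it against gpg's machine-readable VALIDSIG status line, for both the tarball and the tag. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the release key by fingerprint and check it against
# GnuPG's machine-readable status lines rather than the human-readable text.

# Fingerprint printed by gpg in the thread above.
SPICE_FPR=94A9F75661F77A6168649B23A9D8C21429AC6C82

# signer_fpr: read status lines on stdin and print the primary-key fingerprint
# behind a cryptographically valid signature (nothing if there is none).
# VALIDSIG carries the signing (sub)key fingerprint first and, in current
# GnuPG, the primary-key fingerprint last.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($NF); exit }'
}

# pinned_signer_ok EXPECTED_FPR: succeed only if stdin reports a valid
# signature whose primary key is EXPECTED_FPR (spaces and case are ignored).
# A short or long key ID is rejected: only a full 40-hex fingerprint pins.
pinned_signer_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(signer_fpr)
    [ "${#want}" -eq 40 ] && [ -n "$got" ] && [ "$got" = "$want" ]
}

# Constructed sample of `gpg --status-fd 1 --verify` output for the tarball.
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A9D8C21429AC6C82 Christophe Fergeau (teuf) <christophe@fergeau.eu>
[GNUPG:] VALIDSIG $SPICE_FPR 2017-10-11 1507721638 0 4 0 1 8 00 $SPICE_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Offline demonstration on the constructed sample.
if sample_status | pinned_signer_ok "$SPICE_FPR"; then
    echo "valid signature from the pinned key"
fi

# Real use (needs gpg, git and the downloaded files):
#   gpg --status-fd 1 --verify spice-0.14.0.tar.bz2.sign spice-0.14.0.tar.bz2 \
#       2>/dev/null | pinned_signer_ok "$SPICE_FPR"
#   git verify-tag --raw v0.14.0 2>&1 | pinned_signer_ok "$SPICE_FPR"
```

The pin itself still has to come from somewhere trusted; the check only guarantees that later downloads were signed by the same key.
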
Leo Famulari wrote 7 years ago
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 29540@debbugs.gnu.org)(name . Andy Patterson)(address . ajpatter@uwaterloo.ca)
20171204181053.GA30970@jasmine.lan
On Sun, Dec 03, 2017 at 11:45:51PM +0100, Ricardo Wurmus wrote:
> Andy Patterson <ajpatter@uwaterloo.ca> writes:
> >> We can be reasonably sure that someone with that private key signed
> >> the tarball. Now, is it the right key? Hopefully the upstream
> >> documentation says which keys are considered "authorized" to sign
> >> Spice releases.
> >
> > I didn't find anything. *shrugs*
>
> Here’s the release announcement:

[...]

Again we see that the "trust" part of the web of trust is a complicated
and difficult topic.

I'm doing a final test of this new QEMU [0] and I'll push if all goes
well.

[0] I make sure it can create and run a GuixSD VM. This exercises both
the qemu and qemu-minimal packages.


Leo Famulari wrote 7 years ago
(name . Andy Patterson)(address . ajpatter@uwaterloo.ca)(address . 29540-done@debbugs.gnu.org)
20171204190645.GA28066@jasmine.lan
On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> Subject: [PATCH] gnu: spice: Update to 0.14.0.
>
> This is a follow-up to commit 9a187b39b7991463aa6985f5b746fccf69789525.
>
> * gnu/packages/spice.scm (spice): Update to 0.14.0.
> [origin]<patches>: Remove them.
> <uri>: Use https.
> [inputs]: Add orc.
> [home-page]: Update to use https.

Pushed as b142756d9c6a2dd6936b7175f120846190f52aaa, also removing the
leftover patch files and references to them from 'gnu/local.mk'.


Closed
This issue is archived.
