qemu-devel

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPort


From: Programmingkid
Subject: Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts
Date: Wed, 4 Apr 2018 12:19:29 -0400

> On Apr 4, 2018, at 12:08 PM, Paolo Bonzini <address@hidden> wrote:
> 
> On 04/04/2018 18:05, Programmingkid wrote:
>> 
>>> On Apr 4, 2018, at 11:55 AM, Stefan Weil <address@hidden> wrote:
>>> 
>>> On 04.04.2018 at 16:58, Daniel P. Berrangé wrote:
>>>> On Wed, Apr 04, 2018 at 04:45:48PM +0200, Paolo Bonzini wrote:
>>>>> On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>>>>> The source/quality of those binaries is completely opaque. We've no idea 
>>>>>> who
>>>>>> built them, nor what build options were used, nor what/where the 
>>>>>> corresponding
>>>>>> source is (required for GPL compliance), nor any checksum / signature to
>>>>>> validate the binary isn't compromised since build, etc, etc.
>>>>>> 
>>>>>> Pointing users to those binaries makes it appear QEMU project is blessing
>>>>>> them, and so any issues with them directly reflect on QEMU's reputation.
>>>>>> 
>>>>>> If we're going to link to binaries telling users to download them, we 
>>>>>> need
>>>>>> to be hosting them on qemu.org and have a clearly documented formal 
>>>>>> process
>>>>>> around building & distributing them.
>>>>>> 
>>>>>> Since both Homebrew & Macports are providing formal builds though, it 
>>>>>> looks
>>>>>> simpler to just entirely delegate the problem to them, as we do for Linux
>>>>>> where we delegate to distro vendors to build & distribute binaries.
>>>>> 
>>>>> Note that, to some extent, the same issues do apply to Win32 binaries
>>>>> (in particular, they are distributed under http and there are no
>>>>> signatures).  However, the situation is better in that they are hosted
>>>>> on an identifiable person's website, and of course Windows doesn't have
>>>>> something akin to Homebrew and Macports so there is no alternative to
>>>>> volunteers building and hosting the binaries.
>>>> 
>>>> It would be desirable & practical to address that for Win32, by building
>>>> the Win32 binaries at time of cutting the release, using the Mingw 
>>>> toolchain
>>>> via one of our formal Docker environments. Would need buy-in of our release
>>>> manager to accept the extra work for making releases though...
>>>> 
>>>> Regards,
>>>> Daniel
>>> 
>>> That would be one possible way. A more automated way could use CI builds
>>> (for example on GitHub) to generate executables for Windows.
>>> 
>>> By the way: https://qemu.weilnetz.de provides https (maybe I should
>>> enforce it), it includes sha512, and I also sign the binaries with my
>>> key. You still have to trust me, Debian and Cygwin (which provides lots
>>> of libraries used for the build).
>>> 
>>> Regards,
>>> Stefan
>> 
>> I guess there is just too much distrust to provide a QEMU binary for 
>> download.
> 
> It's not distrust, it's responsibility.
> 
> Paolo

So from what I learned, in order to provide a binary of QEMU, these things must 
be done:
- Some kind of checksum be provided for the binary (md5, SHA512, ...)
- A zip file that has the exact code used to build the binary be provided
- The complete environment used to build the binary be documented
-- Operating system name and version
-- name and version of various tools used to build the binary (GCC, make, ...)
-- name and version of libraries that are linked to QEMU (libc, pixman, ...)
- The exact command-line options used to build the binary be provided
- The email address and identity of the person who made the binary be provided

If anything is missing please feel free to share. 
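
The checklist above expressed as a machine-readable build manifest plus a download check, as an added example that is not part of the original email or of any QEMU tooling. The field names, sample bytes, tool and library versions, configure options and builder address are all constructed assumptions.

```python
import hashlib
import hmac
import platform

# Field names are assumptions for this example, one per checklist item.
REQUIRED = ("binary_sha512", "source_sha512", "os", "tools",
            "libraries", "configure_args", "builder")

def sha512_hex(data: bytes) -> str:
    # SHA-512 as named in the thread; MD5 is not collision resistant.
    return hashlib.sha512(data).hexdigest()

def build_manifest(binary, source_zip, tools, libraries, configure_args, builder):
    """Record what was built, from which source, with what, and by whom."""
    return {
        "binary_sha512": sha512_hex(binary),
        "source_sha512": sha512_hex(source_zip),
        "os": {"name": platform.system(), "version": platform.release()},
        "tools": tools,
        "libraries": libraries,
        "configure_args": configure_args,
        "builder": builder,
    }

def verify_download(manifest: dict, binary: bytes) -> list:
    """Return a list of problems; an empty list means the download matches."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in manifest]
    expected = str(manifest.get("binary_sha512", ""))
    if not hmac.compare_digest(expected, sha512_hex(binary)):
        problems.append("binary checksum mismatch")
    return problems

# Constructed sample inputs (stand-ins, not real QEMU artifacts or versions).
SAMPLE_BINARY = b"constructed stand-in for a qemu-system binary"
SAMPLE_SOURCE = b"constructed stand-in for the source zip"
SAMPLE_MANIFEST = build_manifest(
    SAMPLE_BINARY, SAMPLE_SOURCE,
    tools={"gcc": "0.0-example", "make": "0.0-example"},
    libraries={"libc": "0.0-example", "pixman": "0.0-example"},
    configure_args=["--target-list=x86_64-softmmu"],
    builder="Example Builder <builder@example.org>",
)

if __name__ == "__main__":
    # The manifest only helps if it is itself authenticated, e.g. by a
    # detached signature from the builder's key (signing is not shown here).
    print(verify_download(SAMPLE_MANIFEST, SAMPLE_BINARY))
    print(verify_download(SAMPLE_MANIFEST, SAMPLE_BINARY + b"\x00"))
```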



