Thread: New ftp layout

New ftp layout

From
"Dave Page"
Date:
Hi all,

I've created a new ftp layout as discussed earlier. It can be reviewed
at http://developer.pgadmin.org/ftp2/

Thoughts/comments are welcome before I make it live.

I haven't yet included the debian directories - Raph, can you help out
with how they should be handled?

Cheers, Dave.

Re: New ftp layout

From
blacknoz@club-internet.fr
Date:
>Hi all,
>
>I've created a new ftp layout as discussed earlier. It can be reviewed
>at http://developer.pgadmin.org/ftp2/
>
>Thoughts/comments are welcome before I make it live.
>
>I haven't yet included the debian directories - Raph, can you help out
>with how they should be handled?

ARGH! :)

Debian repositories include each version and you can select a specific version to install if you don't want the latest one.


The way the new dirs are organised will generate problems...
People will need to change a line in their sources.list (the text file which tells where to find packages) each time a new version is released...
I must think about it...
Would it be possible to exclude the debian dir from the X.Y.Z dirs and symlink to ../debian?

Something like
release/debian <----> directory with packages
release/1.0.x/debian -> ../debian
release/1.2.0/debian -> ../debian

And so on.

don't know... let me think about it.

Regards,
Raphaël


Re: New ftp layout

From
blacknoz@club-internet.fr
Date:


----Original message----
>Subject: [pgadmin-hackers] New ftp layout
>Date: Fri, 3 Dec 2004 13:04:30 -0000
>From: "Dave Page" <dpage@vale-housing.co.uk>
>To: "pgadmin-hackers" <pgadmin-hackers@postgresql.org>
>Cc: <blacknoz@club-internet.fr>
>
>Hi all,
>
>I've created a new ftp layout as discussed earlier. It can be reviewed
>at http://developer.pgadmin.org/ftp2/
>
>Thoughts/comments are welcome before I make it live.

Less Debian-specific:
why not add a symlink like "current" or "latest" pointing to the latest release.
release/current -> v1.2.0

Regards,
Raphaël
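The two layouts proposed above (per-version debian dirs symlinked to a shared release/debian, and a release/current link to the latest version) as an added example that is not part of the thread: a POSIX sh script that builds the layout in a temporary root and checks that every symlink is relative and resolves inside the release tree, which is what keeps the links valid once rsync mirrors copy them verbatim. The version numbers come from the thread; the temporary root and the check functions are constructed here.

```shell
#!/bin/sh
# Added example, not code from the pgadmin project: build the proposed
# ftp layout and validate its symlinks. Assumes only POSIX sh, mktemp,
# ln, find and readlink.
set -eu

ROOT=$(mktemp -d)        # constructed stand-in for the ftp root
REL="$ROOT/release"

# Build the layout from the thread: one shared Debian package directory,
# per-version links to it, and a "current" link to the latest release.
build_layout() {
    mkdir -p "$REL/debian" "$REL/1.0.x" "$REL/1.2.0" "$REL/v1.2.0"
    ln -s ../debian "$REL/1.0.x/debian"
    ln -s ../debian "$REL/1.2.0/debian"
    ln -s v1.2.0 "$REL/current"
}

# check_link LINK: succeed only if LINK is a symlink, its target is a
# relative path (absolute targets break on mirrors with a different
# root), it is not dangling, and it resolves to somewhere below $REL.
check_link() {
    link=$1
    [ -L "$link" ] || return 1
    target=$(readlink "$link")
    case $target in
        /*) return 1 ;;
    esac
    root=$(cd "$REL" && pwd -P)
    resolved=$(cd "$link" 2>/dev/null && pwd -P) || return 1
    case $resolved in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_layout: run check_link over every symlink under $REL; the first
# bad link makes the whole check fail.
check_layout() {
    find "$REL" -type l | while read -r l; do
        check_link "$l" || { echo "bad link: $l" >&2; exit 1; }
    done
}

build_layout
check_layout
echo "layout under $REL verified"
```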


Re: New ftp layout

From
Andreas Pflug
Date:
Dave Page wrote:
> Hi all,
>
> I've created a new ftp layout as discussed earlier. It can be reviewed
> at http://developer.pgadmin.org/ftp2/
>
> Thoughts/comments are welcome before I make it live.

Looks good to me.

Regards,
Andreas

Re: New ftp layout

From
"Dave Page"
Date:

> -----Original Message-----
> From: blacknoz@club-internet.fr [mailto:blacknoz@club-internet.fr]
> Sent: 03 December 2004 14:17
> To: Dave Page; pgadmin-hackers@postgresql.org
> Subject: Re: New ftp layout
>
> >Hi all,
> >
> >I've created a new ftp layout as discussed earlier. It can
> be reviewed
> >at http://developer.pgadmin.org/ftp2/
> >
> >Thoughts/comments are welcome before I make it live.
> >
> >I haven't yet included the debian directories - Raph, can
> you help out
> >with how they should be handled?
>
> ARGH! :)

Yup, that's about what I figured you would say!!

> Debian repositories include each version and you can select a
> specific version to install if you don't want the latest one.
>
>
> The way the new dirs are organised will generate problems...
> People will need to change a line in their sources.list (the
> text file which tell where to find packages) each time a new
> version is released...
> I must think about it...
> Would it be possible to exclude debian dir from X.Y.Z dirs
> and symlink to ../debian ?
>
> Something like
> release/debian <----> directory with packages
> release/1.0.x/debian -> ../debian
> release/1.2.0/debian -> ../debian
>
> And so on.

Yeah, I can probably do that :-)

Give me a few minutes and take a look...

Regards, Dave.

Re: New ftp layout

From
Devrim GUNDUZ
Date:

Hi,

On Fri, 3 Dec 2004, Dave Page wrote:

> I've created a new ftp layout as discussed earlier. It can be reviewed
> at http://developer.pgadmin.org/ftp2/
>
> Thoughts/comments are welcome before I make it live.

What about something like this:

* release
    - Linux
       - Distro 1
         - Distro Version 1
         - Distro Version 2
       - RPMS
           - SRPMS
       - Distro 2
    - Windows
    - ... Os Os OS

  Same applies for beta, too.

Any comments?

--
Devrim GUNDUZ
devrim~gunduz.org                devrim.gunduz~linux.org.tr
             http://www.tdmsoft.com
             http://www.gunduz.org

Re: New ftp layout

From
"Dave Page"
Date:

> -----Original Message-----
> From: Devrim GUNDUZ [mailto:devrim@gunduz.org]
> Sent: 03 December 2004 13:26
> To: Dave Page
> Cc: pgadmin-hackers; blacknoz@club-internet.fr
> Subject: Re: [pgadmin-hackers] New ftp layout
>
> Hi,
>
> On Fri, 3 Dec 2004, Dave Page wrote:
>
> > I've created a new ftp layout as discussed earlier. It can
> be reviewed
> > at http://developer.pgadmin.org/ftp2/
> >
> > Thoughts/comments are welcome before I make it live.
>
> What about something like this:
>
> * release
>     - Linux
>        - Distro 1
>          - Distro Version 1
>          - Distro Version 2
>        - RPMS
>            - SRPMS
>        - Distro 2
>     - Windows
>     - ... Os Os OS
>
>   Same applies for beta, too.

I'm not sure there are enough different OSs, are there? The longest
directory at the moment only has 12 entries in it, and even if that
doubles I don't think it will be hard to find what you need.

Regards, Dave.

Re: New ftp layout

From
Devrim GUNDUZ
Date:
Hi,

On Fri, 3 Dec 2004, Dave Page wrote:

> I'm not sure there are enough different OSs, are there? The longest
> directory at the moment only has 12 entries in it, and even if that
> doubles I don't think it will be hard to find what you need.

Mine is nearly the same layout as PostgreSQL.org. Look:

http://developer.pgadmin.org/ftp2/release/v1.2.0/

This seems so untidy to me...

--
Devrim GUNDUZ
devrim~gunduz.org                devrim.gunduz~linux.org.tr
             http://www.tdmsoft.com
             http://www.gunduz.org

Re: New ftp layout

From
"Dave Page"
Date:

> -----Original Message-----
> From: Devrim GUNDUZ [mailto:devrim@gunduz.org]
> Sent: 03 December 2004 13:38
> To: Dave Page
> Cc: pgadmin-hackers; blacknoz@club-internet.fr
> Subject: RE: [pgadmin-hackers] New ftp layout
>
>
> Hi,
>
> On Fri, 3 Dec 2004, Dave Page wrote:
>
> > I'm not sure there are enough different OSs, are there? The longest
> > directory at the moment only has 12 entries in it, and even if that
> > doubles I don't think it will be hard to find what you need.
>
> Mine is nearly the same layout as PostgreSQL.org. Look:

Didn't we just have a discussion about how virtually every release of pg
is structured differently under the binaries directory?

:-)

> http://developer.pgadmin.org/ftp2/release/v1.2.0/
>
> This seems so untidy to me...

Seems OK to me. I think having an OS/Version structure could prove less
friendly - for example, for the last release, I used slackware 9, for
this one, slackware 9.1 and probably for the next slackware 10, or even
higher. This would have left a structure like:

v1.0.0
  slackware
    9.0
v1.0.1
  slackware
    9.0
v1.0.2
  slackware
    9.0
v1.2.0
  slackware
    9.1
v1.X.0
  slackware
    10.0

Similar situations exist for other OSs. That just seems over the top to
me.

Does anyone else share Devrim's concern?

Regards, Dave

Re: New ftp layout

From
Troels Arvin
Date:
On Fri, 03 Dec 2004 13:04:30 +0000, Dave Page wrote:

> I've created a new ftp layout as discussed earlier. It can be reviewed
> at http://developer.pgadmin.org/ftp2/

Nice.

About the FC1-RPM:

1. I suggest that you duplicate it in a directory
   called fc2, since it runs on fc2, as well. That
   way, all existing Fedora Core releases should be
   covered.
2. I suggest that CURRENT_MAINTAINER files be added
   in the RPM-directories. The files should -
   apart from our names, etc. - contain a link to
   the relevant public key of the packager, i.e.
   http://troels.arvin.dk/pgp/
   or
   http://www.gunduz.org/devrimgunduz.pgp.pub

What about when we release updated binary packages which are not due to
updated pgadmin3 releases? I suggest that the RPM directories only contain
one RPM file each, i.e. the latest one, and that older RPM releases be
moved somewhere, like in release/v1.2.0/fc1/old.

Another thought should probably go to how to become yum/apt-friendly with
regard to the RPMs. I don't currently have a suggestion, but may return
with a suggestion later.

--
Greetings from Troels Arvin, Copenhagen, Denmark


Re: New ftp layout

From
"Dave Page"
Date:

> -----Original Message-----
> From: pgadmin-hackers-owner@postgresql.org
> [mailto:pgadmin-hackers-owner@postgresql.org] On Behalf Of
> Troels Arvin
> Sent: 03 December 2004 14:10
> To: pgadmin-hackers@postgresql.org
> Subject: Re: [pgadmin-hackers] New ftp layout
>
> On Fri, 03 Dec 2004 13:04:30 +0000, Dave Page wrote:
>
> > I've created a new ftp layout as discussed earlier. It can
> be reviewed
> > at http://developer.pgadmin.org/ftp2/
>
> Nice.
>
> About the FC1-RPM:
>
> 1. I suggest that you duplicate it in a directory
>    called fc2, since it runs on fc2, as well. That
>    way, all existing Fedora Core releases should be
>    covered.

I'd rather not do that, as following that logic we may end up with
umpteen copies of the same file. There's also the disk/bandwidth
overhead of around 80 mirror sites to consider, and the fact that it
implies there is a difference between the packages.

> 2. I suggest that CURRENT_MAINTAINER files be added
>    in the RPM-directories. The files should -
>    apart from our names, etc. - contain a link to
>    the relevant public key of the packager, i.e.
>    http://troels.arvin.dk/pgp/
>    or
>    http://www.gunduz.org/devrimgunduz.pgp.pub

Yup, I just haven't got around to that yet (I only added them to the
existing layout a couple of days ago).

> What about when we release updated binary packages which are
> not due to updated pgadmin3 releases? I suggest that the RPM
> directories only contain one RPM file each, i.e. the latest
> one, and that older RPM releases be moved somewhere, like in
> release/v1.2.0/fc1/old.

No, because that can cause significant rsync traffic as the mirrors
delete the moved files, and then download them again. Moving files
shouldn't be taken lightly on large mirror networks :-). I dread to
think what effect this change is going to have on svr4.postgresql.org as
it is!!

> Another thought should probably go to how to become
> yum/apt-friendly with regard to the RPMs. I don't currently
> have a suggestion, but may return with a suggestion later.

OK, look forward to it. The closest we have so far is the debian stuff
of course - Raphael might be able to provide some pointers on that.

Regards, Dave.

Re: New ftp layout

From
blacknoz@club-internet.fr
Date:

>> -----Original Message-----
>> From: pgadmin-hackers-owner@postgresql.org
>> [mailto:pgadmin-hackers-owner@postgresql.org] On Behalf Of
>> Troels Arvin
>> Sent: 03 December 2004 14:10
>> To: pgadmin-hackers@postgresql.org
>> Subject: Re: [pgadmin-hackers] New ftp layout
>>
>> 2. I suggest that CURRENT_MAINTAINER files be added
>>    in the RPM-directories. The files should -
>>    apart from our names, etc. - contain a link to
>>    the relevant public key of the packager, i.e.
>>    http://troels.arvin.dk/pgp/
>>    or
>>    http://www.gunduz.org/devrimgunduz.pgp.pub
>
>Yup, I just haven't got around to that yet (I only added them to the
>existing layout a couple of days ago).


Can you explain something to me? Why don't you /simply/ upload your key to a keyserver?
To me, gpg signing is efficient if (at least):
- your key is available from a third party
- your key is signed by someone you trust
- you have all the required files to inform people the key has been compromised. IMHO, uploading your key to a public keyserver makes it mandatory for you to generate revocation certificates... Something you may not do if your key is not much distributed.
- your private key is protected (I mean not on a host on the net)

I bet we won't be able to sign each other but why not (Hey Dave, still ok for next summer holidays ? ;p)

The only pub key I distribute in the deb repo is the key used to sign the debian unofficial repository release files. This key is not on a keyserver because it does not meet the above requirements.

Having the key on a keyserver helps getting the pub keys rapidly, as people first think the key is available on a keyserver(?).

Thanks for teaching me,
Raphaël


Re: New ftp layout

From
Troels Arvin
Date:
On Fri, 03 Dec 2004 16:21:42 +0000, blacknoz wrote:

> Why don't you /simply/ upload your key to a keyserver?

I should and I will, some day, when I get around to it (my older keys
were also on keyservers). But I'm not very fond of keyservers; there seems
to be several, uncoordinated key server projects and it's not clear where
to go. Also: There is no way to revoke a key if you haven't prepared
for revocation. Yes, one _should_ prepare for revocation, but that might
not be clear to the beginner (like it wasn't clear to me when I started
using PGP), so the keyservers slowly become cluttered with useless public
keys (like my first key for which I forgot the pass phrase).

At any rate, in my opinion, people should be able to use RPM signature
verification of the files distributed by pgadmin without having to use
key-servers. Thus, it's still relevant that downloaders are somehow
instructed in how to get the needed keys for RPM verification.

> To me, gpg signing is efficient if (at least):
[...]
I find GPG signing nice and efficient even though all those requirements
might not be true. First and foremost, it lets me use ftp mirrors with
more confidence. I try to never get software from mirrors unless it's
signed. And gpg-signed files are easier to use than MD5 sums if you
already have the relevant public keys in your keyring (especially when
using RPMs which often have the signature embedded).

About the many public key distribution and verification issues: Yes, it's
complicated and in a perfect world, we would sign each others' keys after
having seen picture ID, etc., but I basically like the following property:

Case 1:

1. I import the public key of software distributor X at time
   t.
2. Distributor X's web-site and distribution channel is compromised
   at time t+1.
3. I grab an update at time t+2 and notice that something's wrong.

Case 2:

1. Distributor X has their systems compromised at time t.
2. I grab their (bogus) public key at time t+1 and
   use it to install all kinds of malware.
3. At time t+2 someone else who had grabbed distributor
   X's original, valid public key some time ago notices that something's
   wrong, and it becomes public news.
4. I can reinstall all my systems. Sucks, but at least
   I got to know.

Case 3 (the really bad one):
Distributor X is compromised for a very short time and keeps it secret. I
happen to grab their public key + software just when this happens. No one
else notices, so it doesn't become public news. My system is rotten and I
don't know it.
Fortunately, case 3 is not very likely to happen. In the other - more
likely - cases, use of signatures is a win.

> [...]
> - your private key is protected (I mean not on a host on the net)

So whenever I use my key, I have to copy the file to work on to a floppy
disk and carry it to a host which has never been network-exposed? That
doesn't sound very security-promoting to me.

To sum up: I believe that signing of RPMs (and other types of signing) is
of high practical use, and the pgadmin project should make use of it.

--
Greetings from Troels Arvin, Copenhagen, Denmark


Re: New ftp layout

From
"Dave Page"
Date:

> -----Original Message-----
> From: pgadmin-hackers-owner@postgresql.org
> [mailto:pgadmin-hackers-owner@postgresql.org] On Behalf Of
> Troels Arvin
> Sent: 03 December 2004 16:58
> To: pgadmin-hackers@postgresql.org
> Subject: Re: [pgadmin-hackers] New ftp layout
>
> On Fri, 03 Dec 2004 16:21:42 +0000, blacknoz wrote:
>
> > Why don't you /simply/ upload your key to a keyserver?
>
> I should and I will, some day, when I get around to it (my
> older keys were also on keyservers). But I'm not very fond of
> keyservers; there seems to be several, uncoordinated key
> server projects and it's not clear where to go. Also: There
> is no way to revoke a key if you haven't prepared for
> revocation. Yes, one _should_ prepare for revocation, but
> that might not be clear to the beginner (like it wasn't clear
> to me when I started using PGP), so the keyservers slowly
> become cluttered with useless public keys (like my first key
> for which I forgot the pass phrase).

Ooh, that sounds *so* familiar - that's why there is an invalid
dpage@pgadmin.org key on keyserver.pgp.com that I can't delete!

> At any rate, in my opinion, people should be able to use RPM
> signature verification of the files distributed by pgadmin
> without having to use key-servers. Thus, it's still relevant
> that downloaders are somehow instructed in how to get the
> needed keys for RPM verification.

My key is on the website. It should probably be linked from the hall of
fame (http://www.pgadmin.org/pgadmin3/hall_of_fame.php) but currently is
only linked from the download page.

<snip>

> To sum up: I believe that signing of RPMs (and other types of
> signing) is of high practical use, and the pgadmin project
> should make use of it.

Agreed. I strongly encourage all our packagers to sign their work.

Regards, Dave.

Re: New ftp layout

From
Raphaël Enrici
Date:
Hi Troels (<- is Troels your firstname or is it Arvin ?),

Troels Arvin wrote:
> On Fri, 03 Dec 2004 16:21:42 +0000, blacknoz wrote:
>
>
>>Why don't you /simply/ upload your key to a keyserver?
>
> I should and I will, some day, when I get around to it (my older keys
> were also on keyservers). But I'm not very fond of keyservers; there seems
> to be several, uncoordinated key server projects and it's not clear where
> to go. Also: There is no way to revoke a key if you haven't prepared
> for revocation. Yes, one _should_ prepare for revocation, but that might
> not be clear to the beginner (like it wasn't clear to me when I started
> using PGP), so the keyservers slowly become cluttered with useless public
> keys (like my first key for which I forgot the pass phrase).

Mostly agreed. But that's where I wanted to insist:
key signing is a bit complex from the organisational point of view
although it is technically "simple".
I believe that the upload to a keyserver helps/forces people to do
things the right way and to ask themselves the right questions:
reading howtos, asking for advice before the first upload and so on...

If people just don't take care about it, they sign files but it's like
they missed all the interest of it... IMHO, thinking you are protected by
technical tools is always a bad thing if you didn't take time to
understand what they do and how you should be organised. Note that I'm
not saying you didn't understand it (reading your mail proves you fully
understand this and surely better than I do).

> At any rate, in my opinion, people should be able to use RPM signature
> verification of the files distributed by pgadmin without having to use
> key-servers. Thus, it's still relevant that downloaders are somehow
> instructed in how to get the needed keys for RPM verification.

Yes, agreed. You are right it may be interesting to distribute a keyring
/ text file with all our public keys.


>  And gpg-signed files are easier to use than MD5 sums if you
> already have the relevant public keys in your keyring (especially when
> using RPMs which often have the signature embedded).

easier and especially with two different goals...

> <snip>
>
>>[...]
>>- your private key is protected (I mean not on a host on the net)
>
>
> So whenever I use my key, I have to copy the file to work on to a floppy
> disk and carry it to a host which has never been network-exposed? That
> doesn't sound very security-promoting to me.

No, I was referring to the 10th point of the key signing party howto [1]
where it is advised to not permanently leave your .gnupg (or whatever
pgp software pub/priv key file you use) on a host accessible from the net.


> To sum up: I believe that signing of RPMs (and other types of signing) is
> of high practical use, and the pgadmin project should make use of it.

Did I say I was against that? IIRC I was one of the first people to ask
Dave to sign the source tarballs. I was just underlining that it should
be done with all security concerns in mind.

Thank you for your answer, it was nice to learn why some of us don't use
keyservers. I'll think of it twice in the future. :)

Regards,
Raphaël
1. http://www.cryptnet.net/fdp/crypto/gpg-party.html