doc: 6908 add tarball verification docs v1 #11051
Ticket: OISF#6908
Signed-off-by: jason taylor <jtfas90@gmail.com>
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage diff (master vs. #11051):

    Coverage   80.63%   ->  83.67%  (+3.03%)
    Files         922   ->     922
    Lines      250137   ->  250321  (+184)
    Hits       201699   ->  209453  (+7754)
    Misses      48438   ->   40868  (-7570)

Flags with carried forward coverage won't be shown.
Installing from the source distribution files gives the most control over the Suricata installation.

The Suricata source tarballs should be verified before building the source, see
:doc:`source-verification`
Can we use common naming here? "source distribution" or "source tarball"?
Ah I hadn't paid attention to the previous lines, will update to match in the next PR. Any preference on wording?
Not a big fan of "tarball" in official documentation. I prefer "archive" or "distribution archive", etc.
Alright will get that updated/reworked, thanks!
nit: missing the period.
Downloading the sig File
~~~~~~~~~~~~~~~~~~~~~~~~

The sig file needs to be downloaded as well as the tarball. Both files can be
found at `<https://suricata.io/download/>`_.
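Review bot: the signature and the archive are offered from the same download page, so anyone able to replace the archive there can replace the `.sig` alongside it; this section should state that the signature only adds assurance once the signing key has been obtained, or its fingerprint checked, through a channel independent of https://suricata.io/download/, and point the reader to where that is described.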
"signature" is how we refer to it on the download page, should match I think.
will update in next PR
Some of the errors from the CI are doc building or dist check complaints.
/__w/suricata/suricata/doc/userguide/index.rst:6:toctree contains reference to nonexisting document 'source-verification'
(e.g. https://github.com/OISF/suricata/actions/runs/9019965517/job/24784406162?pr=11051#step:11:1108)
My only initial guess is that maybe that empty line before the chapter title makes some distros unhappy? Or there's something else I can't see.
@@ -0,0 +1,83 @@

nit: remove empty line
The other failures are related to: #11041
Importing the OISF Signing Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once both the sig file and suricata tarball files are obtained, the OISF
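Review bot: the key-import section should give the fingerprint of the OISF signing key and tell the reader to compare it against the output of `gpg --fingerprint` before verifying anything; importing a key by ID or by downloading it does not by itself establish that it is the right key, and without a published fingerprint to compare against, the trust warning described later in this file cannot be resolved by the reader.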
nit: consistent usage of Suricata, please? :)
To verify the contents of the Suricata tarball the following command should be
ran::

    $ gpg --verify suricata-7.0.5.tar.gz.sig suricata-7.0.5.tar.gz
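Review bot: besides the grammar ("should be run", not "ran") and the hard-coded 7.0.5 that the comment below raises, the example should tell anyone scripting the install to check the exit status: `gpg --verify` exits non-zero on a bad or missing signature, so an install script that ignores `$?` gains nothing from this step. For automation, `gpg --status-fd 1 --verify suricata-7.0.5.tar.gz.sig suricata-7.0.5.tar.gz` emits machine-readable `GOODSIG` and `VALIDSIG` lines on stdout, the latter carrying the signing key fingerprint, which is easier to check against the published fingerprint than the human-readable text.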
Considering how literal some interpretations can be, I think it's worth mentioning that the proper Suricata version should match with what they have installed, in their command-run.
Or maybe rephrase to indicate "To verify the Suricata-7.0.5 distribution archive, for instance, you could run"
This indicates that the OISF signing key was imported and the signatures are
valid, but either the keys have not been marked as trusted OR the keys are
possibly a forgery.
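Review bot: this paragraph presents two very different outcomes ("not marked as trusted" and "possibly a forgery") as if the reader could not tell them apart. The gpg output the paragraph describes is a good signature from a key that the local keyring has not certified; the signature itself has been verified. The text should tell the reader to compare the key fingerprint gpg prints with the published OISF fingerprint: a match means the archive is genuine and the warning goes away once the key is certified locally (for example with `gpg --lsign-key`), while a mismatch means the key, not just the archive, is suspect and the download must not be used. The contact address suggested in the comments below belongs after that distinction, for the mismatch case.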
Maybe add what could be done in this case? Don't trust the package, or reach out to us to let us know? Which would be the best channel for that? info@oisf.net?
Good question, what about something like "If there are questions regarding the validity of the downloaded file, the OISF team can be reached via any of the methods at https://suricata.io/our-story/contact/" ?
I think it's best if we point to something specific, to reduce friction. Not sure if this would be considered a security issue. If so, they could write to security@oisf.net (cf https://github.com/OISF/suricata/blob/master/SECURITY.md). If not, maybe the contact e-mail: info@oisf.net
continued in #11111
If anyone by any chance arrives here, the solution was actually to add the new file to the Makefile.am, as suggested by Jeff (cf #11111 (comment))
Make sure these boxes are signed before submitting your Pull Request -- thank you.
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6908
Describe changes:
Provide values to any of the below to override the defaults. To use a pull request use a branch name like pr/N where N is the pull request number. Alternatively, SV_BRANCH may also be a link to an OISF/suricata-verify pull-request.