Upstream Software Releases

[xnox]

• January
  • Nothing yet
• February
  • Glibc
  • Go
• March
  • Java
  • LLVM
• April
  • OpenSSL
• May
  • GCC
• June
  • Nothing yet
• July
  • Nothing yet
• August
  • Glibc
  • Go
• September
  • Java
  • LLVM
• October
  • Python
  • OpenSSL
• November
  • PHP
  • .NET 9 November 2024
• December
  • Ruby Merry Rubymas

Know-how

How to to land these transitions?
When/how to EOL things?

[pboling]

With regard to Ruby, and Rubygems, I received a question from a Wolfi contributor over here: https://gitlab.com/oauth-xx/version_gem/-/issues/3. It took me a long time to respond, and now I fear the submitter doesn't use GitLab enough to see my response. I need to know if building signed Rubygems without signing them is intentional. It sounds very much like the antithesis of the whole project for a secure software supply chain, but I admit I don't know much about the specifics of how you build the distro.

More generally I'd love to understand if it is a good approach to allow a signed gem to be built without signing. Is that a good idea, in general? It doesn't seem hard to have a signing key such that signed gems could be signed by the distro when built, thus proving the provenance.

[kaniini]

Wolfi signs at the package (apk) level and provenance is proven through the apkdb. This is pretty standard way for distributions to distribute things, including ruby gems.

I don’t know of a single distribution which bothers with signing content outside of the system package manager because it’s redundant: the gems included with distributions are only meant to be used in the context of that distribution’s package ecosystem.

[pboling]

Great! I'll make it optional!

[xnox]

@pboling please start new discussions, this thread is meant for the calendar of regular upstream releases only; and not a general discussion. Thanks!

I will try to fork/move this into a separate topic, if I figure out how to do this.