[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Ciaran McCreesh ciaran.mccreesh at googlemail.com
Thu May 10 08:42:16 UTC 2012


On Thu, 10 May 2012 03:08:21 +0200
"Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
> Exherbo is such a delightfully clean distro, I love having it on my
> server, because I can see how all the moving parts work. It's nearly
> everything I've always wanted fixed from Gentoo. One thing, however,
> that I really do miss from Gentoo is the security provided by package
> signing.

Just FYI, package signing as provided by Gentoo doesn't give any
security benefits.

> - Gentoo's manifest files: This is pretty decent in a lot of ways, but
> lots of developers don't like the patch flow with trying to keep these
> up to date and the various headaches of that. I get the sense there's
> a kind of implicit "we're not doing that way, regardless", based on
> everyone's past experiences, so for all intents and purposes, I'm
> assuming we nix this possibility. Correct me if my presumption is
> silly though.

And also they don't provide any security, only error detection.

> We add a global variable like DOWNLOADS to exheres called CHECKSUMS:
> 
> CHECKSUMS="foobar-1.2.tar.gz -
> sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d barhaz-0.8.tar.bz2 -
> sha1:254c83b354a04b5c06bcb18671f2dcb340ce3165 floradora.patch.xz -
> md5:5d41402abc4b2a76b9719d911017c592 "

The problem with this is that there needs to be a clean, sensible way
to generate it. Bear in mind that some packages have hundreds of files
to download, and that their names are created programmatically.

> We define a stage called src_checksum() that runs the checksums on
> everything from DOWNLOADS and all other non git-tree sources, such as
> those brought about in custom ways from src_fetch or src_nofetch, or
> manually downloaded undistributable tarballs, or likewise. I say "non
> git-tree sources", because the patches in
> sys-apps/foobar/files/fix-for-gcc-1.2.patch are already verified by
> item (a) exheres integrity above.
> 
> src_checksum bails if require-checksum-success is set and the checksum
> fails. src_checksum bails if require-checksum-existance is set and the
> CHECKSUMS variable has not yet been defined.

If we were doing it this way, it would be in the package mangler, and
not done as a phase function.

> That said, I don't think this proposal or any others will be
> disruptive at all, and will definitely provide a real world essential
> security improvement.

I think you're underestimating the impact on workflow. The only way
this works is if it's not a huge pain in the ass for developers to use.
That's what's stopped us from doing something in the past.

-- 
Ciaran McCreesh
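The CHECKSUMS format and src_checksum() semantics quoted above, modelled as an added example. This is not Exherbo or Paludis code and not the proposal author's; it is a stand-alone Python sketch of what the package mangler would have to do: parse the "<file> - <algo>:<hex>" triples, generate the variable from a (possibly programmatic) file list, and verify downloads under the two proposed require-checksum-* switches. The function and option names mirror the proposal, the distfile contents are constructed, and the default of sha256 for generation is this example's choice, since the md5 and sha1 entries in the quoted sample are collision-broken. As the reply points out, this only detects a corrupt or swapped download to the extent the tree carrying CHECKSUMS is itself trusted.

```python
"""Model of the proposed CHECKSUMS / src_checksum semantics (added example, not project code)."""
import hashlib
import os
import tempfile

# Format assumed from the proposal: "<file> - <algo>:<hexdigest>" triples separated by
# arbitrary whitespace, so the variable may be wrapped across lines in an exheres.
SUPPORTED = {"md5", "sha1", "sha256", "sha512"}


def parse_checksums(text):
    """Return {filename: (algo, hexdigest)}; raise ValueError on a malformed variable."""
    tokens = text.split()
    if len(tokens) % 3:
        raise ValueError("CHECKSUMS must be '<file> - <algo>:<hex>' triples")
    table = {}
    for name, sep, spec in zip(tokens[0::3], tokens[1::3], tokens[2::3]):
        if sep != "-" or ":" not in spec:
            raise ValueError("malformed entry for %r" % name)
        algo, hexdigest = spec.split(":", 1)
        algo = algo.lower()
        if algo not in SUPPORTED:
            raise ValueError("unsupported digest %r for %r" % (algo, name))
        if len(hexdigest) != hashlib.new(algo).digest_size * 2:
            raise ValueError("wrong digest length for %r" % name)
        if name in table:
            raise ValueError("duplicate entry for %r" % name)
        table[name] = (algo, hexdigest.lower())
    return table


def digest_file(path, algo):
    """Hash a file in chunks so large distfiles are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_checksums(distdir, names, algo="sha256"):
    """Produce a CHECKSUMS value for a file list (the generation step the reply asks for)."""
    return " ".join("%s - %s:%s" % (n, algo, digest_file(os.path.join(distdir, n), algo))
                    for n in sorted(names))


def src_checksum(checksums, distdir, names, require_success=True, require_existence=True):
    """Return (proceed, problems). checksums is None when CHECKSUMS is undefined.

    A missing variable bails only under require_existence; a mismatch or an unlisted
    file bails only under require_success. A malformed variable always bails, since
    that is a packaging error rather than a download problem (this example's choice).
    """
    problems = []
    if checksums is None:
        problems.append("CHECKSUMS not defined")
        return (not require_existence, problems)
    try:
        table = parse_checksums(checksums)
    except ValueError as e:
        return (False, [str(e)])
    for n in names:
        path = os.path.join(distdir, n)
        if n not in table:
            problems.append("%s: no checksum recorded" % n)
        elif not os.path.exists(path):
            problems.append("%s: file missing" % n)
        else:
            algo, expected = table[n]
            if digest_file(path, algo) != expected:
                problems.append("%s: %s mismatch" % (n, algo))
    return (not (problems and require_success), problems)


def demo():
    """Constructed distfiles: generate CHECKSUMS, verify, then tamper with one download."""
    with tempfile.TemporaryDirectory() as d:
        names = ["foobar-1.2.tar.gz", "floradora.patch.xz"]
        for n, data in zip(names, [b"constructed tarball\n", b"constructed patch\n"]):
            with open(os.path.join(d, n), "wb") as f:
                f.write(data)
        checksums = generate_checksums(d, names)
        clean = src_checksum(checksums, d, names)
        with open(os.path.join(d, names[0]), "ab") as f:
            f.write(b"trailing garbage\n")  # simulate a corrupted or replaced download
        tampered = src_checksum(checksums, d, names)
        lenient = src_checksum(checksums, d, names, require_success=False)
        undefined = src_checksum(None, d, names, require_existence=False)
        return clean, tampered, lenient, undefined


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "lenient", "undefined"), demo()):
        print(label, result)
```

Running the script prints the four outcomes: a clean tree verifies, the tampered tarball is reported as a sha256 mismatch and bails under the default switches, the same mismatch is only reported when require-checksum-success is off, and an undefined CHECKSUMS proceeds only when require-checksum-existence is off.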