[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Jason A. Donenfeld Jason at zx2c4.com
Thu May 10 12:36:14 UTC 2012


On Thu, May 10, 2012 at 10:42 AM, Ciaran McCreesh
<ciaran.mccreesh at googlemail.com> wrote:
> Just FYI, package signing as provided by Gentoo doesn't give any
> security benefits.
>
>> - Gentoo's manifest files:
> And also they don't provide any security, only error detection.

They provide limited security. Assuming Gentoo devs manually check
their tarballs' integrity before running ebuild manifest, it means
that if you wanted to trojan a Gentoo package, you'd have to own both
a distfile mirror and an rsync mirror (or cvs master). But this is
beside the point, because what I was referring to would be a similar
setup of manifest files for Exherbo's git repo system, and that way
the integrity of the manifest files themselves would be given by git's
own crypto. Nonetheless, I'm not fully advocating the use of manifest
files right now, as I sense there's a general community-wide repulsion
to them.
>
>> We add a global variable like DOWNLOADS to exheres called CHECKSUMS:
>
> The problem with this is that there needs to be a clean, sensible way
> to generate it. Bear in mind that some packages have hundreds of files
> to download, and that their names are created programmatically.

Can you name an example of a package that does this? I'd be curious to
see what the skinny is. But before looking at that, one immediate
solution that occurs to me is that the CHECKSUMS file name could
actually be a directory name that's created in distfiles for such
files, and there would be a single checksum of the {sorted}
concatenation of all files. Or something similar.

> If we were doing it this way, it would be in the package mangler, and
> not done as a phase function.

Excellent, yes, okay. I had hoped that you would chime in about the
various implementation details. Package mangler - you know best.

> I think you're underestimating the impact on workflow. The only way
> this works is if it's not a huge pain in the ass for developers to use.
> That's what's stopped us from doing something in the past.

Well, the general workflow of verifying a tarball's fingerprint using
upstream's provided method (maybe the project maintainer releases his
public key, etc.) should be second nature to any developer who doesn't
_deserve_ to be trojan'd. So the additional step and impact on
workflow, I suppose, is adding the hash to the exheres, which I
imagine would look something like:

Single file:
$ sha1sum openssh-6.0p1.tar.gz
f691e53ef83417031a2854b8b1b661c9c08e4422

Directory idea above:
$ cat foobar-files/* | sha1sum
e7e2a2d0b22bfd51da771f1b1a5095bfadbaa829

And then pasting in the exheres. Doesn't sound so bad to me. What
hassles do you suppose I'm overlooking?
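The two checks sketched in the message above (a digest for a single distfile, and one digest covering a whole directory of downloads), written out as an added example; this is not Exherbo or Paludis code and the function names are made up here. It uses sha256sum instead of the sha1sum shown in the thread, and hashes a sorted per-file manifest instead of the raw concatenation, so the result does not depend on the shell's glob order and moving bytes across a file boundary or renaming a file changes it.

```shell
#!/bin/sh
# Added example, not part of the Exherbo thread or of Paludis.
# Function names (checksum_file, checksum_dir, verify_checksum) are
# hypothetical; an exheres would store the printed digest in CHECKSUMS.

# Digest of one distfile, e.g. a single tarball.
checksum_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# One digest for every regular file under directory $1.
# Each file contributes "digest  ./relative-name", the lines are sorted
# under LC_ALL=C so the order is stable across shells and locales, and
# the sorted manifest is hashed once more to give a single value.
checksum_dir() {
    (
        cd "$1" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) | sha256sum | cut -d' ' -f1
}

# verify_checksum COMPUTED EXPECTED: exit 0 only on an exact match.
verify_checksum() {
    [ "$1" = "$2" ]
}

# Stand-alone demo on constructed sample files (not real distfiles).
if [ "${CHECKSUM_DEMO:-1}" = 1 ]; then
    demo=$(mktemp -d)
    printf 'constructed sample tarball contents\n' > "$demo/foo-1.0.tar.gz"
    mkdir "$demo/foo-files"
    printf 'part one\n' > "$demo/foo-files/a.patch"
    printf 'part two\n' > "$demo/foo-files/b.patch"
    echo "single file: $(checksum_file "$demo/foo-1.0.tar.gz")"
    echo "directory:   $(checksum_dir "$demo/foo-files")"
    rm -rf "$demo"
fi
```

Set CHECKSUM_DEMO=0 to source only the functions.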