[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Ciaran McCreesh ciaran.mccreesh at googlemail.com
Thu May 10 15:02:51 UTC 2012


On Thu, 10 May 2012 14:36:14 +0200
"Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
> >> - Gentoo's manifest files:
> > And also they don't provide any security, only error detection.
> 
> They provide limited security.

There's no such thing as "limited security".

> Assuming Gentoo devs manually check their tarballs' integrity before
> running ebuild manifest, it means that if you wanted to trojan a
> Gentoo package, you'd have to own both a distfile mirror and an rsync
> mirror (or cvs master).

No, you'd only have to get an rsync mirror.

> >> We add a global variable like DOWNLOADS to exheres called
> >> CHECKSUMS:
> >
> > The problem with this is that there needs to be a clean, sensible
> > way to generate it. Bear in mind that some packages have hundreds
> > of files to download, and that their names are created
> > programmatically.
> 
> Can you name an example of a package that does this? I'd be curious to
> see what the skinny is. But before looking at that, one immediate
> solution that occurs to me is that the CHECKSUMS file name could
> actually be a directory name that's created in distfiles for such
> files, and there would be a single checksum of the {sorted}
> concatenation of all files. Or something similar.

cave print-id-metadata --raw-name DOWNLOADS -b vim::/?

> > I think you're underestimating the impact on workflow. The only way
> > this works is if it's not a huge pain in the ass for developers to
> > use. That's what's stopped us from doing something in the past.
> 
> Well the general workflow of verifying a tarball's fingerprint using
> upstream's provided method (maybe the project maintainer releases his
> public key, etc) should be second nature to any developer who doesn't
> _deserve_ to be trojan'd. So the additional step and impact on
> workflow, I suppose, is adding the hash to the exheres, which I
> imagine would look something like:
> 
> Single file:
> $ sha1sum openssh-6.0p1.tar.gz
> f691e53ef83417031a2854b8b1b661c9c08e4422
> 
> Directory idea above:
> $ cat foobar-files/* | sha1sum
> e7e2a2d0b22bfd51da771f1b1a5095bfadbaa829
> 
> And then pasting in the exheres. Doesn't sound so bad to me. What
> hassles do you suppose I'm overlooking?

How does that fit in with the standard workflow?

http://ciaranm.wordpress.com/2010/11/28/exherbo-development-workflow-version-2/

Bear in mind that people might be working on dozens of packages all in
one go.

-- 
Ciaran McCreesh
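As an added example, not code from this thread or from Exherbo's tooling, here is a Python sketch of what a CHECKSUMS map could be checked against: a per-file digest map built in sorted order, one digest over that map, and a verifier that reports missing, extra and mismatched distfiles. The file names and contents in demo() are constructed; its second set shows why hashing the raw concatenation of a directory, as with `cat foobar-files/* | sha1sum`, cannot tell where one file ends and the next begins.

```python
import hashlib
import tempfile
from pathlib import Path

def build_checksums(distdir: Path) -> dict:
    """CHECKSUMS-style mapping {name: sha256 hex} over every regular file, sorted by name."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(distdir.iterdir()) if p.is_file()}

def directory_digest(checksums: dict) -> str:
    """One digest for a whole set, taken over 'name<TAB>digest' lines: binds names and boundaries."""
    h = hashlib.sha256()
    for name in sorted(checksums):  # sorted, so insertion order cannot change the result
        h.update(f"{name}\t{checksums[name]}\n".encode())
    return h.hexdigest()

def verify(distdir: Path, expected: dict) -> list:
    """Problems found; an empty list means all listed files are present, match, and nothing extra exists."""
    actual = build_checksums(distdir)
    problems = []
    for name in sorted(set(expected) | set(actual)):
        if name not in actual:
            problems.append(f"missing: {name}")
        elif name not in expected:
            problems.append(f"unexpected: {name}")
        elif actual[name] != expected[name]:
            problems.append(f"mismatch: {name}")
    return problems

def demo() -> dict:
    """Constructed sample: two tiny 'distfiles', a tampered copy, and a set with the same concatenation."""
    cat_digest = lambda d: hashlib.sha256(  # what `cat dir/* | sha1sum` actually binds
        b"".join(p.read_bytes() for p in sorted(d.iterdir()))).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        orig, shifted = Path(tmp) / "orig", Path(tmp) / "shifted"
        for d, a, b in ((orig, b"ab", b"c"), (shifted, b"a", b"bc")):
            d.mkdir()
            (d / "a.tar").write_bytes(a)
            (d / "b.tar").write_bytes(b)
        expected = build_checksums(orig)
        clean = verify(orig, expected)
        same_cat = cat_digest(orig) == cat_digest(shifted)
        same_set = directory_digest(expected) == directory_digest(build_checksums(shifted))
        (orig / "a.tar").write_bytes(b"aX")  # simulate a swapped tarball on a mirror
        (orig / "c.tar").write_bytes(b"z")   # a file that CHECKSUMS never listed
        return {"clean": clean, "tampered": verify(orig, expected),
                "same_cat": same_cat, "same_manifest": same_set}
```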