[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Ciaran McCreesh ciaran.mccreesh at googlemail.com
Thu May 10 15:02:51 UTC 2012

On Thu, 10 May 2012 14:36:14 +0200
"Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
> >> - Gentoo's manifest files:
> > And also they don't provide any security, only error detection.
> They provide limited security.

There's no such thing as "limited security".

> Assuming Gentoo devs manually check their tarballs' integrity before
> running ebuild manifest, it means that if you wanted to trojan a
> Gentoo package, you'd have to own both a distfile mirror and an rsync
> mirror (or cvs master).

No, you'd only have to get an rsync mirror.

> >> We add a global variable like DOWNLOADS to exheres called
> >
> > The problem with this is that there needs to be a clean, sensible
> > way to generate it. Bear in mind that some packages have hundreds
> > of files to download, and that their names are created
> > programmatically.
> Can you name an example of a package that does this? I'd be curious to
> see what the skinny is. But before looking at that, one immediate
> solution that occurs to me is that the CHECKSUMS file name could
> actually be a directory name that's created in distfiles for such
> files, and there would be a single checksum of the {sorted}
> concatenation of all files. Or something similar.

cave print-id-metadata --raw-name DOWNLOADS -b vim::/?

> > I think you're underestimating the impact on workflow. The only way
> > this works is if it's not a huge pain in the ass for developers to
> > use. That's what's stopped us from doing something in the past.
> Well, the general workflow of verifying a tarball's fingerprint using
> upstream's provided method (maybe the project maintainer releases his
> public key, etc) should be second nature to any developer who doesn't
> _deserve_ to be trojan'd. So the additional step and impact on
> workflow, I suppose, is adding the hash to the exheres, which I
> imagine would look something like:
> Single file:
> $ sha1sum openssh-6.0p1.tar.gz
> f691e53ef83417031a2854b8b1b661c9c08e4422
> Directory idea above:
> $ cat foobar-files/* | sha1sum
> e7e2a2d0b22bfd51da771f1b1a5095bfadbaa829
> And then pasting in the exheres. Doesn't sound so bad to me. What
> hassles do you suppose I'm overlooking?

How does that fit in with the standard workflow?


Bear in mind that people might be working on dozens of packages all in
one go.

Ciaran McCreesh
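The "single checksum of the sorted concatenation" idea quoted above, as an added example that is not code from this thread or from Exherbo: a Python sketch of that digest next to a per-file manifest digest that also binds each file's name and size, run over a constructed pair of directories. Function names and the sample file contents are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def concat_digest(dirpath):
    """The quoted scheme: hash the sorted concatenation of all file contents,
    the equivalent of `cat dir/* | sha1sum`. File boundaries are not recorded."""
    h = hashlib.sha1()
    for name in sorted(os.listdir(dirpath)):
        with open(os.path.join(dirpath, name), "rb") as f:
            h.update(f.read())
    return h.hexdigest()


def manifest_digest(dirpath):
    """Hash each file separately and bind name, size and per-file hash into one
    record, then hash that record; boundaries and names become part of the digest."""
    lines = []
    for name in sorted(os.listdir(dirpath)):
        with open(os.path.join(dirpath, name), "rb") as f:
            data = f.read()
        lines.append(f"{name} {len(data)} {hashlib.sha1(data).hexdigest()}")
    return hashlib.sha1("\n".join(lines).encode()).hexdigest()


def verify(dirpath, expected):
    """Check a distfile directory against the manifest digest recorded in a recipe."""
    return manifest_digest(dirpath) == expected


def _make_dir(files):
    # Build a throwaway distfile directory from constructed sample contents.
    d = tempfile.mkdtemp()
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


def demo():
    good = _make_dir({"a.tar.gz": b"hello", "b.tar.gz": b"world"})  # constructed
    expected = manifest_digest(good)
    # Same byte stream, split at a different file boundary: the concatenation
    # digest cannot distinguish the two directories, the manifest digest can.
    shifted = _make_dir({"a.tar.gz": b"hellow", "b.tar.gz": b"orld"})  # constructed
    return {
        "intact_ok": verify(good, expected),
        "shifted_ok": verify(shifted, expected),
        "concat_collides": concat_digest(good) == concat_digest(shifted),
    }
```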