[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Jason A. Donenfeld Jason at zx2c4.com
Thu May 10 15:53:23 UTC 2012

On Thu, May 10, 2012 at 5:42 PM, Ciaran McCreesh
<ciaran.mccreesh at googlemail.com> wrote:
> a) Developers don't generally know the download URLs themselves.
> b) Even when the URLs are known, there are some places that use weird
> download methods that don't particularly like the specific ways wget is
> used by the PM, and we need to know that.

Hmmm. Hmm. Hmmm.


a) sha1s are fairly unique for most purposes
b) if implemented, the package manager will no doubt have functions to
parse DOWNLOADS to get a data structure of url--file

So, there could be a simple developer tool that:

a) looks at the mapping of sha1s in DOWNLOADS
b) fetches the new files
c) (Have you verified the upstream fingerprints like a responsible
developer? [y/N]  y )
d) hashes the new files
e) does a simple find and replace on the exheres:
    sed -i 's/old-sha1/new-sha1/g'
   for each file in DOWNLOADS.

> c) Even when the URLs are known and when we know the mirrors are fine,
> some packages have an awful lot of downloads. Developers don't
> typically fetch these by hand because it's too much of a pain.

Well hopefully they're verifying fingerprints against upstream's public keys...
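An added sketch of the developer tool described above (example code, not from this thread or from Exherbo's package manager). It assumes the exheres records hashes as `SHA1 <file> <hex>` lines (an assumed format), takes the fetched distfiles as bytes instead of running wget, and refuses to touch the exheres when the fingerprint prompt was not answered yes or when an old hash does not occur exactly once, which a blind global sed would not notice:

```python
import hashlib
import re
import shlex

def parse_downloads(downloads: str) -> dict:
    """Map local filename -> URL, honouring the `url -> name` rename form."""
    tokens, mapping, i = shlex.split(downloads), {}, 0
    while i < len(tokens):
        url, name = tokens[i], tokens[i].rsplit("/", 1)[-1]
        if i + 2 < len(tokens) and tokens[i + 1] == "->":
            name, i = tokens[i + 2], i + 3
        else:
            i += 1
        mapping[name] = url
    return mapping

def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def rewrite_hashes(exheres_text: str, old_to_new: dict) -> str:
    """Swap old sha1s for new ones, but only when each old hash occurs exactly
    once: a global sed would silently rewrite any other line that happens to
    contain the same hex string."""
    for old, new in old_to_new.items():
        hits = len(re.findall(re.escape(old), exheres_text))
        if hits != 1:
            raise ValueError(f"{old} occurs {hits} times in exheres, expected 1")
        exheres_text = exheres_text.replace(old, new)
    return exheres_text

def bump(exheres_text: str, downloads: str, fetched: dict, old_hashes: dict,
         verified: bool) -> str:
    """fetched: filename -> bytes of the newly fetched distfile (constructed
    here instead of calling wget); old_hashes: filename -> sha1 currently
    recorded; verified: the developer's answer to the fingerprint prompt."""
    if not verified:
        raise RuntimeError("upstream signatures not verified; not touching hashes")
    old_to_new = {}
    for name in parse_downloads(downloads):
        new = sha1_of(fetched[name])
        if new != old_hashes[name]:
            old_to_new[old_hashes[name]] = new
    return rewrite_hashes(exheres_text, old_to_new)

# Constructed sample exheres fragment (hash line format assumed, not Exherbo's).
DOWNLOADS = 'https://example.invalid/v1.0.tar.gz -> foo-1.0.tar.gz'
EXHERES = 'DOWNLOADS="%s"\nSHA1 foo-1.0.tar.gz %s\n' % (DOWNLOADS, sha1_of(b""))
```

Calling `bump(EXHERES, DOWNLOADS, {"foo-1.0.tar.gz": b"abc"}, {"foo-1.0.tar.gz": sha1_of(b"")}, verified=True)` returns the fragment with the recorded hash replaced by the sha1 of the new bytes.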

