[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Jason A. Donenfeld Jason at zx2c4.com
Thu May 10 17:15:22 UTC 2012


On Thu, May 10, 2012 at 6:07 PM, Ciaran McCreesh
<ciaran.mccreesh at googlemail.com> wrote:
> No parsing bash!
> No parsing bash!

Ahaha okay. You are certainly "right" in a sense, and I won't try
pushing you here.

So, status:   DOWNLOADS attributes / CHECKSUMS:  solution that works
but there might be difficulty in automation. Is automation something
we even want though? Shouldn't devs be checking thumbprints?


That aside, let me advance an alternative solution that might be favorable:

Paludis gains a feature called "hash repos", which is a list of git
repositories which contain a single or multiple files containing file
hashes. The format of the files is:

{sha1sum}{whitespace}{filename}

So, for example:

af75baeec32c68144b902b3a7961bd52ee954b3e  ccid-1.4.5.tar.bz2
c3a590bccbb3e2a6a6bd7d2ed324373f804b8154  ccid-1.4.6.tar.bz2
ee4b540e4897ee6637837a097658305d18345999  cdrtools-3.01a07.tar.bz2
d718a2f93e79d457b391451c4a6ab20968dd1d2a  chakra-gtk-config-1.7.tar.gz
a75cc89411e24b5d39b7869f8233e19f210de555  check-0.9.8.tar.gz
3cda2519a4abdf1b5cb155c66092a12bb1e1d3e2  chktex-1.6.6.tar.gz
e8bcc1d0d8dfec86aa648b87ba3f69b6d589eae0  chromaprint-0.6.tar.gz
0e92d9f052b2d8e519517f9b673ed23c57d5cc3c  chromium-17.0.963.12.tar.bz2
6452ad3992e8665dacfc0b4d20056894899e43fd  chromium-18.0.1003.1.tar.bz2


ALTERNATIVELY, instead of having file or files, we could have a file
for each hash. A git tree would look like:

./
  ./a
    ./a/b
         .a/b/ab75baeec32c68144b902b3a7961bd52ee954b3e
...

$ cat ./a/b/ab75baeec32c68144b902b3a7961bd52ee954b3e
ccid-1.4.5.tar.bz2

And so on, in a git like object manner of storage. Probably this way
is best. It also ensures that all commits to the hash repo can be
fast-forwardafied.

The authenticity of the hashes themselves would be provided by git's
natural commit chaining crypto.

Paludis would support multiple sources, so that third parties could
have hash repos too for things not in the Exherbo trees.

The package mangler would hash the distfile, and then look in the
distfile repos for any matches. If it can find a match, great, if it
can't, raise a condition, etc.

The big advantage of this is that we could even have the
exherbo_repositories.tar.bz2 file's hash in here too, and each time we
update that, we add another hash entry. Multiple sha1 entries for a
single file name is okay, of course.

Another advantage is that it wouldn't gum up the main repos with
"whoops forgot to update CHECKSUMS", since there'd just be a separate
repo whose only function is to continually accumulate these hashes.

Comments? Suggestions? Improvements?



More information about the Exherbo-dev mailing list