[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal
Jason A. Donenfeld
Jason at zx2c4.com
Thu May 10 17:15:22 UTC 2012
On Thu, May 10, 2012 at 6:07 PM, Ciaran McCreesh
<ciaran.mccreesh at googlemail.com> wrote:
> No parsing bash!
> No parsing bash!
Ahaha okay. You are certainly "right" in a sense, and I won't try
pushing you here.
So, status: DOWNLOADS attributes / CHECKSUMS: solution that works
but there might be difficulty in automation. Is automation something
we even want though? Shouldn't devs be checking thumbprints?
That aside, let me advance an alternative solution that might be favorable:
Paludis gains a feature called "hash repos", which is a list of git
repositories which contain a single or multiple files containing file
hashes. The format of the files is:
So, for example:
ALTERNATIVELY, instead of having a file or files, we could have a file
for each hash. A git tree would look like:
$ cat ./a/b/ab75baeec32c68144b902b3a7961bd52ee954b3e
And so on, in a git-like object manner of storage. Probably this way
is best. It also ensures that all commits to the hash repo can be
The authenticity of the hashes themselves would be provided by git's
natural commit chaining crypto.
Paludis would support multiple sources, so that third parties could
have hash repos too for things not in the Exherbo trees.
The package mangler would hash the distfile, and then look in the
distfile repos for any matches. If it can find a match, great, if it
can't, raise a condition, etc.
The big advantage of this is that we could even have the
exherbo_repositories.tar.bz2 file's hash in here too, and each time we
update that, we add another hash entry. Multiple sha1 entries for a
single file name are okay, of course.
Another advantage is that it wouldn't gum up the main repos with
"whoops forgot to update CHECKSUMS", since there'd just be a separate
repo whose only function is to continually accumulate these hashes.
Comments? Suggestions? Improvements?
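The lookup sketched in this message, as an added example that is not Paludis or Exherbo code. It assumes details the message leaves open: the repo layout is <repo>/<h[0]>/<h[1]>/<h> with h the hex SHA-1 of the distfile (as in the "./a/b/ab75baee..." tree above), each entry file lists the distfile name(s) known under that hash one per line, and git is left out entirely (a "hash repo" here is just a checked-out directory). The sample distfiles and repo names are constructed for the demo.

```python
# Added example, not Paludis or Exherbo code: a minimal model of the
# "hash repo" lookup sketched in the message above.
#
# Assumptions (the message does not fix these details):
#   * repo layout is <repo>/<h[0]>/<h[1]>/<h>, with h the hex SHA-1 of the
#     distfile, matching the "./a/b/ab75baee..." example;
#   * each entry file lists the distfile name(s) known under that hash,
#     one per line;
#   * git itself is left out; a "hash repo" here is just a checked-out tree.
import hashlib
import os
import re
import tempfile

HEX_SHA1 = re.compile(r"^[0-9a-f]{40}$")


class UnknownDistfile(Exception):
    """Raised when no configured hash repo knows the distfile's hash."""


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-1; returns the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def entry_path(repo, digest):
    """Map a digest to its entry file. The digest is validated first so a
    hostile value can never turn into a path outside the repo."""
    if not HEX_SHA1.match(digest):
        raise ValueError("not a hex SHA-1 digest: %r" % (digest,))
    return os.path.join(repo, digest[0], digest[1], digest)


def record_hash(repo, digest, distname):
    """Publisher side: add distname under digest. Appending means several
    names may share a hash and one name may appear under several hashes."""
    p = entry_path(repo, digest)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "a") as f:
        f.write(distname + "\n")


def verify_distfile(path, hash_repos):
    """Package-mangler side: hash the distfile and consult the repos in
    order. Returns (repo, digest, names) for the first match, else raises."""
    digest = sha1_of_file(path)
    for repo in hash_repos:
        p = entry_path(repo, digest)
        if os.path.isfile(p):
            with open(p) as f:
                names = [line.strip() for line in f if line.strip()]
            return repo, digest, names
    raise UnknownDistfile("%s (sha1 %s) not found in %d hash repo(s)"
                          % (os.path.basename(path), digest, len(hash_repos)))


def demo():
    """Build two hash repos and four constructed distfiles in a temp dir,
    run the lookup, and return the results as a dict."""
    root = tempfile.mkdtemp(prefix="hashrepo-demo-")
    exherbo_hashes = os.path.join(root, "exherbo-hashes")
    thirdparty_hashes = os.path.join(root, "thirdparty-hashes")
    distdir = os.path.join(root, "distfiles")
    for d in (exherbo_hashes, thirdparty_hashes, distdir):
        os.makedirs(d)

    def write(name, data):
        p = os.path.join(distdir, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    # Constructed sample distfiles; not real Exherbo data.
    good = write("foo-1.0.tar.gz", b"constructed sample distfile\n")
    tampered = write("foo-1.0.tar.gz.bad", b"constructed sample distfile, altered\n")
    snap1 = write("exherbo_repositories.tar.bz2", b"snapshot one\n")
    snap2 = write("exherbo_repositories.tar.bz2.new", b"snapshot two\n")

    # Publisher side: foo lives only in the third-party repo; the two
    # snapshots share one name under two different hashes in the main repo.
    record_hash(thirdparty_hashes, sha1_of_file(good), "foo-1.0.tar.gz")
    for snap in (snap1, snap2):
        record_hash(exherbo_hashes, sha1_of_file(snap),
                    "exherbo_repositories.tar.bz2")

    repos = [exherbo_hashes, thirdparty_hashes]
    found_repo, _, names = verify_distfile(good, repos)
    try:
        verify_distfile(tampered, repos)
        tampered_rejected = False
    except UnknownDistfile:
        tampered_rejected = True
    return {
        "foo_repo": os.path.basename(found_repo),
        "foo_names": names,
        "tampered_rejected": tampered_rejected,
        "snapshot_names": [verify_distfile(s, repos)[2][0] for s in (snap1, snap2)],
    }


if __name__ == "__main__":
    print(demo())
```

Two points the message glosses over are visible here: the digest is validated before it is turned into a path, since a lookup keyed on untrusted input must not be able to reach outside the repo tree, and the "multiple entries for one file name" case falls out naturally from the per-hash layout, because the name is stored inside the entry rather than used as the key. The hash function is SHA-1 only because the proposal names sha1; nothing in the layout depends on it.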