[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Alex Elsayed eternaleye+usenet at gmail.com
Fri May 11 11:01:44 UTC 2012

Alex Elsayed wrote:
> I think a safe way to do it within what I described above might be:
> 1.) Start using mirrors:// a lot more heavily
> 2.) Note (in the exheres?) the public-key fingerprint(s) allowed to sign
> for a distfile, if applicable
> 3.) In the manifest-managing tool, download a statistically significant
> subset (or all) of the mirrors of a given file.
> 4.) Download the upstream checksums and gpg signatures as well, in
> addition to whatever ones we choose to provide.
> 5.) Validate all of the above (cross product of file-mirrors and
> checksums/signatures)
> 6.) If a copy fails any check, mark that mirror as untrusted/blacklisted.
> Refuse to download any distfile from it.
> 7.) Multiplex the list of good mirrors and the checksums/signatures for
> *all* of the downloads of an exheres into a single metalink file. Yes, it
> supports that.
> 8.) On fetch, simply use a metalink client (there are several) to fetch
> them. At least one metalink client supports downloading all files within
> the metalink simultaneously, providing an added benefit of improving
> download speeds.

Just had an idea to make this far more efficient.

3, 4, and 5 get revised as follows:


# If checksums for mirrors a, b, and c disagree with mirror d, this
# would loop twice - once for 'a, b, c, checksums = <checksums>', and
# once for 'd checksums = <checksums>' (except actually a data structure)
# If all checksums agree, this will, of course, only loop once
int found_valid = 0
for (checksum_subsets) {
  while (mirrors not empty) {
    is_valid = check_file()
    if (is_valid) {
      # Metalink splits each file into 'chunks', which have their own
      # checksums. This allows failing a bad mirror without wasting much
      # bandwidth, and makes it unnecessary to download every copy.
    } else {
if (found_valid == 0) {
  error "No valid mirrors for $distfile!"
} else if (found_valid > 1) {
  error "More than one group of mirrors that disagreed about checksums 
validated - both cannot be right. Please include more information to 
identify the valid distfile."

More information about the Exherbo-dev mailing list