On 15 June 2010 16:55, Dimitrios Apostolou <jimis@xxxxxxx> wrote:
> On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote:
>
>> On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou <jimis@xxxxxxx>
>> wrote:
>>
>>> Moreover, instead of building all packages in the private PCs of
>>> developers, I think it is preferable to submit PKGBUILDs to build
>>> servers (via web interface maybe) and let the servers do the build +
>>> signing + repo update... That way if a developer's system gets
>>> compromised his packages will stay clean. Of course that needs extra
>>> work and equipment, but perhaps we can agree to it as a future target.
>>>
>>
>> Well, in fact, that is the very problem we have. The repository
>> database files are created remotely and I think that we should avoid
>> signing files remotely. In fact, a dev's machine is less visible than
>> the servers of Arch. And see the response from Ionut too.
>>
>
> Let me just clarify here that by "build server" I mean a machine where
> developers do *not* have shell access (and in fact almost nobody has), and by
> "package signing" I mean signing with a specific archlinux key which is
> unknown (the private part) to most devs. Some distros follow that approach
> to security.
>
> What you are proposing is package signing by developer keys; that's a
> different approach. I am just bringing up alternatives.
>
>
> Dimitris
>
>
> BTW I don't think that building inside a compromised system is in any way
> secure, even if building inside a chroot.

> I think that we should avoid signing files remotely.

Is there any precise reason? If it is because "that remote place could be
compromised", well, any dev computer could be compromised too!

> by "package signing" I mean signing with a specific archlinux key which is
> unknown (the private part) to most devs.

This is what is implemented in this git:
http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg
The diffs I see there (made by Dan and Geoffroy) look good to me.

As far as I understand, when a package is built on the (remote) build
server, its signature is added to the desc file of the repo and the
repo.db.tar.gz is signed itself. When pacman retrieves the repo.db.tar.gz,
it checks the signature of this file and then has all package signatures
available in it! This looks very KISS and elegant to me: no
mypackage.pkg.tar.xz.asc lying around in the FTP or (even worse, in my
opinion) inside the pkg tarball.

But if you think about using private/public key authentication for devs
when submitting packages to the build system, then I do agree!
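The flow described in the message above, as an added illustration that is not code from pacman or from the gpg branch it links to: the build server signs each package with the archive key, records that signature in the package's desc entry inside the repository database, and then signs the database as a whole; the client verifies the database signature before it trusts any per-package signature found inside. Ed25519 stands in for GnuPG, the desc layout is a simplified constructed one (only %NAME%, %SHA256SUM% and %PGPSIG%), the database tar is left uncompressed, and the package contents are constructed sample bytes; all of those are assumptions of this example, not details of the actual implementation.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Package is a built package as the build server sees it: its name plus the
// bytes of the .pkg.tar.xz (constructed sample bytes in this example).
type Package struct {
	Name    string
	Content []byte
}

// BuildSignedRepo plays the build server. For every package it writes a
// "<name>/desc" entry into a tar database (standing in for repo.db.tar.gz),
// embedding the package signature in that entry, then signs the whole
// database. It returns the database bytes and the detached database signature.
func BuildSignedRepo(priv ed25519.PrivateKey, pkgs []Package) ([]byte, []byte) {
	var db bytes.Buffer
	tw := tar.NewWriter(&db)
	for _, p := range pkgs {
		sum := sha256.Sum256(p.Content)
		sig := ed25519.Sign(priv, p.Content) // archive key, never on a dev box
		desc := fmt.Sprintf("%%NAME%%\n%s\n\n%%SHA256SUM%%\n%x\n\n%%PGPSIG%%\n%s\n",
			p.Name, sum, base64.StdEncoding.EncodeToString(sig))
		hdr := &tar.Header{Name: p.Name + "/desc", Mode: 0644, Size: int64(len(desc))}
		tw.WriteHeader(hdr)
		tw.Write([]byte(desc))
	}
	tw.Close()
	return db.Bytes(), ed25519.Sign(priv, db.Bytes())
}

// parseDesc turns the "%KEY%\nvalue\n\n" layout of a desc entry into a map.
func parseDesc(s string) map[string]string {
	out := make(map[string]string)
	var key string
	for _, line := range strings.Split(s, "\n") {
		switch {
		case strings.HasPrefix(line, "%") && strings.HasSuffix(line, "%"):
			key = line
		case line == "":
			key = ""
		case key != "":
			out[key] = line
		}
	}
	return out
}

// ParseDB plays the client. The database signature is checked first; only a
// database that verifies yields any per-package signatures, so a tampered or
// unsigned database gives the client nothing to trust. Returns name -> signature.
func ParseDB(pub ed25519.PublicKey, db, dbSig []byte) (map[string][]byte, error) {
	if !ed25519.Verify(pub, db, dbSig) {
		return nil, errors.New("repository database signature invalid")
	}
	sigs := make(map[string][]byte)
	tr := tar.NewReader(bytes.NewReader(db))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if !strings.HasSuffix(hdr.Name, "/desc") {
			continue
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		fields := parseDesc(string(body))
		sig, err := base64.StdEncoding.DecodeString(fields["%PGPSIG%"])
		if err != nil {
			return nil, err
		}
		sigs[fields["%NAME%"]] = sig
	}
	return sigs, nil
}

// VerifyPackage checks a downloaded package against the signature carried by
// the already-verified database; no .asc file beside the package is needed.
func VerifyPackage(pub ed25519.PublicKey, sigs map[string][]byte, p Package) bool {
	sig, ok := sigs[p.Name]
	return ok && ed25519.Verify(pub, p.Content, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkgs := []Package{{"foo", []byte("foo-1.0 contents")}, {"bar", []byte("bar-2.3 contents")}}
	db, dbSig := BuildSignedRepo(priv, pkgs)
	sigs, err := ParseDB(pub, db, dbSig)
	fmt.Println("db ok:", err == nil, "foo ok:", VerifyPackage(pub, sigs, pkgs[0]))
	fmt.Println("trojaned foo ok:", VerifyPackage(pub, sigs, Package{"foo", []byte("foo-1.0 trojaned")}))
}
```

The ordering in ParseDB is the point: because the database signature covers every desc entry, a mirror that swaps in a different package signature has to break the database signature to do it, and the client refuses the whole database rather than consulting any of its contents.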