Re: Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 16 June 2010 02:23, Allan McRae <allan@xxxxxxxxxxxxx> wrote:

> Just to clarify the build process that goes on here:
>
> 1) make a clean chroot (mkarchroot - only needs done once)
> 2) build package in chroot (makechrootpkg)
> 3) upload package to staging area and commit to svn (e.g. testingpkg)
> 4) release package on master server adding it to repo (e.g. db-testing)
>
> Note, no remote build server....
>
> The current code allows:
>  - Signing a package at the end of a build
>  - Adding the package signature to the repo-db
>  - pacman checking that signature
>
> The question remains if/how to signing the repo db.
>
> Options:
>  - do not sign the repo-db
>  - sign the repo-db with a key kept on the remote server
>  - transfer the repo-db locally and sign the reupload (alternatively, sign
> a hash).
>
> Why exactly is the repo-db needing signed?  There is a risk that a mirror
> could keep updating except for select packages that have exploitable
> vulnerabilities in them.  That would be prevented by repo signing as the
> mirror would have to update all packages or none.  The argument that anybody
> could just add or replace packages is incorrect as there either would not be
> a signed package added or it would be signed with a non-trusted signature.
>  I believe there is an option for pacman to enforce package signing for a
> given repo so I do not see the risk there.
>
> Signing directly on the remote server is also probably not the best idea.
>  We know our server has been attacked in the past, so leaving the key to
> sign the repo database on there is stupid...
>
> The repo db sizes are small so transfering them to be signed, and
> transfering the signature back should be relatively quick.  Even quicker
> once we can convert them to .xz compression (patch already available the
> release after next).  I think that could be implemented by moving the
> package release (step 4 above) to occur on the developers local machine
> rather than on the remote server as that would require ssh access only from
> the developers machine to the master server and not the other way around.
> That seems more in the realm of devtools/dbscripts requiring changes that
> makepkg/pacman.
>
> Allan
>

OK so... Allan, your email makes me realize that I may be using the "wrong"
building method.

Are the python scripts in the pacbuild package (apple, strawberry,
queuepackage, waka and uploadpackage) used any more as described in this
page <http://wiki.archlinux.org/index.php/Pacbuild> ? Because some of these
scripts point to the old "current" repository we used years ago. And if I
understand it right, they don't really fit with what you just said.

I guess the current way of building packages involves the devtools package
right?

Guillaume


[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux