Re: Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)




Hey, what do you think about this way of verifying packages?

On Tue, 15 Jun 2010, Dimitrios Apostolou wrote:
On another note, an easy but maybe a bit costly way to avoid any MITM tampering to packages, is serve *.md5 files for every package through a trusted HTTPS host. Then everyone can query that single host and check if the package he got from a mirror is safe.

Costs: A little more traffic by serving hash files to everyone plus the cost of the certificate from a CA. Is the income Arch receives from ads and schwag enough for such a simple solution?

Let me explain it a bit more:

Pacman downloads package-1.tar.xz from a random mirror.
It then fetches:

https://sums.archlinux.org/exactly/the/same/path/package-1.tar.xz.sha1

Pacman should then know whether the connection to sums.archlinux.org was tampered with, since the certificate is signed by a CA in ca-bundle.crt. So if the two hashes match, the package is safe (as safe as the archlinux server...)

That way any type of file can be verified (packages, db files, PKGBUILDs, patches etc) provided that its cryptographic hash is in that HTTPS host. Obviously to be able to verify db files, they need a timestamp appended to them, e.g. core-YYYYMMDDHHMM.tar.gz. That necessary change is perhaps the most difficult part of this proposal.

If too many small files are a problem, maybe the whole db.tar.gz can be served (at the cost of a higher bandwidth utilisation).


This solution doesn't use package signing nor a web-of-trust. It simply piggybacks on the tried and true HTTPS mechanism. Primary advantage is the lack of complexity which makes it easy to understand and implement.


What do you think?
Dimitris
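As an added illustration of the procedure proposed above (this is example code, not pacman's code and not the author's), the following script performs the three steps: compute the digest of a file obtained from an untrusted mirror, fetch the published digest from the trusted HTTPS host with certificate and hostname verification enabled, and compare the two. Assumptions not in the original message: sums.archlinux.org is treated as the hypothetical sum host, the `.sha1`/`.sha256` files are assumed to be in `sha1sum`/`sha256sum` output format (`<hex>  <name>`), SHA-256 is offered alongside the proposal's SHA-1, and the sample package bytes and sum file are constructed here. The final function addresses the timestamped db names the proposal mentions: a matching hash proves a db file is authentic but not that it is current, so a freshness check is what stops a mirror from replaying an old, correctly-hashed db.

```python
"""Verify a mirror download against a digest published on a trusted HTTPS host.

Added example for the proposal in the message above; not pacman's code.
"""
import hashlib
import hmac
import re
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical sum host from the proposal; the path mirrors the package path exactly.
SUMS_HOST = "https://sums.archlinux.org"

# sha1sum/sha256sum output line: "<hex>  <name>" (binary mode uses " *<name>")
_SUM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")
# Timestamped db name as proposed for freshness, e.g. core-201006151200.tar.gz
_DB_NAME = re.compile(r"^(?P<repo>[a-z]+)-(?P<ts>\d{12})\.tar\.gz$")


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the downloaded bytes. SHA-256 by default; SHA-1 is only
    accepted because the proposal names .sha1 files, it is not collision resistant."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def parse_sum_file(text: str, expected_name: str) -> str:
    """Return the hex digest recorded for expected_name in a sum file.

    Raises ValueError if no well-formed line names that file, so a sum file
    served for a different path can never be mistaken for a match."""
    for line in text.splitlines():
        m = _SUM_LINE.match(line.strip())
        if m and m.group(2) == expected_name:
            return m.group(1).lower()
    raise ValueError(f"no digest for {expected_name!r} in sum file")


def verify_download(data: bytes, sum_text: str, name: str, algo: str = "sha256") -> bool:
    """True only if the digest of the mirror download equals the digest the
    trusted host published. compare_digest avoids a timing side channel."""
    published = parse_sum_file(sum_text, name)
    if len(published) != hashlib.new(algo).digest_size * 2:
        raise ValueError("published digest length does not match the algorithm")
    return hmac.compare_digest(published, digest_hex(data, algo))


def fetch_sum_over_https(relative_path: str, cafile: Optional[str] = None) -> str:
    """Fetch <SUMS_HOST>/<relative_path>. The default SSL context verifies the
    server certificate against the system CA bundle (or cafile) and checks the
    hostname, which is the whole trust anchor of the proposal. Network access
    is required, so this is not exercised in the offline sample below."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"{SUMS_HOST}/{relative_path.lstrip('/')}"
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read().decode("ascii")


def db_timestamp(db_name: str) -> datetime:
    """Parse the YYYYMMDDHHMM stamp the proposal appends to db names (UTC assumed)."""
    m = _DB_NAME.match(db_name)
    if not m:
        raise ValueError(f"{db_name!r} is not a timestamped db name")
    return datetime.strptime(m.group("ts"), "%Y%m%d%H%M").replace(tzinfo=timezone.utc)


def db_is_fresh(db_name: str, now_ts: Optional[str] = None, max_age_days: int = 2) -> bool:
    """A verified hash proves the db is authentic, not current: a mirror could
    keep serving an old db whose hash still checks out. now_ts is a
    YYYYMMDDHHMM string (None means the current UTC time)."""
    if now_ts is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_ts, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    return now - db_timestamp(db_name) <= timedelta(days=max_age_days)


# Constructed sample: a fake package body and the sum file the HTTPS host would serve.
SAMPLE_NAME = "package-1.tar.xz"
SAMPLE_PKG = b"\xfd7zXZ\x00constructed package body, not a real archive\n"
SAMPLE_SUM_TEXT = f"{digest_hex(SAMPLE_PKG)}  {SAMPLE_NAME}\n"

if __name__ == "__main__":
    print("intact download verifies:", verify_download(SAMPLE_PKG, SAMPLE_SUM_TEXT, SAMPLE_NAME))
    print("tampered download verifies:", verify_download(SAMPLE_PKG + b"x", SAMPLE_SUM_TEXT, SAMPLE_NAME))
    print("db from 2010-06-15 fresh on 2010-06-16:", db_is_fresh("core-201006151200.tar.gz", "201006160000"))
    print("db from 2010-06-15 fresh on 2010-07-01:", db_is_fresh("core-201006151200.tar.gz", "201007010000"))
```

In real use the sum file would come from `fetch_sum_over_https("exactly/the/same/path/package-1.tar.xz.sha256")` and the data from the mirror download; the design keeps the two sources separate on purpose, since the check is only meaningful when the digest never travels over the untrusted mirror connection. Note what the check does and does not cover: it detects mirror or in-transit tampering, but a compromised origin (or the sum host itself) would publish a matching digest for a bad package, which is the limit the message itself points out with "as safe as the archlinux server".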


