On Mon, 31 Oct 2016 16:16:21 +0100 Levente Polyak <anthraxx@xxxxxxxxxxxxx> wrote:

> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
> > As a middle ground, I think it would be more reasonable (or at
> > least, less unreasonable) to modify makepkg to allow signing
> > PKGBUILDs, or at least parts of them. For an existing example,
> > OpenBSD's signify(1) uses their cryptographic signature system to
> > sign a simple list of sha256sums.
> >
> > Perhaps makepkg could include, e.g., a sha256sumsigs array, that
> > contains a PGP signature (signed by the developer/TU's official key)
> > of the contents (properly serialised by makepkg so there's a minimum
> > of possible ambiguity) of the sha256sums array?
> >
>
> That is literally a _completely_ different topic that addresses
> _completely_ different areas.
> You are speaking about authenticating the build scripts themselves. That
> does not solve _anything_ at all of what this thread/topic/todo-list is
> about.

It really is not. I am not speaking of authenticating the build scripts; both this thread and my proposal are talking about ensuring the integrity of downloaded source files. Specifically, I am speaking of cryptographically signing the checksums for source files downloaded by the build scripts, so that they download what the author of the build script _intended_ them to download.

This is presumably the same reason for ensuring sources are downloaded via HTTPS instead of HTTP, where possible — adding a cryptographic authentication to ensure someone building a package does not get sources without being aware they are modified: only embedding signatures in the PKGBUILD is trusting the Arch devs via the pacman keyring or a parallel method, instead of the (flawed) CA system. If there is another reason to switch to HTTPS, please — make me aware of it!

Also, the very first reply in the thread talked about adding upstream signatures instead of changing the protocol, where possible — only not every upstream offers or _wants_ to offer them, so I proposed, in response to a prompt for discussion on the subject in the mail I quoted, a way to make that feasible.

> Don't get me wrong: I don't judge about it at all, I'm just saying
> that both are fully independent from each other and you should please
> open a new thread if you want to discuss this rather than hijack this
> thread :)

I really, really don't think they're independent from each other, and as I'm not authorised to post on arch-dev-public and didn't expect to draw this out into a conversation, I simply replied to the thread on arch-general. Bowing to peers, however... et voilà: a new thread.

~Celti
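The mechanism proposed in the message above, a sha256sums list serialised in one fixed form and signed by the maintainer's key, then used to check each downloaded source, as an added Go example that is neither part of the thread nor makepkg's code. Ed25519 stands in for the PGP signature, and the Entry type, the "sum  name" line format and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Entry pairs one source file name with the sha256sum the PKGBUILD author expects.
type Entry struct{ Name, Sum string }

// Serialize renders the list in one fixed form so signer and verifier hash identical
// bytes: sorted by name, one "sum  name" line each, lowercase hex, trailing newline.
func Serialize(entries []Entry) []byte {
	sorted := append([]Entry(nil), entries...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, e := range sorted {
		fmt.Fprintf(&b, "%s  %s\n", strings.ToLower(e.Sum), e.Name)
	}
	return []byte(b.String())
}

// SignSums yields the value a maintainer would put in the proposed sha256sumsigs
// array (Ed25519 stands in for PGP here; that substitution is an assumption).
func SignSums(priv ed25519.PrivateKey, entries []Entry) string {
	return hex.EncodeToString(ed25519.Sign(priv, Serialize(entries)))
}

// VerifySums checks sha256sumsigs against the trusted maintainer key; until it
// passes, none of the checksums may be relied on.
func VerifySums(pub ed25519.PublicKey, entries []Entry, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, Serialize(entries), sig)
}

// CheckSource compares a downloaded file against the verified list; a modified
// download or a file name absent from the list is rejected.
func CheckSource(entries []Entry, name string, data []byte) bool {
	sum := sha256.Sum256(data)
	for _, e := range entries {
		if e.Name == name {
			return strings.EqualFold(e.Sum, hex.EncodeToString(sum[:]))
		}
	}
	return false
}
```

The check order matters: VerifySums must succeed before CheckSource is consulted, otherwise an attacker who alters both the source and its checksum passes unnoticed.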