Hi,

TL;DR: release tags should be GPG signed, to allow for downstream source verification.

Upstream Ceph releases are currently tagged in Git by the Jenkins Build Slave User following successful testing. Since v11.0.0/v10.0.5/v0.94.3, these tags have not been GPG signed, so downstream consumers have no reliable way of verifying that the source they have matches the reviewed and tested upstream release source. Release announcements also (AFAICT) make no mention of the tag's corresponding SHA-1 commit hash.

IMO, failing to offer users/packagers a means of verification places too much trust in Github [1], and could again lead to an incident similar in severity to the previous ceph.com / download.inktank.com intrusion [2] detected in 2015.

To address this, I propose that:

- *All* future upstream release tags and tarballs are GPG signed by the release manager.
- The signing key used by the release manager is signed by Sage's GPG key, and/or the keys of other Core Team members.
- The public key is available on Ceph.com.
- Downstream users/packagers are instructed to verify their sources.

Any thoughts?

Cheers,
David

1. Github Security Vulnerability (2012)
   https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation
2. ceph.com / download.inktank.com intrusion (2015)
   http://ceph.com/releases/important-security-notice-regarding-signing-key-and-binary-downloads-of-ceph/
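Editor's note: the following is an added, self-contained example of the verification step the proposal asks of packagers; it is not code from the original message or from Ceph's own release tooling. It builds a throw-away signed release (signed annotated tag plus detached signature over the source tarball) in a scratch directory using an ephemeral key, then runs the checks a downstream consumer would run, including two failure modes: a tarball altered after signing, and a signature that is valid but not from the published fingerprint. It assumes git and gpg (2.1 or later) are on PATH; the key identity (release@example.invalid), repository contents, tag name v1.0.0 and tarball name are all hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message or the Ceph project. Builds a
# throw-away GPG-signed release in a scratch directory and verifies it the way
# a downstream packager would. Assumes git and gpg >= 2.1 on PATH. Key identity,
# repo contents, tag name (v1.0.0) and tarball name are hypothetical.
set -eu

# Stand-in for the release manager's key: ephemeral, passphrase-less, kept only
# in $GNUPGHOME. Prints the full fingerprint, which in the real workflow is the
# value that would be published on ceph.com and cross-signed by the core team.
make_release_key() {
    mkdir -m 700 "$GNUPGHOME"
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Release Manager (demo) <release@example.invalid>" \
        ed25519 sign never 2>/dev/null
    gpg --batch --with-colons --list-keys release@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stand-in for the release step: one commit, a signed annotated tag, a source
# tarball cut from that tag, and an ASCII-armored detached signature over it.
make_signed_release() {
    repo="$1"; tarball="$2"; fpr="$3"
    git init -q "$repo"
    git -C "$repo" config user.name "Release Manager"
    git -C "$repo" config user.email "release@example.invalid"
    git -C "$repo" config user.signingkey "$fpr"
    echo 'int main(void) { return 0; }' > "$repo/main.c"
    git -C "$repo" add main.c
    git -C "$repo" commit -q -m "v1.0.0"
    git -C "$repo" tag -s -m "v1.0.0" v1.0.0
    git -C "$repo" archive --format=tar --prefix=demo-1.0.0/ -o "$tarball" v1.0.0
    gpg --batch --quiet --armor --detach-sign --local-user "$fpr" \
        --output "$tarball.asc" "$tarball"
}

# Primary-key fingerprint from gpg status lines: the last field of VALIDSIG is
# the primary key fingerprint even when a subkey made the signature.
signer_fpr() {
    awk '/^\[GNUPG:\] VALIDSIG/ { print $NF }'
}

# Downstream check 1: the tag signature must verify AND the signer must be the
# fingerprint obtained out of band. git (like gpg) exits 0 for any valid
# signature by a key in the keyring, so the fingerprint comparison is what
# binds the tag to the release manager. Prints "tag-ok:<commit sha1>" (the
# hash an announcement should quote) or "tag-BAD".
verify_tag() {
    repo="$1"; tag="$2"; expected="$3"
    if ! status="$(git -C "$repo" verify-tag --raw "$tag" 2>&1)"; then
        echo tag-BAD; return 0
    fi
    if [ "$(printf '%s\n' "$status" | signer_fpr)" = "$expected" ]; then
        echo "tag-ok:$(git -C "$repo" rev-parse "$tag^{commit}")"
    else
        echo tag-BAD
    fi
}

# Downstream check 2: same rule for the detached tarball signature.
# Prints "tarball-ok" or "tarball-BAD".
verify_tarball() {
    tarball="$1"; expected="$2"
    if ! status="$(gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null)"; then
        echo tarball-BAD; return 0
    fi
    if [ "$(printf '%s\n' "$status" | signer_fpr)" = "$expected" ]; then
        echo tarball-ok
    else
        echo tarball-BAD
    fi
}

# Full round trip in a fresh scratch directory. Prints one line:
#   tag-ok:<sha1> tarball-ok tarball-BAD tag-BAD
run_demo() {
    work="$(mktemp -d)"
    export GNUPGHOME="$work/gnupg"
    fpr="$(make_release_key)"
    make_signed_release "$work/repo" "$work/v1.0.0.tar" "$fpr"
    good_tag="$(verify_tag "$work/repo" v1.0.0 "$fpr")"
    good_tar="$(verify_tarball "$work/v1.0.0.tar" "$fpr")"
    # Failure mode 1: a single byte appended after signing breaks the signature.
    cp "$work/v1.0.0.tar" "$work/evil.tar"
    cp "$work/v1.0.0.tar.asc" "$work/evil.tar.asc"
    printf 'x' >> "$work/evil.tar"
    bad_tar="$(verify_tarball "$work/evil.tar" "$fpr")"
    # Failure mode 2: valid signature, but not from the published fingerprint.
    wrong_key="$(verify_tag "$work/repo" v1.0.0 0000000000000000000000000000000000000000)"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$good_tag $good_tar $bad_tar $wrong_key"
}

run_demo
```

The point worth carrying over to a real packaging recipe is the fingerprint comparison: `git verify-tag` and `gpg --verify` both succeed for any valid signature by a key present in the keyring, trusted or not, so "the signature verifies" on its own only proves that someone with some key signed the tag. Pinning the expected fingerprint (the one published on Ceph.com and cross-signed by core team members, as the proposal suggests) is what turns that into "the release manager signed this", and `git rev-parse v1.0.0^{commit}` gives the SHA-1 that release announcements could quote alongside the tag.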