On Tue, Apr 1, 2014 at 6:39 AM, Marcela Mašláňová <mmaslano@xxxxxxxxxx> wrote:
>
> * Open Questions - Playground: Signing (mmaslano, 12:04:12)
>

I saw that this got voted on in the meeting even though it didn't get recorded as such for the meeting minutes. The proposal seemed to be: use obs-sign to sign packages. That's not actually a proposal that we can approve here. The proposal here should probably be: "is signing of packages a blocker for making the playground repo, nice to have, or optional?"

In terms of how to get the packages signed, that's something that the infrastructure team has to decide. If I recall past conversations correctly, adding another signing server (meaning a different code base) to infrastructure is at the bottom of their list of ways to sign packages in copr (and by extension in the playground repo). When I saw the vote in the meeting logs I mentioned it to nirik. In turn he told me that he hadn't heard anything about this and had only glanced briefly at obs-sign (mentioning that it wasn't even packaged for Fedora yet).

As I related to tjanez on IRC today, I think lack of packaging probably slows down infra's ability to deploy it but is only a footnote to the real problems. Compromising signing servers and gaining access to the private keys on them is a very high value target for an attacker. The more signing servers we have, the greater the attack surface infrastructure has to protect. Probably in the ideal scenario infra would run a single signing server and everything needing signing would be sent to that. (Jesse Keating had that use in mind when he designed sigul, but I don't know if that design goal actually became part of the software that we are currently running.) A step down from there might be running multiple instances of the same signing software to handle the various needs, as infra would then have to protect the keys on these multiple hosts. At the bottom of the list is running separate signing software, as that places the additional burden of auditing and protecting the software stack of the multiple signing servers.

For whoever is going to approach infra about signing the packages in copr, it probably makes more sense to either talk about enhancing sigul to work with copr or getting obs-sign to be able to sign packages from koji. We'd probably also want to ask bressers or someone else from the security team to do some sort of evaluation of the code bases that we're looking at.

-Toshio

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct