Re: Meeting minutes from Env-and-Stacks WG meeting (2014-04-01)

On 04/03/2014 02:29 PM, Miroslav Suchý wrote:
> On 04/03/2014 03:46 AM, Toshio Kuratomi wrote:
>> I saw that this got voted on in the meeting even though it didn't get
>> recorded as such for the meeting minutes.  The proposal seemed to be:
>> use obs-sign to sign packages.  That's not actually a proposal that we
>> can approve here.  The proposal here should probably be: "is signing
>> of packages a blocker for making the playground repo, nice to have, or
>> optional?"
>>
>> In terms of how to get the packages signed, that's something that the
>> infrastructure team has to decide.  If I recall past conversations correctly,
>> adding another signing server (meaning a different code base) to
>> infrastructure is at the bottom of their list of ways to sign packages
>> in copr (and by extension in the playground repo).
>>
>> When I saw the vote in the meeting logs I mentioned it to nirik.  In
>> turn he told me that he hadn't heard anything about this and had only
>> glanced briefly at obs-sign (mentioning that it wasn't even packaged
>> for Fedora yet).  As I related to tjanez on IRC today, I think lack of
>> packaging probably slows down infra's ability to deploy it but is only
>> a footnote to the real problems.  Compromising signing servers and
>> gaining access to the private keys on them is a very high value target
>> for an attacker.  The more signing servers we have the greater the
>> attack surface infrastructure has to protect.  Probably in the ideal
>> scenario infra would run a single signing server and everything
>> needing signing would be sent to that.  (Jesse Keating had that use in
>> mind when he designed sigul but I don't know if that design goal
>> actually became part of the software that we are currently running).
>> A step down from there might be running multiple instances of the same
>> signing software to handle the various needs as infra would then have
>> to protect the keys on these multiple hosts.  At the bottom of the
>> list is running separate signing software as that places the
>> additional burden of auditing and protecting the software stack of the
>> multiple signing servers.
>>
>> For whoever is going to approach infra about signing the packages in
>> copr it probably makes more sense to either talk about enhancing sigul
>> to work with copr or getting obs-sign to be able to sign packages from
>> koji.  We'd probably also want to ask bressers or someone else from
>> the security team to do some sort of evaluation of the code bases that
>> we're looking at.

> That would probably be me. I mean the guy who will be implementing
> signing of packages in Copr.
>
> I investigated several possibilities and talked to several people. But
> you are correct that I did not send the conclusion to the mailing list yet.
> Maybe it is the right time to do it now.
>
> One of the guys I talked to is Miloslav Trmač, who is the current
> maintainer and main author of Sigul since 2009.
> The conclusion from the discussion with him is that:
> * we would need a different instance, because using the same
> instance for the main distribution and for the relaxed ring (Copr,
> Playground...) is not the best idea, neither from a security POV nor for
> the technical implementation. (*)
> * we would need to do some development of Sigul before deploying a new
> instance
> * and we should likely migrate to gpg2 (from gpg1)
> * Sigul has a very restricted network setup, which is probably not needed
> for Copr
>
> On the other hand obs-sign:
> * is actively maintained
> * is simpler
> * is used in OBS as well (which means community and so on)
> * has a security model and network setup good enough for Copr (I arranged
> a meeting of Adrian Schröter from OBS and Mirek Trmač during DevConf.cz
> where they discussed technical details and neither of them saw any blocker).
>
> Yes, obs-sign is not packaged for Fedora (yet), but the spec exists and
> I can get it into Fedora within a week. I do not see that as a problem.
>
> If I sum it up, then obs-sign is the clear winner to me. Therefore this is
> the way I would like to go in Copr.
>
> But it still does not bubble up in my TODO list. So we have plenty of
> time for discussion :)
>
>
> (*) You suggested that having one signing server is better as "The more
> signing servers we have the greater the attack surface infrastructure
> has to protect." I disagree.
> First: it is not technically possible, because Koji and the current Sigul are
> in different networks and I'm not sure if we want to change that. Likely not.
> Second: if you compromise the Copr signing server then you have compromised the
> main distribution. Therefore even from a security POV it is better to have
> a different signing server for the main distribution and for Copr.
The summary of Mirek's notes was for a long time in the Open Questions section [1]. I removed it yesterday, because it was voted for obs-signd. Mirek is a member of infra, so I leave the discussion up to him.

[1] https://fedoraproject.org/wiki/Env_and_Stacks/Playground_repository_%28draft%29#Open_Questions

Marcela
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct