Re: HEADS UP: Source File Verification

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Petr Pisar wrote:
> On 2019-07-24, Igor Gnatenko <ignatenkobrain@xxxxxxxxxxxxxxxxx> wrote:
> > we've got new section in Packaging Guidelines about verifying upstream
> > sources[0] with GPG. Please use it whenever possible :)  
> [...]
> > [0] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification  
> 
> May I know a FPC ticket where this change was discussed and approved?

https://pagure.io/packaging-committee/issue/610

> (1) I don't agree this feature is helpful. If we don't trust ./sources
> file content in dist-git, we cannot trust keyring stored in the the same
> dist-git repository. In other words it only brings another code into
> spec files and build process that consumes resources and can fail.

This objection is answered in the policy itself:

“Although a checksum in the sources file certifies that a file retreived
from the lookaside cache is the one that the packager uploaded, it is
silent on whether the file is what the upstream project released. A
signature by the upstream developers certifies that the source is
identical to what they released. Verifying the signature as part of the
build ensures that packagers don’t forget to verify it.”

> (2) The "%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}'
> --data='%{SOURCE0}'" command awfully verbose.

The syntax is designed to be easy to remember and self-explanatory to
the reader.

> "%{gpgverify}" defaulting
> to "%{gpgverify 2 1 0}" for single-source packages would provide the
> same functionality with less boiler-plate code.

Everyone who reads that would have to already know that the numbers are
source file numbers. Otherwise they won't understand what “2 1 0” means.
Packagers who are supposed to write it would have to look up the order
of the parameters every time. Named parameters can be given in any
order.

An RPM spec is not a place for golfing. Readable code takes priority
over saving keystrokes.

> Actually augmenting
> %setup macro that would perform the check automatically while user would
> only build-require gnupg2 would be the best option.

As you can see in the ticket, there was an attempt to make it fully
automatic, which was abandoned.

> (3) Recommended way of verifying uncompressed sources means double
> decompression. Decompressing, verifying, and unpacking uncompressed
> archive would be more processor friendly.

This is technically true, and doing that obviously works, though it
takes more of what you called “boiler-plate code”. In practice, I doubt
many upstream projects sign their code that way. It's a bad idea because
it unnecessarily exposes the decompression program to untrusted input.

> (4) Verification of modified archives conflicts with a legal requirement
> that Fedora cannot distribute the unmodified archive.

If what you package is not what upstream released, then obviously you
can't verify it against upstream's signature. If you must remove
something for legal reasons, and you still want to verify the tarball,
then you can sign your modified tarball with your own key.

Björn Persson

Attachment: pgpJwnmbwHENi.pgp
Description: OpenPGP digital signatur

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux