On Sat, Nov 29, 2008 at 7:48 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
> Hi all,
>
> First of all: it is really great that the number of mirrors is increasing and I am really thankful to those who provide one.
>
> The reason I feel more and more uncomfortable is that we have no way to ensure that one will get the same file from a mirror as from archlinux.org. A mirror owner might be a "bad" person himself, his servers might have weak security, the government of their home country cannot be trusted, they might sync from another "bad" mirror, etc.
>
> Of course, for several years people have been demanding package signing. I have even seen some first code, but nothing was ever finished. It should be clear that something has to be done. Manipulating packages is just too easy.
>
> The simplest solution would be if we sign the db files (automatically) on gerolde. Of course this is less secure than signing every single package by its packager; but on the other hand it would be easy to implement and there would be no overhead for packagers. I am aware that this method would only ensure that packages on a mirror are the same as on gerolde; if our server gets "hacked" we would have lost. But this should be fine and is far better than just nothing and hoping that there are no "bad guys" out there.
>
> Gerhard has written a small patch as a proof of concept. Ignore the details at this point. The idea is as follows:
>
> 1) Patch repo-add in order to create a .sig file every time the db file is changed. For this a private key readable by every dev, or just sudo, can be used.
> 2) Use this version of repo-add on gerolde. So we'll have the signatures propagated to our mirrors.
> 3) For testing the whole thing one could just write a small download script which checks the signatures of db files (abusing the XferCommand statement in pacman.conf).
> 4) If all went well we could think about a built-in check in pacman itself. (We might be able to reuse some code here that was written for package signing.)
> 5) Enable those checks by default for all official repos.
> 6) The public key should not be in a package; people have to get it from our website.
>
> What do you think about this? Steps 1 to 3 could be implemented in a rather short time.
>
> Pierre
There's too much talk on this idea. Before we go ahead and do this, could someone submit this patch to the pacman-dev list, so the pacman developers can give it a once-over. Just make sure to let them know that this is a temporary solution. Additionally - where will gpg get the key from on gerolde? Shouldn't this be configurable, or even set via an optarg to the -s param?
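The signing step and the XferCommand-based check that Pierre sketches (steps 1 to 3), written out as an added example that is neither Gerhard's patch nor anything from the pacman tree. It assumes gpg and curl are installed, that the detached signature is published next to the db as `<db>.sig`, and that the client has already imported the project's public key into its gpg keyring; the key id is passed in with `-s KEYID` or the `REPO_SIGN_KEY` variable rather than hard-coded, which is the configurability point raised in the reply above. The script is meant to be installed as, for example, /usr/local/bin/verified-fetch (a placeholder path) and wired into pacman.conf with `XferCommand = /usr/local/bin/verified-fetch %u %o`.

```shell
#!/bin/sh
# Added example (not Pierre's or Gerhard's code): sign a repo db with gpg on the
# build host and verify it on the client from a pacman XferCommand wrapper.
# Assumptions: gpg and curl are present; the .sig lives next to the db on the
# mirror; the verifying key is already in the client's keyring.

# Signing side, run after repo-add has rewritten the db.
# Key selection is configurable: "-s KEYID" on the command line wins, otherwise
# $REPO_SIGN_KEY is used; with neither the function refuses to sign.
sign_db() {
    key="${REPO_SIGN_KEY:-}"
    if [ "$1" = "-s" ]; then key="$2"; shift 2; fi
    db="$1"
    if [ -z "$key" ]; then
        echo "sign_db: no signing key (use -s KEYID or REPO_SIGN_KEY)" >&2
        return 1
    fi
    gpg --batch --yes --local-user "$key" --detach-sign --output "$db.sig" "$db"
}

# Client side. In this scheme only the repo databases are signed; packages are
# covered indirectly because the db carries their checksums.
is_db_file() {
    case "$1" in
        *.db|*.db.tar.gz) return 0 ;;
        *) return 1 ;;
    esac
}

# The signature is published next to the db, so its URL is the db URL + ".sig".
sig_url_for() {
    printf '%s.sig\n' "$1"
}

# XferCommand body: pacman invokes this with %u (URL) and %o (output path).
# A package is fetched as-is. A db is fetched together with its signature and
# deleted again if gpg rejects it, so pacman sees a failed download instead of
# silently using an unverified db.
fetch_and_verify() {
    url="$1"; out="$2"
    curl -fsSL -o "$out" "$url" || return 1
    is_db_file "$url" || return 0
    if ! curl -fsSL -o "$out.sig" "$(sig_url_for "$url")"; then
        echo "no signature available for $url, discarding db" >&2
        rm -f "$out"
        return 1
    fi
    if gpg --batch --verify "$out.sig" "$out" 2>/dev/null; then
        return 0
    fi
    echo "signature check FAILED for $url, discarding db" >&2
    rm -f "$out" "$out.sig"
    return 1
}

# Entry point when used as XferCommand: two arguments, %u and %o.
if [ "$#" -eq 2 ]; then
    fetch_and_verify "$1" "$2"
fi
```

Two things worth noting about the design. A missing .sig is treated the same as a bad one: if the wrapper fell back to accepting an unsigned db, anyone able to drop the .sig from a mirror could switch the check off. And gpg --verify only answers "was this signed by a key in my keyring", so the pubkey must come from a channel the mirrors cannot tamper with, which is exactly Pierre's step 6.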