On Wed, Apr 28, 2010 at 3:30 PM, Florian Pritz <bluewind@server-speed.net> wrote:
On 28.04.2010 19:18, Denis A. AltoƩ Falqueto wrote:
I'm thinking about a two way signing process. The dev signs the package and send it to the server. The server would have a script or a cron job to verify if the signature is valid and is from someone trusted [1]. If so, the original signature is discarded and a new one is made, with an official Arch key.
If you do it that way you wouldn't have to sign the uploaded packages.
I'd publish a list of developers' keys and the user has to add and trust (in GPG terms) those keys. If he trusts them pacman installs packages singed by those keys or keys that can be trusted because they have been signed by them (GPG's web of trust). Otherwise if the (untrusted) sig can be verified pacman could ask and if the sig is broken it could abort.
If you do it that way you can also add URLs to binary packages to the AUR and let pacman download them if you trust the sig.
Your suggestion is similar to Daenyth`s (for what I understand), so I will comment on both together. The central point is the management of the keyring. We could have a single key that all developers share, but this is troublesome as it would require some trusted channel to exchange the password (the first time and in the event of it changing). This approach is what others big distributions do, but the have a different structure than ours. We could have a keyring with all the trusted keys of the developers, but this could bring some problems as the keyring should be very well synchronized with the official one. Including a rule to upgrade the keyring package before others, as pacman. This requires intervention on user`s systems, so I think that it should be avoided, if possible. My idea tries to give the best of both worlds. The management of trusted devs would be made by a few admins and users would just be exposed to an official Arch key that would change just a few times, if it is not compromised. One weak point is the passphrase for the Arch key. It should not be handed over to every dev [1] and should not be used in command line scripts parameters or the cron job. It can be stored in some secure file and applied with gpg`s --passphrase-file <filename> or --passphrase-fd <file descriptor>. So, the effective user of the script would have access to read the passphrase file, but the real user would not. Maybe this is a little overkill, but C&C are very welcome :) [1] Maybe I`m just too paranoid with the dev team, but I don`t think that all of them should have the passphrase (if I were a dev, I wouldn`t want to have it). We have seem the group expanding and losing components. No offence intended. -- ------------------------------------------- Denis A. Altoe Falqueto -------------------------------------------