Re: [arch-general] [arch-dev-public] todo list for moving http -> https sources
On Mon, 31 Oct 2016 15:19:40 +0100 NicoHood <arch-dev@nicohood.de> wrote:
> Using PGP signatures is another discussion, also the hash algorithm. I think we should discuss that in another post, apart from https. From my point of view it's highly important to use a strong hash function as it's highly important for the source integrity and not only meant as a checksum for corruption detection. And as always: more secure does not hurt nowadays
Not a dev here, but... I strongly think that source integrity should not rely on hash functions alone. makepkg already includes validation of PGP-signed sources, but it's perhaps not reasonable to expect every upstream to offer signed sources. As a middle ground, I think it would be more reasonable (or at least, less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at least parts of them. For an existing example, OpenBSD's signify(1) uses their cryptographic signature system to sign a simple list of sha256sums. Perhaps makepkg could include, e.g., a sha256sumsigs array, that contains a PGP signature (signed by the developer/TU's official key) of the contents (properly serialised by makepkg so there's a minimum of possible ambiguity) of the sha256sums array?

~Celti
On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
> As a middle ground, I think it would be more reasonable (or at least, less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at least parts of them. For an existing example, OpenBSD's signify(1) uses their cryptographic signature system to sign a simple list of sha256sums.
> Perhaps makepkg could include, e.g., a sha256sumsigs array, that contains a PGP signature (signed by the developer/TU's official key) of the contents (properly serialised by makepkg so there's a minimum of possible ambiguity) of the sha256sums array?

That is literally a _completely_ different topic that addresses _completely_ different areas. You are speaking about authenticating the build scripts themselves. That does not solve _anything_ at all of what this thread/topic/todo-list is about. Don't get me wrong: I don't judge it at all, I'm just saying that both are fully independent from each other and you should please open a new thread if you want to discuss this rather than hijack this thread :)

cheers, Levente
On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak <anthraxx@archlinux.org> wrote:
> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
>> As a middle ground, I think it would be more reasonable (or at least, less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at least parts of them. For an existing example, OpenBSD's signify(1) uses their cryptographic signature system to sign a simple list of sha256sums.
>> Perhaps makepkg could include, e.g., a sha256sumsigs array, that contains a PGP signature (signed by the developer/TU's official key) of the contents (properly serialised by makepkg so there's a minimum of possible ambiguity) of the sha256sums array?
> That is literally a _completely_ different topic that addresses _completely_ different areas. You are speaking about authenticating the build scripts themselves. That does not solve _anything_ at all of what this thread/topic/todo-list is about.
> Don't get me wrong: I don't judge it at all, I'm just saying that both are fully independent from each other and you should please open a new thread if you want to discuss this rather than hijack this thread :)
> cheers, Levente
Yes, these are two totally different subjects: "Encourage the use of PGP signatures in our `source`" and "Using HTTPS on our `source`". Let's stick to the original subject :)

I am all in favor of a script to turn `http` into `https` when available. Yeah, HTTPS "brings a false sense of security", but it still hardens a link in the build process. Sorry for your caches, guys; I might be missing some background here, but I couldn't imagine any reason to go against adding some more security to our build process.
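The http-to-https rewrite script Guillaume mentions, sketched here as an added example that is not part of the thread or of makepkg: it rewrites only plain http:// entries in a PKGBUILD's source arrays, and only when a probe confirms the https URL actually answers over a valid TLS connection, so a host without a working certificate keeps its original entry and shows up for manual review. The SAMPLE_PKGBUILD, its hostnames and all function names are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# A source=( ... ) or source_<arch>=( ... ) array, possibly spanning several lines.
SOURCE_ARRAY_RE = re.compile(r"^(\s*source(?:_\w+)?=\()(.*?)(\)[ \t]*)$", re.S | re.M)
# One array element: single-quoted, double-quoted, or a bare word.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")

# Constructed sample, not a real package.
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.0
source=('http://example.org/pub/example-1.0.tar.gz'
        'http://example.org/pub/example-1.0.tar.gz.sig'
        'fix.patch::http://legacy.example.net/fix.patch'
        'git+http://example.org/example.git#tag=v1.0'
        'https://already.example.org/x.tar.gz')
sha256sums=('SKIP' 'SKIP' 'SKIP' 'SKIP' 'SKIP')
"""

def https_available(url, timeout=10):
    """Real probe: HEAD the https:// URL. urllib verifies the certificate, so a
    bad chain or a dead host makes this False and the entry is left untouched."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, OSError, ValueError):
        return False

def upgrade_entry(entry, probe):
    """Return (new_entry, changed). Only plain http:// URLs are candidates; VCS
    sources like git+http://, ftp:// and entries already on https stay as they are."""
    quote = entry[0] if entry[:1] in ("'", '"') else ""
    body = entry[1:-1] if quote else entry
    name, sep, url = body.partition("::")      # makepkg's "filename::url" form
    if not sep:
        name, url = "", body
    if not url.startswith("http://"):
        return entry, False
    candidate = "https://" + url[len("http://"):]
    if not probe(candidate):
        return entry, False
    return quote + name + sep + candidate + quote, True

def upgrade_pkgbuild(text, probe=https_available):
    """Rewrite every eligible source URL in a PKGBUILD; returns (new_text, changes)."""
    changes = []
    def fix_array(m):
        head, inner, tail = m.groups()
        def fix_token(t):
            new, changed = upgrade_entry(t.group(0), probe)
            if changed:
                changes.append((t.group(0), new))
            return new
        return head + TOKEN_RE.sub(fix_token, inner) + tail
    return SOURCE_ARRAY_RE.sub(fix_array, text), changes
```

Run it against a real PKGBUILD with the default probe and review the returned change list before committing; anything still on http:// after the pass is a host worth a closer look.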
On Mon, Oct 31, 2016 at 2:18 PM, Guillaume ALAUX <guillaume@archlinux.org> wrote:
> On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak <anthraxx@archlinux.org> wrote:
>> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
>>> As a middle ground, I think it would be more reasonable (or at least, less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at least parts of them. For an existing example, OpenBSD's signify(1) uses their cryptographic signature system to sign a simple list of sha256sums.
>>> Perhaps makepkg could include, e.g., a sha256sumsigs array, that contains a PGP signature (signed by the developer/TU's official key) of the contents (properly serialised by makepkg so there's a minimum of possible ambiguity) of the sha256sums array?
>> That is literally a _completely_ different topic that addresses _completely_ different areas. You are speaking about authenticating the build scripts themselves. That does not solve _anything_ at all of what this thread/topic/todo-list is about.
>> Don't get me wrong: I don't judge it at all, I'm just saying that both are fully independent from each other and you should please open a new thread if you want to discuss this rather than hijack this thread :)
>> cheers, Levente
> Yes, these are two totally different subjects: "Encourage the use of PGP signatures in our `source`" and "Using HTTPS on our `source`". Let's stick to the original subject :)
> I am all in favor of a script to turn `http` into `https` when available. Yeah, HTTPS "brings a false sense of security", but it still hardens a link in the build process. Sorry for your caches, guys; I might be missing some background here, but I couldn't imagine any reason to go against adding some more security to our build process.
Thanks fnodeuser.
When it comes to the security of online update mechanisms and that of an index, TUF has a well-designed scheme that stays safe regardless of http and plans for the eventual leak/theft of signing keys. I'd suggest anyone interested have a look.
participants (5)
- Carsten Mattner
- Diego Viola
- Guillaume ALAUX
- Levente Polyak
- Patrick Burroughs (Celti)