On Tue, Jul 21, 2015 at 8:54 PM, Allan McRae wrote:
> I searched the archives, but I can not find why we stored the package
> PGP signatures base64'd in the repo database rather than downloading
> them as needed. Signatures are responsible for ~55% of the Arch repo
> database size, so I am guessing there must have been a tradeoff.
> Can anyone provide insight to this? It was 2008...
2008 or 2011? I see this being read first in commit 39ce9b3afc6. The
commit to scripts is authored earlier, but committed much later.
Doesn't really matter I suppose. :)
I can't be certain what my thinking was, but I can think of a few
possible reasons. Not sure of their validity, but:
1) Fewer downloads necessary when installing/upgrading. FTP was still
a thing at the time, and it was super-slow by comparison to HTTP on
grabbing more files given the way the protocol works.
2) If/when signing databases is a thing, you want to sign the whole
database so you can have end-to-end tamper detection. Else anyone
could drop a different 'pacman-4.2.1-1' signed package in place, and
you wouldn't be able to tell the difference. If I feel confident
signing a database, I should feel confident you can't change what that
database refers to. With that said, there are checksums in here too,
so you couldn't really do this, but we don't currently run the
checksum verification if we do signature verification. This could
change.
3) When I started work on all this, I had it in my head that
signatures were relatively small, so it made sense to inline them.
Mine are only 72 bytes, for instance, while other packagers are much
longer. Modern keys generate 287 or 543 byte signatures, which are 8
times larger than I originally thought. [1]
More random stuff:
* https://wiki.debian.org/SecureApt looks like Debian only signs the
DB, and then from there, it uses the checksums to verify the packages.
Hope that helps.
-Dan
[1]
archweb=# select avg(length(signature_bytes)) as len, packager_str
from packages group by packager_str order by 1;
len | packager_str
-----------------------+----------------------------------------------------------
71.9500000000000000 | Juergen Hoetzel
71.9789473684210526 | Martin Wimpress
72.0000000000000000 | Massimiliano Torromeo
72.0000000000000000 | Dan McGee
72.0000000000000000 | Fabio Castelli (Muflone)
87.9600000000000000 | Thorsten Töpper
95.9898648648648649 | Gaetan Bisson
96.0000000000000000 | Guillaume ALAUX
286.9230769230769231 | Alexandre Filgueira
286.9666666666666667 | Connor Behan
286.9806763285024155 | Balló György
286.9821428571428571 | Maxime Gauduin
286.9827586206896552 | Jonathan Steel
286.9836065573770492 | Ronald van Haren
286.9908256880733945 | Laurent Carlier
286.9911894273127753 | Bartłomiej Piotrowski
286.9922879177377892 | Eric Belanger
286.9945355191256831 | Jan Alexander Steffens (heftig)
286.9946070878274268 | Antonio Rojas
286.9956896551724138 | Andreas Radke
286.9966499162479062 | Evangelos Foutras
286.9968454258675079 | Jan de Groot
287.0000000000000000 | Daniel Isenmann
287.0000000000000000 | Lukas Jirkovsky
287.0000000000000000 | Tom Gundersen
287.0000000000000000 | Christian Hesse
287.0000000000000000 | Dicebot
287.0000000000000000 | Giovanni Scafora
287.0000000000000000 | Kyle Keen
287.0000000000000000 | speps
287.0000000000000000 | Bartłomiej Piotrowski
287.0000000000000000 | Jonathan Steel
287.0000000000000000 | Pierre Schmitz
287.0000000000000000 | Михаил Страшун
287.0000000000000000 | Christian Hesse (leda.eworm.de)
287.0000000000000000 | Andrzej Giniewicz
287.0000000000000000 | Jelle van der Waa
287.0000000000000000 | Ionut Biru
287.0000000000000000 | Bartłomiej Piotrowski
287.0000000000000000 | schuay
287.0000000000000000 | Daniel Wallace <danielwallace at gtmanfred dot com>
287.0000000000000000 | Alexander F Rødseth
287.0000000000000000 | Gerardo Exequiel Pozzi
287.0000000000000000 | Allan McRae
287.0000000000000000 | Maxime Gauduin
287.0000000000000000 | Andrea Scarpino
287.0000000000000000 | Angel Velasquez
287.0000000000000000 | Alexander Rødseth
287.0000000000000000 | Timothy Redaelli
287.0000000000000000 | Tobias Powalowski
287.0000000000000000 | Rashif Rahman (Ray)
287.0000000000000000 | Dave Reisner
386.9024390243902439 | Unknown Packager
538.9859813084112150 | Sébastien Luttringer
542.9722222222222222 | Levente Polyak
542.9867109634551495 | Anatol Pomozov
542.9946476360392507 | Felix Yan
542.9985337243401760 | Felix Yan
542.9987021414665801 | Sergej Pupykin
543.0000000000000000 | Rémy Oudompheng
543.0000000000000000 | Jaroslav Lichtblau
543.0000000000000000 | Thomas Bächler
543.0000000000000000 | Jaroslav Lichtblau
543.0000000000000000 | Lukas Fleischer
543.0000000000000000 | Florian Pritz
543.0000000000000000 | Lukas Fleischer
543.0000000000000000 | Evgeniy Alekseev
543.0000000000000000 | Thomas Dziedzic
543.0000000000000000 | Xyne
543.0000000000000000 | Sven-Hendrik Haase
543.0000000000000000 | BlackEagle <ike DOT devolder AT gmail DOT com>
543.0000000000000000 | Evgeniy Alekseev
543.0000000000000000 | Jaroslav Lichtblau
543.0000000000000000 | Daniel Micay
639.0000000000000000 | Jerome Leclanche
1055.0000000000000000 | Johannes Löthberg
(76 rows)
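Added illustration (not part of the thread, not pacman code): point 2 above argues that a per-package signature alone does not stop someone substituting a different, validly signed package file, because the signature travels with the file; the checksum recorded in the database is what ties the entry to one specific payload. The script below parses a repo-database "desc" entry in the %FIELD%/value layout Arch databases use (my paraphrase of that format; the package bytes, the 287-byte stand-in "signature" and the packager string are constructed so it runs offline), checks the payload against %SHA256SUM% and %CSIZE% independently of any signature step, and reports how much of the entry the base64 %PGPSIG% value occupies, which is the size cost the thread is discussing.

```python
import base64
import hashlib
import hmac

# Constructed sample payload standing in for foo-1.0-1-x86_64.pkg.tar.xz.
PKG_BYTES = b"constructed package payload, stands in for foo-1.0-1.pkg.tar.xz\n"
# A different payload, as a substituted package would be.
OTHER_PKG = b"some other package payload with its own (valid) detached signature\n"
# Stand-in for an OpenPGP signature: 287 bytes, the RSA-2048 size seen in the table above.
FAKE_SIG = bytes(i % 256 for i in range(287))

# Constructed desc entry; real entries carry more fields, these suffice here.
DESC = (
    "%FILENAME%\nfoo-1.0-1-x86_64.pkg.tar.xz\n\n"
    "%NAME%\nfoo\n\n"
    "%VERSION%\n1.0-1\n\n"
    "%CSIZE%\n" + str(len(PKG_BYTES)) + "\n\n"
    "%SHA256SUM%\n" + hashlib.sha256(PKG_BYTES).hexdigest() + "\n\n"
    "%PGPSIG%\n" + base64.b64encode(FAKE_SIG).decode("ascii") + "\n\n"
    "%PACKAGER%\nExample Packager <packager@example.invalid>\n\n"
)


def parse_desc(text):
    """Parse %FIELD% blocks into a dict of field name -> list of value lines."""
    fields = {}
    current = None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            current = line[1:-1]
            fields[current] = []
        elif line == "":
            current = None          # blank line ends the current block
        elif current is not None:
            fields[current].append(line)
    return fields


def verify_checksum(desc, pkg_bytes):
    """Does the payload match the %CSIZE% and %SHA256SUM% recorded in the database?

    This runs independently of any signature check: a substituted package file
    can carry a perfectly valid signature of its own, but it cannot match the
    digest the database entry recorded for the intended file."""
    fields = parse_desc(desc)
    if int(fields["CSIZE"][0]) != len(pkg_bytes):
        return False
    actual = hashlib.sha256(pkg_bytes).hexdigest()
    return hmac.compare_digest(actual, fields["SHA256SUM"][0])


def signature_share(desc):
    """Return (raw signature bytes, base64 length, fraction of the desc text).

    base64 inflates the signature by 4/3 (plus padding), which is part of why
    inline signatures weigh so heavily in the database."""
    fields = parse_desc(desc)
    b64 = "".join(fields["PGPSIG"])
    raw_len = len(base64.b64decode(b64))
    return raw_len, len(b64), len(b64) / len(desc)


if __name__ == "__main__":
    print("intended payload ok:", verify_checksum(DESC, PKG_BYTES))
    print("substituted payload ok:", verify_checksum(DESC, OTHER_PKG))
    raw, enc, share = signature_share(DESC)
    print(f"signature: {raw} raw bytes, {enc} base64 chars, {share:.0%} of this entry")
```

The checksum step is the one the thread says pacman currently skips when signature verification runs; keeping both checks is cheap and closes the substitution case independently of whether the database itself is signed.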