On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae <allan@archlinux.org> wrote:
On 19/06/10 03:45, Denis A. Altoé Falqueto wrote: The signatures are currently placed in the repo-db. So only the repo db needs downloaded and not individual signatures. If an attacker deletes the repo database and its signature, that is probably the least of our issues... There will be many copies of a recent signed database that we can recover all the signatures from.
Hmm, I see. And it is a good idea, indeed. But I've tested two packages (go-openoffice, 130M, and libxfontcache, 8K) to see how this will affect the final size of the database. The size of the signatures was 543 bytes each. So the size of the package will not affect the size of the signatures. What could affect is the key used, given the hash algorithm is the same. My current key has 2024 bits length The table bellow resume the expected increase for each repository: http://pastebin.com/ppfe5dxw Maybe that is acceptable, maybe not. Thinking about it a little, I would not be very glad of having to download almost the same signatures (the ones that didn't change) every time I run pacman -Sy. I believe that just marking if a package is signed inside the repository is enough. Or maybe I've misinterpreted something too.
Another factor to consider is that the signature verification should be optional for each system. I mean, if a user doesn't care about signatures, he should be able to say "pacman, I can't care less about signatures, please". So, I believe that the best place for such information should be in the pacman.conf file, in each repository section. Maybe one cares about signature in one repository but not for another. And we would spread the attack surface for the entire user base, instead of concentrating it only on the server or mirrors.
I thought that this was already implemented.
Good. I am still getting to know the code. Thanks for taking the time to answer. I'm already testing pacman-key and it is working fine. I'll test makepkg and repo-db too, but I believe they are alright. The changes were very little. I've already implemented a function to verify the signatures, in C, using popen to call gpg2. The function was based on a test program I made today, so it is very probably working, at least the basics. On a side note, I discovered a funny thing about apt. They don't use gpgme lib too, but instead call gpgv, a program that just verifies signatures. Looking through its man paage, I learnt that it doesn't respect the web of trust of the keyring (!!!). So, in the end, apt just checks to see if the key is in the keyring (all keys are trustworthy, according to gpgv's manpage) and verifies the file signature. I just didn't have a good feeling about it. -- A: Because it obfuscates the reading. Q: Why is top posting so bad? ------------------------------------------- Denis A. Altoe Falqueto -------------------------------------------