[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Guillaume ALAUX guillaume at alaux.net
Tue Jun 15 11:02:23 EDT 2010


On 15 June 2010 16:55, Dimitrios Apostolou <jimis at gmx.net> wrote:

> On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote:
>
>> On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou <jimis at gmx.net>
>> wrote:
>>
>>> Moreover, instead of building all packages in the private PCs of
>>> developers,
>>> I think it is preferable to submit PKGBUILDs to build servers (via web
>>> interface maybe) and let the servers do the build + signing +
>>> repo update...
>>> That way if a developer's system gets compromised his packages will stay
>>> clean. Of course that needs extra work and equipment, but perhaps we can
>>> agree to it as a future target.
>>>
>>
>> Well, in fact, that is the very problem we have. The repository
>> database files are created remotely and I think that we should avoid
>> signing files remotely. In fact, a dev's machine is less visible than
>> the servers of Arch. And see the response from Ionut too.
>>
>
> Let me just clarify here that by "build server" I mean a machine where
> developers have *not* shell access (and in fact almost nobody has), and by
> "package signing" I mean signing with a specific archlinux key which is
> unknown (the private part) to most devs. Some distros follow that approach
> to security.
>
> What you are proposing is package signing by developer keys, that's a
> different approach. I am just bringing up alternatives.
>
>
> Dimitris
>
>
> BTW I don't think that building inside a compromised system is in any way
> secure, even if building inside a chroot.
>

> I think that we should avoid signing files remotely.
Is there any precise reason? If it is because "that remote place could be
compromised", well, any dev computer could be compromised too!

> by "package signing" I mean signing with a specific archlinux key which is
> unknown (the private part) to most devs.
This is what is implemented in this git
http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg

The diffs I see there (made by Dan and Geoffroy) look good to me. As far as
I understand, when a package is built on the (remote) build server, its
signature is added to the desc file of the repo and the repo.db.tar.gz is
signed itself.
When pacman retrieves the repo.db.tar.gz, it checks the signature of this
file and then has all package signatures available in it!
This looks very KISS and elegant to me: no mypackage.pkg.tar.xz.asc lying
around in the FTP or (even worse, in my opinion) inside the pkg tarball.

But if you think about using private/public key authentication for devs when
submitting packages to the build system then I do agree!
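The trust chain described in this message (a repo db that carries every package's signature and is itself signed, checked by the client before any package is trusted), as an added Go example that is not part of this thread or of pacman's code. The one-line-per-package desc layout, the Ed25519 build-server key and the package contents are constructed assumptions; the real desc files and db format differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Repo stands in for repo.db.tar.gz plus a detached signature over it (constructed layout).
type Repo struct {
	DB    []byte // desc entries, one per line: "<name>\t<hex signature over package bytes>"
	DBSig []byte // signature over DB, made with the same build-server key
}

// buildRepo plays the build server: sign each package, record the signature in
// its desc entry, then sign the whole db so the list of entries is authenticated.
func buildRepo(priv ed25519.PrivateKey, pkgs map[string][]byte) Repo {
	var sb strings.Builder
	for name, data := range pkgs {
		fmt.Fprintf(&sb, "%s\t%s\n", name, hex.EncodeToString(ed25519.Sign(priv, data)))
	}
	db := []byte(sb.String())
	return Repo{DB: db, DBSig: ed25519.Sign(priv, db)}
}

// verifyPackage plays pacman: refuse everything if the db signature fails, otherwise
// find the package's entry and check it against the downloaded bytes. An unlisted
// package is a failure, not a pass.
func verifyPackage(pub ed25519.PublicKey, repo Repo, name string, data []byte) error {
	if !ed25519.Verify(pub, repo.DB, repo.DBSig) {
		return fmt.Errorf("repo db signature invalid: no entry can be trusted")
	}
	for _, line := range strings.Split(strings.TrimSpace(string(repo.DB)), "\n") {
		fields := strings.SplitN(line, "\t", 2)
		if len(fields) != 2 || fields[0] != name {
			continue
		}
		sig, err := hex.DecodeString(fields[1])
		if err != nil || !ed25519.Verify(pub, data, sig) {
			return fmt.Errorf("package %s: signature does not match downloaded bytes", name)
		}
		return nil
	}
	return fmt.Errorf("package %s: not listed in the signed db", name)
}

func main() { // constructed key pair and package; an altered download must be rejected
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	repo := buildRepo(priv, map[string][]byte{"unrealircd": []byte("constructed package contents")})
	fmt.Println(verifyPackage(pub, repo, "unrealircd", []byte("altered contents")))
}
```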


More information about the arch-general mailing list