[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Guillaume ALAUX guillaume at alaux.net
Wed Jun 16 10:48:25 EDT 2010


On 16 June 2010 02:23, Allan McRae <allan at archlinux.org> wrote:

> Just to clarify the build process that goes on here:
>
> 1) make a clean chroot (mkarchroot - only needs to be done once)
> 2) build package in chroot (makechrootpkg)
> 3) upload package to staging area and commit to svn (e.g. testingpkg)
> 4) release package on master server adding it to repo (e.g. db-testing)
>
> Note, no remote build server....
>
> The current code allows:
>  - Signing a package at the end of a build
>  - Adding the package signature to the repo-db
>  - pacman checking that signature
>
> The question remains if/how to sign the repo db.
>
> Options:
>  - do not sign the repo-db
>  - sign the repo-db with a key kept on the remote server
>  - transfer the repo-db locally and sign the reupload (alternatively, sign
> a hash).
>
> Why exactly does the repo-db need signing?  There is a risk that a mirror
> could keep updating except for select packages that have exploitable
> vulnerabilities in them.  That would be prevented by repo signing as the
> mirror would have to update all packages or none.  The argument that anybody
> could just add or replace packages is incorrect as there either would not be
> a signed package added or it would be signed with a non-trusted signature.
>  I believe there is an option for pacman to enforce package signing for a
> given repo so I do not see the risk there.
>
> Signing directly on the remote server is also probably not the best idea.
>  We know our server has been attacked in the past, so leaving the key to
> sign the repo database on there is stupid...
>
> The repo db sizes are small so transferring them to be signed, and
> transferring the signature back should be relatively quick.  Even quicker
> once we can convert them to .xz compression (patch already available the
> release after next).  I think that could be implemented by moving the
> package release (step 4 above) to occur on the developers local machine
> rather than on the remote server as that would require ssh access only from
> the developers machine to the master server and not the other way around.
> That seems more in the realm of devtools/dbscripts requiring changes than
> makepkg/pacman.
>
> Allan
>

OK so... Allan, your email makes me realize that I may be using the "wrong"
building method.

Are the python scripts in the pacbuild package (apple, strawberry,
queuepackage, waka and uploadpackage) used any more as described in this
page <http://wiki.archlinux.org/index.php/Pacbuild>? Because some of these
scripts point to the old "current" repository we used years ago. And if I
understand it right, they don't really fit with what you just said.

I guess the current way of building packages involves the devtools package,
right?

Guillaume
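As an added illustration of Allan's argument above (not code from this thread, nor from pacman or devtools), here is a small Python model of the build steps and the two client-side policies: package signatures only, versus package signatures plus a signed repo-db. The HMAC key, package names and versions are constructed stand-ins for a developer's GPG key and real packages.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the developer's signing key. A real deployment would
# use the developer's GPG key kept on the local machine (never on the master
# server); HMAC is used here only so the model runs offline without a keyring.
DEV_KEY = b"constructed-dev-signing-key"

def sign(data):
    return hmac.new(DEV_KEY, data, hashlib.sha256).hexdigest()

def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)

def build_package(name, version, payload):
    """Step 2 above: the package is signed at the end of the build."""
    blob = f"{name}-{version}:{payload}".encode()
    return {"name": name, "version": version, "blob": blob, "sig": sign(blob)}

def build_db(pkgs):
    """Step 4 above: the repo db lists every package with its signature, and
    the db as a whole is signed (the 'sign the repo-db' option)."""
    entries = sorted((p["name"], p["version"], p["sig"]) for p in pkgs)
    data = json.dumps(entries).encode()
    return {"data": data, "entries": entries, "sig": sign(data)}

def client_check(db, served, require_db_sig):
    """pacman-side check: each served package needs a trusted signature that
    matches its db entry; with require_db_sig the db signature must hold too."""
    if require_db_sig and not verify(db["data"], db["sig"]):
        return False
    index = {name: (ver, sig) for name, ver, sig in db["entries"]}
    return all(verify(p["blob"], p["sig"])
               and index.get(p["name"]) == (p["version"], p["sig"])
               for p in served)

# Constructed packages: "foo" gets a rebuild, "bar" is unchanged.
OLD_FOO = build_package("foo", "1.0-1", "old")
NEW_FOO = build_package("foo", "1.0-2", "rebuilt")
BAR = build_package("bar", "2.0-1", "b")
OLD_DB = build_db([OLD_FOO, BAR])
NEW_DB = build_db([NEW_FOO, BAR])

def selective_rollback(require_db_sig):
    """Mirror swaps foo's db entry back to the old, still validly signed
    package while keeping the developer's signature for the new db."""
    tampered = dict(OLD_DB, sig=NEW_DB["sig"])
    return client_check(tampered, [OLD_FOO, BAR], require_db_sig)

def full_rollback(require_db_sig):
    """Mirror serves the entire old db: the 'all packages or none' case."""
    return client_check(OLD_DB, [OLD_FOO, BAR], require_db_sig)
```

With package signatures only, the selective rollback passes the client check; once the db signature is enforced it fails, while serving the whole old db still verifies under either policy.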

