[arch-general] ensuring integrity of sources (was: [arch-dev-public] todo list for moving http -> https sources)

Patrick Burroughs (Celti) celti at celti.name
Mon Oct 31 15:43:19 UTC 2016


On Mon, 31 Oct 2016 16:16:21 +0100
Levente Polyak <anthraxx at archlinux.org> wrote:

> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
> > As a middle ground, I think it would be more reasonable (or at
> > least, less unreasonable) to modify makepkg to allow signing
> > PKGBUILDs, or at least parts of them. For an existing example,
> > OpenBSD's signify(1) uses their cryptographic signature system to
> > sign a simple list sha256sums.
> > 
> > Perhaps makepkg could include, e.g., a sha256sumsigs array, that
> > contains a PGP signature (signed by the developer/TU's official key)
> > of the contents (properly serialised by makepkg so there's a minimum
> > of possible ambiguity) of the sha256sums array?
> >
> 
> That is literally a _completely_ different topic that addresses
> _completely_ different areas.
> You are speaking about authenticating the build scripts itself. That
> does not solve _anything_ at all what this thread/topic/todo-list is
> about.

It really is not. I am not speaking of authenticating the build
scripts; both this thread and my proposal are talking about ensuring
the integrity of downloaded source files.

Specifically, I am speaking of cryptographically signing the checksums
for source files downloaded by the build scripts, so that they download
what the author of the build script _intended_ them to download.

This is presumably the same reason for ensuring sources are downloaded
via HTTPS instead of HTTP, where possible — adding a cryptographic
authentication to ensure someone building a package does not get
sources without being aware they are modified: only embedding
signatures in the PKGBUILD is trusting the Arch devs via the pacman
keyring or parallel method, instead of the (flawed) CA system. If there
is another reason to switch to HTTPS, please — make me aware of it!

Also the very first reply in the thread talked about adding upstream
signatures instead of changing the protocol, where possible — only not
every upstream offers or _wants_ to offer them, so I proposed, in
response to a prompt for discussion on the subject in the mail I
quoted, a way to make that feasible.

> Don't get me wrong: I don't judge about it at all, I'm just saying
> that both are fully independent from each other and you should please
> open a new thread if you want to discuss this rather than hijack this
> thread :)

I really, really don't think they're independent from each other, and
as I'm not authorised to post on arch-dev-public and didn't expect to
draw this out into a conversation, I simply replied to the thread on
arch-general. Bowing to peers, however... et voilà: a new thread.

~Celti