[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Chicken-users] chicken-install package integrity/signing
|
From: |
Jason Valencia |
|
Subject: |
Re: [Chicken-users] chicken-install package integrity/signing |
|
Date: |
Sun, 23 Dec 2018 00:11:51 +0000 |
Thomas Chust wrote:
> Hello,
>
> implementing package signatures is technically not such a big deal
> (see the experimental example script here:
> https://paste.call-cc.org/paste?id=b5f6d4cce329d48d64eefbe0922b64aebb16a9e5
> :-)
>
> But we need to decide who should be responsible for signatures and
> which keys should be trusted by the package manager. The simplest
> solution would probably be to have one trusted signing key and
> signatures applied automatically by the package server. However,
> this is not the most secure solution.
>
> The best guarantees for authenticity of the egg code would be given
> by signatures from the original package authors, however
> implementing that may require a significant infrastructural overhead
> to maintain up-to-date lists of current keys and which eggs they are
> allowed to sign.
Until this is resolved, is anyone aware of good ways to install eggs
more securely? A couple options come to mind but they seem overkill.
- Running a local egg mirror with henrietta as it looks like it can
fetch over HTTPS
- Downloading packages with chicken-install -retrieve (to just
download instead of installing) and manually inspecting each one
- Re: [Chicken-users] chicken-install package integrity/signing,
Jason Valencia <=