Re: Checking signatures on source tarballs
From: Christopher Allan Webber
Subject: Re: Checking signatures on source tarballs
Date: Tue, 06 Oct 2015 22:18:15 -0500
Mark H Weaver writes:
> Alex Kost <address@hidden> writes:
>
>> Ludovic Courtès (2015-10-05 18:55 +0300) wrote:
>>
>>> Alex Kost <address@hidden> skribis:
>>>
>>>> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>>>>
>>>>> However, if this is “too convenient”, I’m afraid this would give an
>>>>> incentive to not check OpenPGP signatures when they are available.
>>>>
>>>> Sorry, I have no idea what it means :-(
>>>
>>> When upstream digitally signs its source code tarballs, packagers should
>>> check those signatures to authenticate the code they have.
>>>
>>> If the tool makes it too easy to fill out the ‘sha256’ field without
>>> going through the trouble of downloading the ‘.sig’ file and checking
>>> it, then people will have an incentive not to check those signatures.
>>
>> Oh, now I see what you mean. Well, I don't know, I think if a user has
>> a habit to check a signature, he will check it anyway; and if not, then
>> not.
>
> I share Ludovic's concern. It is a serious problem if packagers fail to
> check signatures. We should not provide mechanisms that encourage such
> behavior. It jeopardizes the security of every user of those packages.
>
> IMO, we should rather be going in the other direction, to formalize and
> automate the checking of signatures. IMO, our 'origin' objects should
> include a set of fingerprints of acceptable GPG signing keys for that
> package, as well as information on how to find the signature (in cases
> where it cannot be guessed).
>
> This would have several beneficial effects:
>
> * If the packager downloaded a key belonging to a man-in-the-middle
> (quite possible given that we rarely have a validated chain of trust
> to the developer), then that bad key will be stored in our git repo
> for all to see, allowing someone to notice that it's the wrong key.
>
> * When the package is later updated, it will not be possible for a new
> man-in-the-middle attack to be made on us. If a new signing key is
> used, we cannot fail to notice it. It will raise a red flag and we
> can investigate.
>
> * It would strongly encourage packagers to do these checks, and make it
> obvious to reviewers or users when the packager failed to do so. It
> would also make it easy to find unsigned packages, so that we can
> encourage upstream to start signing the packages, at least for the
> most important ones.
>
> Also, our linter should download and check the signature, so that it's
> easy for others to independently check the verification done by the
> original packager.
>
> What do you think?
>
> Mark
This sounds great to me!
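The pinned-fingerprint check Mark proposes above, as an added example that is not Guix code: the package definition carries a set of acceptable key fingerprints, gpg verifies the detached `.sig`, and only a `VALIDSIG` line whose signing-key or primary-key fingerprint is in that set passes. `GOODSIG` alone is not accepted, because it carries only a 64-bit key ID. The `verify_tarball` wrapper assumes a `gpg` binary on `PATH` and a keyring directory holding only the keys the packager fetched; the sample status lines and fingerprints are constructed for illustration.

```python
import subprocess

# gpg status keywords that mean the signature must be rejected outright.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fpr(fpr: str) -> str:
    """Uppercase a fingerprint and drop the spaces gpg prints between groups."""
    return fpr.replace(" ", "").upper()


def check_status(status_output: str, pinned: set[str]) -> tuple[bool, str]:
    """Decide from `gpg --status-fd` output whether the signature is good AND
    was made by a key whose fingerprint the package definition pins."""
    pinned = {normalize_fpr(f) for f in pinned}
    seen_valid = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT:
            return False, f"gpg reported {keyword}"
        if keyword == "VALIDSIG":
            signing_fpr = normalize_fpr(fields[2])
            # Field 11, when present, is the primary key fingerprint; a signing
            # subkey is accepted if either it or its primary key is pinned.
            primary_fpr = normalize_fpr(fields[11]) if len(fields) > 11 else signing_fpr
            if signing_fpr in pinned or primary_fpr in pinned:
                seen_valid = True
            else:
                return False, f"valid signature, but key {primary_fpr} is not pinned"
    if seen_valid:
        return True, "signature valid and made by a pinned key"
    return False, "no VALIDSIG line: signature missing or key not in keyring"


def verify_tarball(tarball: str, sig: str, keyring_dir: str, pinned: set[str]) -> tuple[bool, str]:
    """Run gpg on the detached signature (assumes gpg is installed) and apply check_status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--homedir", keyring_dir,
         "--verify", sig, tarball],
        capture_output=True, text=True, check=False)
    return check_status(proc.stdout, pinned)


# Constructed sample of gpg status output for a good signature by subkey
# 0123...4567 of primary key FEDC...BA98 (both fingerprints are made up).
SAMPLE_STATUS_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-10-05 1444061700 0 4 0 1 10 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
```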