Patrick Burroughs (Celti)
2016-10-31 15:43:19 UTC
On Mon, 31 Oct 2016 16:16:21 +0100

> > As a middle ground, I think it would be more reasonable (or at
> > least, less unreasonable) to modify makepkg to allow signing
> > PKGBUILDs, or at least parts of them. For an existing example,
> > OpenBSD's signify(1) uses their cryptographic signature system to
> > sign a simple list of sha256sums.
> >
> > Perhaps makepkg could include, e.g., a sha256sumsigs array, that
> > contains a PGP signature (signed by the developer/TU's official key)
> > of the contents (properly serialised by makepkg so there's a minimum
> > of possible ambiguity) of the sha256sums array?
>
> That is literally a _completely_ different topic that addresses
> _completely_ different areas.
>
> You are speaking about authenticating the build scripts themselves. That
> does not solve _anything_ at all of what this thread/topic/todo-list is
> about.

It really is not. I am not speaking of authenticating the build
scripts; both this thread and my proposal are talking about ensuring
the integrity of downloaded source files.

Specifically, I am speaking of cryptographically signing the checksums
for source files downloaded by the build scripts, so that they download
what the author of the build script _intended_ them to download.

This is presumably the same reason for ensuring sources are downloaded
via HTTPS instead of HTTP, where possible: adding a cryptographic
authentication to ensure someone building a package does not get
sources without being aware they are modified. Only, embedding
signatures in the PKGBUILD is trusting the Arch devs via the pacman
keyring or a parallel method, instead of the (flawed) CA system. If there
is another reason to switch to HTTPS, please, make me aware of it!

Also, the very first reply in the thread talked about adding upstream
signatures instead of changing the protocol, where possible; only, not
every upstream offers or _wants_ to offer them, so I proposed, in
response to a prompt for discussion on the subject in the mail I
quoted, a way to make that feasible.

> Don't get me wrong: I don't judge it at all, I'm just saying
> that both are fully independent from each other and you should please
> open a new thread if you want to discuss this rather than hijack this
> thread :)

I really, really don't think they're independent from each other, and
as I'm not authorised to post on arch-dev-public and didn't expect to
draw this out into a conversation, I simply replied to the thread on
arch-general. Bowing to peers, however... et voilà: a new thread.

~Celti
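The flow the proposal describes (serialise the sha256sums array unambiguously, sign that serialisation with the maintainer's key, and have the build tool verify the signature before it trusts any checksum) is shown below as an added example; it is not makepkg code and not part of the thread. It follows the signify(1) model the post cites, so it signs with Ed25519 from Go's standard library rather than PGP (Go has no OpenPGP in the standard library), and the names SourceEntry, Serialise, SignChecksums, VerifyChecksums, VerifySource, CheckDownload and DigestHex, the "<hex>  <name>" line format, and the sample file contents are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// SourceEntry pairs one entry of the source array with the checksum the
// PKGBUILD declares for it (the matching sha256sums element).
type SourceEntry struct {
	Name   string
	SHA256 string // lowercase hex digest
}

// DigestHex returns the lowercase hex SHA-256 of data.
func DigestHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Serialise renders the checksum list in one canonical, line-oriented form:
// "<hex>  <name>\n" sorted by name (the same shape sha256sum(1) and
// signify -C consume). Signing this byte string rather than the raw array
// text removes the ambiguity the proposal worries about.
func Serialise(entries []SourceEntry) []byte {
	sorted := append([]SourceEntry(nil), entries...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, e := range sorted {
		fmt.Fprintf(&b, "%s  %s\n", strings.ToLower(e.SHA256), e.Name)
	}
	return []byte(b.String())
}

// SignChecksums is the maintainer-side step: sign the serialised list with the
// developer/TU private key (the value that would live in a sha256sumsigs array).
func SignChecksums(priv ed25519.PrivateKey, entries []SourceEntry) []byte {
	return ed25519.Sign(priv, Serialise(entries))
}

// VerifyChecksums is the builder-side step: check the signature with the
// maintainer's public key before trusting any checksum in the list.
func VerifyChecksums(pub ed25519.PublicKey, entries []SourceEntry, sig []byte) bool {
	return ed25519.Verify(pub, Serialise(entries), sig)
}

// VerifySource compares a downloaded file with its already-authenticated entry.
func VerifySource(entry SourceEntry, data []byte) bool {
	return DigestHex(data) == strings.ToLower(entry.SHA256)
}

// CheckDownload is the full order of operations a build tool would run:
// authenticate the checksum list first, then every downloaded source.
func CheckDownload(pub ed25519.PublicKey, entries []SourceEntry, sig []byte, files map[string][]byte) error {
	if !VerifyChecksums(pub, entries, sig) {
		return errors.New("sha256sums signature does not verify: checksum list not trusted")
	}
	for _, e := range entries {
		data, ok := files[e.Name]
		if !ok {
			return fmt.Errorf("%s: source was not downloaded", e.Name)
		}
		if !VerifySource(e, data) {
			return fmt.Errorf("%s: checksum mismatch", e.Name)
		}
	}
	return nil
}

func main() {
	// Constructed maintainer key pair and constructed "downloaded" sources.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{
		"foo-1.0.tar.gz": []byte("constructed tarball bytes"),
		"foo.patch":      []byte("constructed patch bytes"),
	}
	entries := []SourceEntry{
		{Name: "foo-1.0.tar.gz", SHA256: DigestHex(files["foo-1.0.tar.gz"])},
		{Name: "foo.patch", SHA256: DigestHex(files["foo.patch"])},
	}
	sig := SignChecksums(priv, entries)
	fmt.Printf("signed list:\n%s", Serialise(entries))
	fmt.Println("genuine download:", CheckDownload(pub, entries, sig, files))

	// A mirror serving a modified tarball fails the checksum; a modified
	// checksum list (without the maintainer's key) fails the signature.
	files["foo-1.0.tar.gz"] = []byte("modified tarball bytes")
	fmt.Println("modified source: ", CheckDownload(pub, entries, sig, files))
	entries[0].SHA256 = DigestHex(files["foo-1.0.tar.gz"])
	fmt.Println("modified sums:   ", CheckDownload(pub, entries, sig, files))
}
```

The point of the two failure cases at the end is the one the post makes: a plain checksum list only protects against a download that differs from what the PKGBUILD says, while the signature over the serialised list also protects the list itself, so trust rests on the maintainer's key rather than on the transport.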