On Sat, Nov 29, 2008 at 7:48 AM, Pierre Schmitz <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> at first: it is really great that the number of mirrors is increasing and I
> am really thankful to those who provide one.
>
> The point why I feel more and more uncomfortable is that we have no way to
> ensure that one will get the same file from a mirror as from archlinux.org.
> A mirror owner might be a "bad" person himself, his servers might have weak
> security, the government of their home country cannot be trusted, they
> might sync from another "bad" mirror, etc...
>
> Of course, people have been demanding package signing for several years. I
> have even seen some first code, but nothing was ever finished. It should be
> clear that something has to be done. Manipulating packages is just too easy.
>
> The simplest solution would be if we sign the db files (automatically) on
> gerolde. Of course this is less secure than signing every single package by
> its packager; but on the other side it would be easy to implement and there
> would be no overhead for packagers. I am aware that this method would only
> ensure that packages on a mirror are the same as on gerolde; if our server
> gets "hacked" we would have lost. But this should be fine and is far
> better than just nothing and hoping that there are no "bad guys" out there.
>
> Gerhard has written a small patch as a proof of concept. Ignore the details
> at this point. The idea is as follows:
> 1) patch repo-add in order to create a .sig file every time the db file will
>    be changed. For this a private key readable by every dev or just sudo can
>    be used
> 2) use this version of repo-add on gerolde. So we'll have the signatures
>    propagated to our mirrors.
> 3) For testing the whole thing one could just write a small download script
>    which checks the signatures of db files. (Abusing the XferCommand statement
>    in pacman.conf)
> 4) If all went well we could think about a built-in check in pacman itself.
>    (we might be able to reuse some code here that was written for package
>    signing)
> 5) Enable those checks by default for all official repos
> 6) The public key should not be in a package but people have to get it from
>    our website.
>
> What do you think about this? Step 1 to 3 could be implemented in a rather
> short time.
>
> Pierre
There's too much talk on this idea. Before we go ahead and do this, could someone submit this patch to the pacman-dev list, so the pacman developers can give it a once-over. Just make sure to let them know that this is a temporary solution. Additionally - where will gpg get the key from on gerolde? Shouldn't this be configurable, or even set via an optarg to the -s param?
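A sketch of the step-3 download script from the quoted proposal, as an added example (not code from the thread, from Gerhard's patch or from pacman): an XferCommand wrapper that fetches the requested file and, for db files only, also fetches the adjacent .sig written by the patched repo-add and verifies it with gpg before pacman ever sees the file. The pacman.conf line, the keyring path, the `.sig` naming and the fetch tool are assumptions.

```shell
#!/bin/sh
# Added example: XferCommand wrapper that verifies a detached GnuPG signature
# on repository db files. Assumed pacman.conf line (not from the thread):
#   XferCommand = /usr/local/bin/pacman-verify-fetch %o %u
# pacman substitutes %o with the output path and %u with the URL.
# Assumed: the mirror serves <repo>.db.tar.gz.sig next to <repo>.db.tar.gz,
# and the public key was imported into KEYRING from the website, not from
# a package (step 6 of the proposal). Keyring path is an assumed location.

KEYRING="${PACMAN_VERIFY_KEYRING:-/etc/pacman.d/gnupg/archlinux.gpg}"
FETCH="${PACMAN_VERIFY_FETCH:-wget -q -O}"   # usage: $FETCH <out> <url>

# Only db files are signed by the patched repo-add; packages pass through.
is_db_url() {
    case "$1" in
        *.db.tar.gz|*.db) return 0 ;;
        *) return 1 ;;
    esac
}

# Signature URL for a db URL: the same name with ".sig" appended.
sig_url() { printf '%s.sig\n' "$1"; }

# Verify a detached signature; anything but a good signature is a failure.
verify_db() { # verify_db <file> <sigfile>
    gpg --no-default-keyring --keyring "$KEYRING" \
        --verify "$2" "$1" >/dev/null 2>&1
}

fetch_and_verify() { # fetch_and_verify <out> <url>
    out="$1"; url="$2"
    $FETCH "$out" "$url" || exit 1
    is_db_url "$url" || return 0          # non-db files: unchanged behaviour
    sig="$out.sig"
    if ! $FETCH "$sig" "$(sig_url "$url")"; then
        echo "pacman-verify-fetch: no signature for $url, discarding" >&2
        rm -f "$out" "$sig"; exit 1
    fi
    if ! verify_db "$out" "$sig"; then
        echo "pacman-verify-fetch: BAD signature for $url, discarding" >&2
        rm -f "$out" "$sig"; exit 1
    fi
    rm -f "$sig"                          # leave pacman only the verified db
}

# Run only when invoked by pacman with the two XferCommand arguments.
if [ "$#" -eq 2 ]; then
    fetch_and_verify "$1" "$2"
fi
```

A missing or bad signature deletes the downloaded db and exits non-zero, so pacman reports the sync as failed instead of silently using an unverified database.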

