There is a problem with the current OpenPGP spec: only an 8-octet key id is included in a signature, not the whole fingerprint [1,2]. I’d like to get some feedback on how to address this issue.
This branch [3] contains the code that adds available OpenPGP keys and corresponding usernames to the index tarball. This information is used during ‘cabal update’ [4] to establish a set of trusted keys, which is then cached.

When a user runs ‘cabal install’, they only get a source tarball and possibly a signature. How would you find the right key in the cache? I see two options:

1. Match on 8-octet key ids.
2. Get an uploader name somehow and match on it instead.

The first option is more simple, which is a good thing. But it would require forbidding clashing key ids. I think that’d be too restrictive (fingerprints could be different) and would require querying the cache for every key in the index tarball, which’d probably need a database.

The second one means sending an additional web request for each package version during ‘install’, which would also add input validation burden and potential security issues.

Since I dislike both options, I’ve talked to Mikhail on IRC who suggested adding an ‘x-hackage-uploader’ field to .cabal files (similar to the already used ‘x-hackage-revision’). That’d be done in the index tarball without changing the original files. I like this idea because it’s simple and would allow avoiding fingerprint collisions [5].

What would you do?

[1] https://tools.ietf.org/html/rfc4880#section-5.2.3.5
[2] https://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html
[3] https://gitorious.org/hackage-server/hackage-server/commits/openpgp
[4] https://gitorious.org/cabal/cabal/commits/openpgp
[5] https://www.ietf.org/mail-archive/web/openpgp/current/msg07195.html
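The key-id derivation and the two cache lookup strategies discussed above, as an added Python example (not code from the hackage-server or cabal branches): a v4 key id is the low 64 bits of the SHA-1 fingerprint, so a cache keyed by id alone must detect clashes, while narrowing by uploader name resolves them. The RSA parameters and the clashing fingerprint are constructed for illustration, not real keys.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_pubkey_body(created: int, n: int, e: int = 65537) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 5.5.2); algorithm 1 = RSA."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fpr: bytes) -> bytes:
    """The 8-octet key id carried in a signature is the low-order 64 bits of the fingerprint."""
    return fpr[-8:]


class KeyCache:
    """Trusted keys as cached by 'cabal update', indexed by the 8-octet key id."""

    def __init__(self):
        self.by_key_id = {}  # key id -> list of (fingerprint, uploader)

    def add(self, fpr: bytes, uploader: str) -> None:
        self.by_key_id.setdefault(key_id(fpr), []).append((fpr, uploader))

    def is_ambiguous(self, kid: bytes) -> bool:
        """Option 1 fails here: two different fingerprints share the same key id."""
        return len(self.by_key_id.get(kid, [])) > 1

    def lookup_by_key_id(self, kid: bytes):
        """Option 1: match on key id alone; refuse to pick among clashing keys."""
        cands = self.by_key_id.get(kid, [])
        if len(cands) > 1:
            raise ValueError("ambiguous key id %s: %d candidates" % (kid.hex(), len(cands)))
        return cands[0] if cands else None

    def lookup_by_uploader(self, kid: bytes, uploader: str):
        """Option 2 / x-hackage-uploader: the uploader name disambiguates the key id."""
        cands = [c for c in self.by_key_id.get(kid, []) if c[1] == uploader]
        return cands[0] if len(cands) == 1 else None


# Constructed sample keys (tiny moduli, not real RSA keys).
FPR_ALICE = fingerprint(v4_pubkey_body(1400000000, 0xC0FFEE))
FPR_BOB = fingerprint(v4_pubkey_body(1400000001, 0xBADF00D))
# Constructed fingerprint sharing Alice's low 64 bits, modelling a key id clash.
FPR_CLASH = b"\x00" * 12 + key_id(FPR_ALICE)


def build_cache() -> KeyCache:
    cache = KeyCache()
    cache.add(FPR_ALICE, "alice")
    cache.add(FPR_BOB, "bob")
    cache.add(FPR_CLASH, "carol")
    return cache
```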
_______________________________________________ cabal-devel mailing list cabal-devel@haskell.org http://www.haskell.org/mailman/listinfo/cabal-devel