Hi David,

I like the idea of signature verification. Better safe now than sorry later.

I have a few concerns:

- Scripts on the server which automatically sign committed info and patch files wouldn't stop a hacker, no?

- I edit a LOT of my info files, IMHO there are too many packages with ludicrous dependencies. How will signature verification affect people who do this? There's no way I'm building (or even installing from binary) texinfo just to use bash, ghostscript to install imagemagick, doxygen & tetex to use id3lib...

Carsten

On Thursday, November 28, 2002, at 07:26 am, David wrote:

From: David <[EMAIL PROTECTED]>
Date: Thu Nov 28, 2002 7:26:50 am Canada/Eastern
To: [EMAIL PROTECTED]
Subject: [Fink-devel] GPG Signing the info file and patches..

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hullo folks.

While sitting around waiting for a meeting to start, I tinkered a bit with gpg and what it might give to us. When looking at the recent problems with Trojans in sources, I started to think that people might start altering "Makefile"-based building systems next. They could "hack" our CVS, alter the info file so that it downloads a specially altered version of the source, and voilà, many people would be affected by it. Even though it seems a bit out of the main course of action right now, it is only the next logical step for versatile black-hats. I would do it that way and I think I was pretty good at what I was doing *grins*.

How could this be done?

Well, we can sign packages and patches fairly easily, that is not the issue. We can create armoured (ASCII) detached signatures or binary signatures. Due to the nature of CVS I would suggest that we stick to ASCII data and thus use detached, armoured signatures.

However, there are certain issues that come with the setup.

a) The user must have gpg installed to benefit from the added security.
b) We have to find a way to create a "Fink" gpg key for signing packages. (I will discuss this separately.)
c) The user will have to enter the passphrase of his private key into some file and thus the key would be exposed UNLESS we find a way to access the keychain from Mac OS X and store the passphrase there.

Signing the packages should be fairly easy; it can be done with a commit script automatically. We simply install expect and a few scripts on the CVS server and the rest will be handled by the system itself. Thus all package info and patches which wander into CVS are automagically signed and thus authorised by us.

There is a Crypt::GPG, but the MCPAN install failed for me in the dependency for Expect; might be a minor issue, but it did. Maybe one of you can have a look at that? (BTW, why does Expect depend on tcltk?)

As I said, as soon as someone manages to install that Crypt::GPG I will look further into the issue. Even though it creates yet another dependency for the user, we could "easily sell" it to the that you have to install certain things for the added benefit of security. We also push the use of gpg indirectly, and that is good for all of us.

Once more, as usual... Comments?

- -d


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE95guOiW/Ta/pxHPQRAxuaAJwOFi40Oe2PrbFs2axDp5ZA/w2nCQCePPtP
19pDgraQSfB0bpmxSbpp6Pc=
=xneu
-----END PGP SIGNATURE-----
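As an added example (not Fink's code and not taken from David's message), this is the client-side half of what he proposes: a check that refuses to use a `.info` or `.patch` file from the project trees unless its detached, armoured signature verifies against a dedicated keyring holding only the project signing key. It also addresses Carsten's case of locally edited info files by treating a `local` tree as exempt by policy rather than as a failure. The directory layout, the keyring path, the `local` tree name and the sample `gpg --status-fd` lines are assumptions constructed for the example; the gpg flags and status keywords (`GOODSIG`, `BADSIG`, `NO_PUBKEY`, `ERRSIG`, `EXPKEYSIG`, `REVKEYSIG`) are real GnuPG ones.

```python
"""Verify detached, ASCII-armoured GnuPG signatures on Fink-style .info
and .patch files before a client uses them.  Added example, not Fink code;
paths, keyring name and the 'local' policy below are assumptions."""
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict

# Decisions a client can act on.  Only GOOD means "authorised by the project".
GOOD, BAD, NO_PUBKEY, ERROR, UNSIGNED, LOCAL = (
    "good", "bad", "no-pubkey", "error", "unsigned", "local")

# Constructed sample status output (not captured from a real gpg run).
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] GOODSIG 0123456789ABCDEF Fink Signing (example)\n"
               "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF "
               "2002-11-28 1038486410 0 4 0 17 2 00 "
               "0000000000000000000000000123456789ABCDEF\n")
SAMPLE_BAD = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 0123456789ABCDEF Fink Signing (example)\n")
SAMPLE_NOKEY = ("[GNUPG:] NEWSIG\n"
                "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1038486410 9\n"
                "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")


def classify_status(status_output: str) -> str:
    """Map gpg --status-fd output to a decision.

    gpg writes one '[GNUPG:] KEYWORD ...' line per event.  A bad or
    unverifiable signature always wins over a good one, so the negative
    keywords are checked first and GOOD is only returned for a clean run.
    """
    keywords = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) > 1 and fields[0] == "[GNUPG:]":
            keywords.add(fields[1])
    if "BADSIG" in keywords:
        return BAD
    if "NO_PUBKEY" in keywords:
        return NO_PUBKEY
    if {"ERRSIG", "EXPKEYSIG", "REVKEYSIG"} & keywords:
        return ERROR
    return GOOD if "GOODSIG" in keywords else ERROR


def verify_detached(data_file: Path, keyring: Path) -> str:
    """Verify data_file against its detached signature data_file + '.asc'.

    A dedicated keyring containing only the project signing key is used so the
    outcome depends on that key alone, not on the user's default keyring or
    web of trust.  --status-fd 1 puts the machine-readable lines on stdout.
    """
    sig_file = data_file.with_name(data_file.name + ".asc")
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(sig_file), str(data_file)],
        capture_output=True, text=True)
    return classify_status(proc.stdout)


def check_tree(finkinfo: Path, keyring: Path,
               verifier: Callable[[Path, Path], str] = verify_detached,
               local_tree: str = "local") -> Dict[str, str]:
    """Walk a dists tree and return {relative path: decision}.

    Files under the local tree are the user's own edits (Carsten's case): they
    never carry a project signature, so they are reported as LOCAL, not as
    UNSIGNED, and the caller can decide to use them on the user's own say-so.
    """
    results: Dict[str, str] = {}
    for f in sorted(finkinfo.rglob("*")):
        if f.suffix not in (".info", ".patch"):
            continue
        rel = f.relative_to(finkinfo)
        if local_tree in rel.parts:
            results[rel.as_posix()] = LOCAL
        elif not f.with_name(f.name + ".asc").exists():
            results[rel.as_posix()] = UNSIGNED
        else:
            results[rel.as_posix()] = verifier(f, keyring)
    return results


def demo_tree(root: Path) -> Dict[str, str]:
    """Build a small constructed dists tree under root and check it with a
    stand-in verifier, so the policy can be exercised without gpg installed."""
    layout = {
        "stable/main/finkinfo/bash.info": True,           # project-signed
        "stable/main/finkinfo/imagemagick.info": False,   # signature missing
        "local/main/finkinfo/bash.info": False,           # user's own edit
    }
    for rel, signed in layout.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("Package: example\n")
        if signed:
            f.with_name(f.name + ".asc").write_text("(constructed .asc)\n")
    # Stand-in for verify_detached: pretend gpg reported GOODSIG.
    fake = lambda data, keyring: classify_status(SAMPLE_GOOD)
    return check_tree(root, Path("/assumed/path/fink-signing.gpg"), verifier=fake)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for path, decision in demo_tree(Path(d)).items():
            print(f"{decision:10} {path}")
```

With a real keyring, replace the stand-in verifier with the default `verify_detached`; anything in the project trees that comes back as anything other than `good` should be refused, which is exactly the property that protects against the altered-info-file scenario David describes. The `local` exemption is a policy choice that keeps hand-edited files usable without weakening the check on project-supplied ones.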

_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel