On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
Hi guys. One more of those long boring emails... sorry.

See this situation: let's say we sign packages and the repo.db and the
signatures are all detached, in the same directory as their
corresponding files. If some cracker breaks into the machine and
deletes the signatures, pacman will not be able to know if the
packages and repo.db were signed or not. So, it would be necessary to
have some way to indicate that a repository is signed or not and this
information must be kept in such a way that an intruder can't change.

The signatures are currently placed in the repo-db. So only the repo db needs to be downloaded and not individual signatures. If an attacker deletes the repo database and its signature, that is probably the least of our issues... There will be many copies of a recent signed database that we can recover all the signatures from.

Another factor to consider is that the signature verification should
be optional for each system. I mean, if a user doesn't care about
signatures, he should be able to say "pacman, I couldn't care less about
signatures, please". So, I believe that the best place for such
information should be in the pacman.conf file, in each repository
section. Maybe one cares about signatures in one repository but not for
another. And we would spread the attack surface for the entire user
base, instead of concentrating it only on the server or mirrors.

I thought that this was already implemented.


For the repository update, it would be like this:

1. for each repository
   1.1. download the repo.db
   1.2. if it is signed

(and signature checking is enabled for that repo)

     1.2.1. download the signature
     1.2.2. check the signature
   1.3. extract the db to its right place, as today
For the package verification, it would be like this:

1. downloads the package
2. if the signature is enabled for the repository
   2.1. if the package is signed (this information must come from repo.db)
     2.1.1. download the signature for the package

No need for that step. The signature is in repo.db

     2.1.2. checks the signature

For installation of local packages, I am not very worried about
signatures. It could be optional, indicated via parameter.

Agreed.

Well, I think that to store the new information, we'll have to break
the ABI, won't we? Sorry to say this just a few days after the new
release... Maybe we could have put some new fields in for future use.

Breaking API happens every major release. It is nothing to be very concerned about.

Allan
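The verification flow discussed in this thread, as an added example (not pacman code): pacman.conf decides per repository whether signatures are required, repo.db carries each package's signature, and repo.db itself has a detached signature. The repo config dict, the line-based db format and the use of HMAC as a stand-in for a real public-key signature are all assumptions made for the example.

```python
"""Fail-closed signature policy modelled on the thread's design (added example,
not pacman's code). A repo marked as signed in pacman.conf treats a missing
or bad signature as an error, never as a silent downgrade to "unsigned"."""
import hashlib
import hmac

KEY = b"constructed-repo-key"  # assumption: stands in for the repo's key material

def sign(data: bytes) -> str:
    # HMAC is a stand-in for a real public-key signature (assumption).
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify(data: bytes, sig) -> bool:
    # A deleted signature (None) verifies as False, exactly like a bad one.
    return sig is not None and hmac.compare_digest(sign(data), sig)

class VerifyError(Exception):
    pass

def build_db(packages: dict) -> bytes:
    """Constructed repo.db format: one 'name sha256 sig' line per package,
    with '-' when the package is unsigned."""
    lines = []
    for name, (data, signed) in packages.items():
        sig = sign(data) if signed else "-"
        lines.append(f"{name} {hashlib.sha256(data).hexdigest()} {sig}")
    return "\n".join(lines).encode()

def check_repo_db(repo_conf: dict, db_bytes: bytes, db_sig) -> dict:
    """Step 1.2: verify repo.db only if pacman.conf marks the repo as signed."""
    if repo_conf["require_sigs"] and not verify(db_bytes, db_sig):
        raise VerifyError(f"{repo_conf['name']}: repo.db signature missing or invalid")
    db = {}
    for line in db_bytes.decode().splitlines():
        name, digest, sig = line.split()
        db[name] = {"sha256": digest, "sig": None if sig == "-" else sig}
    return db

def check_package(repo_conf: dict, db: dict, name: str, pkg: bytes) -> bool:
    """Step 2: the package signature comes from the already verified repo.db,
    so no separate signature download is needed."""
    entry = db[name]
    if hashlib.sha256(pkg).hexdigest() != entry["sha256"]:
        raise VerifyError(f"{name}: checksum mismatch")
    if repo_conf["require_sigs"] and not verify(pkg, entry["sig"]):
        raise VerifyError(f"{name}: package signature missing or invalid")
    return True
```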
