On Thu, Jan 14, 2010 at 09:56:41PM +0000, Chris Gerhard wrote:
> On 14/01/2010 21:17, [email protected] wrote:
> >On Thu, Jan 14, 2010 at 08:40:20PM +0000, Chris Gerhard wrote:
> >>On 14/01/2010 19:54, [email protected] wrote:
> >>>On Thu, Jan 14, 2010 at 11:52:41AM +0000, Chris Gerhard wrote:
> >>>>My concern as someone who works in support is that this will
> >>>>generate fire drills and customer calls. The manual for pkg verify
> >>>>should sing out that it does not always use the sha1 to do a full
> >>>>verification.
> >>>
> >>>Sorry, but documenting internal algorithms isn't appropriate. We want
> >>>to reserve the right to change our hash algorithms and message digests
> >>>without breaking existing software. Pkg verify is what you should use
> >>>to verify the integrity of files installed by the packaging system. If
> >>>you choose not to use that tool, you're on your own.
> >>
> >>And that is the problem. If you use anything else it will lead the
> >>user down the path of believing there is a problem when there is
> >>not one. That will result in customer dissatisfaction and calls,
> >>unless we clearly document this behaviour or fix it.
> >
> >Customers don't get to build tools on private interfaces and expect
> >support. As I said before, I'm open to building an interface in our
> >public API that security software can use to verify our files. However,
> >if a system has been compromised, even manifest signing can be exploited
> >since we assume the intruder will have the ability to replace manifests
> >and the keys we use to verify them.
>
> I'm not sure I understand your point. If a customer uses bart(1) to
> build checksums of a system and then uses that on another
> "identical" system they will think the systems are different. No
> need to involve the pkg system at all. Customers do this and will
> then call us if they have systems that are running the same release
> but the files are different.
What I'm suggesting, since we own bart(1), is that we have the ability to
teach bart(1) to use a pkg(5) API when looking at files.

We've talked about conditional publication and can eventually implement it;
however, that's probably not happening in the short term.

You've already filed an RFE to have verify look at the entire hash of the
file, but I don't think that helps you in this case.

I don't have a problem with documenting that pkg verify should be used to
verify the integrity of files installed by the packaging system, instead of
some other tool.

-j

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
