On Wed, May 19, 2010 at 04:33:52PM +0100, Darren J Moffat wrote: > On 19/05/2010 16:23, Nicolas Williams wrote: > >Integrity protection here could best be handled by ZFS, and by using a > >snapshot to access the on-disk repo. Granted, that would mean that > >IPS on systems that don't support ZFS would lack integrity protection, > >just like most applications. I think that'd be acceptable for the > >forseeable future. > > That assume the on-disk repo is actually on a local never mind ZFS. > It could be getting accessed over NFS of http. https is certainly > an option as is using Kerberos for NFS to provide a transport layer > protection.
Yes. > >Also, what is to be defended against? Here, IMO: data corruption due to > >bad hw -- ZFS is plenty good enough at that; there's no need to > >replicate ZFS' integrity protection. > > Maybe nothing if we assume the package contents themselves are > signed - and if they aren't I don't see any benefit in doing > anything additional in the on-disk repo format. It may well be that > there is nothing worth defending against that isn't already > addressed by the signed package contents. Attacking the indexes represents mostly a DoS, unless the manifest signatures do not cover the pkgs' names, in which case there'd be a redirection attack as well. Perhaps there'd also be a publisher substitution attack as well, but I think that can be defended against on the client side. Protecting against this sort of DoS attack seems not worth the effort, and protecting against the redirection attack can be done by ensuring that the manifest signatures cover the pkg names. However, you're right that now's the time to get this right, particularly for the over-NFS scenario. Nico -- _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
