Hi Edwin,

On 06/05/2015 13:27, Török Edwin wrote:
> Thanks for working on this, I think this is an important piece in
> the opam infrastructure.
>
> - there's been a few downgrade/MiTM attacks related to legacy
> cryptography in TLS or Jwt and I'd like to avoid that here.

I do plan to support only SHA-2 and RSA > 2048 bits. But yes, it should be user-configurable.

> - packages with git or local directory as source

I do not plan to support signing for git / local dir (although git versions might carry an annotated tag with signature).

> - Github PR merge security
>
> Author of PR can push more commits (even rewrite the whole PR
> history with force push) which might create a race condition
> between reviewing a PR and merging the PR. Can the snapshot bot add
> a comment to each PR after it finished the Travis build with the
> Git commit hash?

The plan is to have some travis checks here (which creates a checkmark icon on success on the commit), and then the snapshot bot which will verify that everything is monotonic.

> - opam --trace-sigs
>
> Perhaps you intended to include this in opam-admin, but would be
> useful to be able to display the full signature chain, and all the
> files and signatures involved in it in the client too (think: dig
> +trace).

Agreed.

> - how expensive is it to check signatures?
>
> Will the client check each package's full chain, or just for the
> root and the packages that are to be installed/upgraded?

Before processing data, a client will first verify this data. A client will not blindly download and verify all the tarballs, but the metadata (opam file) will be verified before being used by opam for dependency calculation etc.
Hannes

_______________________________________________
Platform mailing list
[email protected]
http://lists.ocaml.org/listinfo/platform
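The policy Hannes describes in the reply (SHA-2 only, RSA keys of at least 2048 bits, a snapshot that must only move forward, and metadata verified before opam uses it for dependency calculation) can be exercised end to end in a small client-side verifier. The block below is an added example written for this page; it is not code from the thread, from opam or from the signing tooling discussed there. It assumes a snapshot format of its own invention (a `version` counter plus a map from repository path to hex digest, signed as canonical JSON under a root key), uses a pure-Python RSA PKCS#1 v1.5 implementation only so that it runs on the standard library alone, and the opam file, path, key and snapshot are constructed sample data.

```python
import hashlib
import json
import secrets

# Policy from the thread: SHA-2 family only, RSA moduli of at least 2048 bits.
ALLOWED_HASHES = {"sha256", "sha384"}
MIN_RSA_BITS = 2048
# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1).
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
}

class VerificationError(Exception):
    """Raised whenever the client must refuse to use repository data."""

def _is_probable_prime(n, rounds=16):
    # Cheap trial division first, then Miller-Rabin on what survives (n is odd).
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def rsa_keygen(bits, e=65537):
    # Pure-Python stand-in for a real RSA library; returns (public, private) dicts.
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # full length, odd
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(hash_name, message, k):
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, hash_name, message):
    k = (priv["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(hash_name, message, k), "big")
    return pow(em, priv["d"], priv["n"]).to_bytes(k, "big")

def rsa_verify(pub, hash_name, message, signature):
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= pub["n"]:
        return False
    # Re-encode and compare the whole block rather than parsing the padding.
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(hash_name, message, k))

def canonical(snapshot):
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()

def verify_snapshot(snapshot, signature, hash_name, root_pub, last_seen_version):
    # Order matters: algorithm policy first, then the signature, then monotonicity.
    if hash_name not in ALLOWED_HASHES:
        raise VerificationError(f"hash {hash_name} not allowed: SHA-2 family only")
    if root_pub["n"].bit_length() < MIN_RSA_BITS:
        raise VerificationError(f"RSA key too short: {root_pub['n'].bit_length()} bits")
    if not rsa_verify(root_pub, hash_name, canonical(snapshot), signature):
        raise VerificationError("snapshot signature does not verify")
    if snapshot["version"] < last_seen_version:  # rollback to an older snapshot
        raise VerificationError(f"snapshot {snapshot['version']} older than {last_seen_version}")
    return snapshot

def verified_opam_file(snapshot, path, content, hash_name):
    # Only metadata whose digest is listed in a verified snapshot is handed to opam.
    expected = snapshot["files"].get(path, "")  # an unlisted path can never match
    if not secrets.compare_digest(hashlib.new(hash_name, content).hexdigest(), expected):
        raise VerificationError(f"{path} missing from snapshot or digest mismatch")
    return content

def refusal(fn, *args):
    # The verifier's reason for refusing, or None when the input was accepted.
    try:
        fn(*args)
        return None
    except VerificationError as err:
        return str(err)

# Constructed sample data (not real opam-repository content).
ROOT_PUB, ROOT_PRIV = rsa_keygen(2048)
OPAM_PATH = "packages/example/example.0.1/opam"
OPAM_FILE = b'opam-version: "1.2"\nmaintainer: "[email protected]"\n'
SNAPSHOT = {"version": 42, "files": {OPAM_PATH: hashlib.sha256(OPAM_FILE).hexdigest()}}
SIGNATURE = rsa_sign(ROOT_PRIV, "sha256", canonical(SNAPSHOT))
```

Two design points carry the reply's argument: the hash and key-size policy is checked before any signature arithmetic, so a legacy hash or a short key is refused even where the signature itself would verify, and `verified_opam_file` is the only path by which an opam file reaches the dependency solver, which is the verify-before-use ordering in the last answer. A real client would persist `last_seen_version` between runs; here the caller supplies it, and the snapshot bot's monotonicity check is mirrored on the client side by refusing any snapshot older than the last accepted one.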
