On 06/05/2015 02:43 PM, Hannes Mehnert wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA384
>
> Hi Edwin,
>
> On 06/05/2015 13:27, Török Edwin wrote:
>> Thanks for working on this, I think this is an important piece in
>> the opam infrastructure.
>>
>> - there have been a few downgrade/MiTM attacks related to legacy
>> cryptography in TLS or JWT and I'd like to avoid that here.
>
> I do plan to support only SHA-2 and RSA > 2048 bits. But yes, it
> should be user-configurable.
>
>> - packages with git or local directory as source
>
> I do not plan to support signing for git / local dir (although git
> versions might carry an annotated tag with signature).
>
>> - GitHub PR merge security
>>
>> Author of PR can push more commits (even rewrite the whole PR
>> history with force push) which might create a race condition
>> between reviewing a PR and merging the PR. Can the snapshot bot add
>> a comment to each PR after it finished the Travis build with the
>> Git commit hash?
>
> The plan is to have some Travis checks here (which creates a checkmark
> icon on success on the commit), and then the snapshot bot which will
> verify that everything is monotonic.
>
>> - opam --trace-sigs
>>
>> Perhaps you intended to include this in opam-admin, but it would be
>> useful to be able to display the full signature chain, and all the
>> files and signatures involved in it in the client too (think: dig
>> +trace).
>
> Agreed.
>
>> - how expensive is it to check signatures?
>>
>> This can easily be parallelized (w/ parmap for example).
>>
>> Will the client check each package's full chain, or just for the
>> root and the packages that are to be installed/upgraded?
>
> Before processing data, a client will first verify this data. A client
> will not blindly download and verify all the tarballs, but the
> metadata (opam file) will be verified before being used by opam for
> dependency calculation etc.
>
> Hannes
_______________________________________________
Platform mailing list
[email protected]
http://lists.ocaml.org/listinfo/platform


--
Regards,
Francois.
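The client-side verification order Hannes describes (reject non-SHA-2 hashes and short RSA keys up front, verify the signed metadata before the solver ever sees it, and have the snapshot check that everything is monotonic), as an added Python example that is not code from this thread or from opam. The wire format, field names, DEMO_KEY, make_demo_repository and the HMAC-SHA256 stand-in for RSA verification are assumptions made here for the demo; a real client would call an RSA verifier against the repository's public key in verify_sig.

```python
"""Client-side checks on signed repository metadata (added example, not opam code)."""
import hashlib
import hmac
import json

# Assumed, user-configurable policy mirroring the thread: SHA-2 only, RSA of at least 2048 bits.
DEFAULT_POLICY = {"hashes": frozenset({"sha256", "sha384", "sha512"}), "min_rsa_bits": 2048}

# Constructed demo key; stands in for the repository's RSA public key (assumption).
DEMO_KEY = b"constructed-demo-repository-key"


class VerificationError(Exception):
    """Raised whenever metadata must not be handed to the solver."""


def sign_for_demo(key, data):
    """Stand-in signer: HMAC-SHA256. A real repository would sign with RSA."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_sig(key, data, signature):
    """Stand-in verifier with a constant-time compare; replace with RSA verification."""
    return hmac.compare_digest(sign_for_demo(key, data), signature)


def check_algorithm_policy(header, policy):
    """Downgrade defence: refuse a legacy hash or short key before any signature math."""
    if header.get("hash") not in policy["hashes"]:
        raise VerificationError(f"hash {header.get('hash')!r} not allowed by policy")
    if header.get("key_type") != "rsa" or int(header.get("key_bits", 0)) < policy["min_rsa_bits"]:
        raise VerificationError("key type or size not allowed by policy")


def check_monotonic(version, last_seen):
    """A snapshot must be strictly newer than the last one this client accepted (no replay)."""
    if last_seen is not None and version <= last_seen:
        raise VerificationError(f"snapshot {version} is not newer than {last_seen}")


def verify_snapshot(signed, key, last_seen, policy=DEFAULT_POLICY):
    """Return the parsed snapshot only after policy, signature and version checks pass."""
    check_algorithm_policy(signed["header"], policy)
    body = signed["body"].encode()
    if not verify_sig(key, body, bytes.fromhex(signed["signature"])):
        raise VerificationError("signature does not verify")
    snapshot = json.loads(body)
    if snapshot["file_hash"] not in policy["hashes"]:
        raise VerificationError("file hash algorithm not allowed by policy")
    check_monotonic(snapshot["version"], last_seen)
    return snapshot


def verify_metadata_file(snapshot, path, content):
    """Hand an opam file to the solver only if its digest is pinned in the verified snapshot."""
    expected = snapshot["files"].get(path)
    digest = hashlib.new(snapshot["file_hash"], content).hexdigest()
    if expected is None or not hmac.compare_digest(expected, digest):
        raise VerificationError(f"{path} does not match the signed snapshot")
    return content


def make_demo_repository(version=2, key=DEMO_KEY):
    """Constructed sample: two opam files plus a signed snapshot pinning their hashes."""
    files = {
        "packages/foo/foo.1.0/opam": b'opam-version: "1.2"\nbuild: [make]\n',
        "packages/bar/bar.0.3/opam": b'opam-version: "1.2"\ndepends: ["foo"]\n',
    }
    body = json.dumps({"version": version, "file_hash": "sha256",
                       "files": {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}},
                      sort_keys=True)
    signed = {"header": {"hash": "sha256", "key_type": "rsa", "key_bits": 4096},
              "body": body, "signature": sign_for_demo(key, body.encode()).hex()}
    return signed, files


def run_scenarios():
    """Fresh snapshot, pinned file, algorithm downgrade, replay and tampered file."""
    out = {}
    signed, files = make_demo_repository()
    snap = verify_snapshot(signed, DEMO_KEY, last_seen=1)
    out["fresh"] = "accepted v%d" % snap["version"]
    path = "packages/foo/foo.1.0/opam"
    out["file_ok"] = verify_metadata_file(snap, path, files[path]) == files[path]
    attacks = {
        # attacker rewrites the algorithm declaration to something weak
        "downgrade": dict(signed, header={"hash": "sha1", "key_type": "rsa", "key_bits": 1024}),
        # attacker serves an older, genuinely signed snapshot
        "replay": make_demo_repository(version=1)[0],
    }
    for name, bad in attacks.items():
        try:
            verify_snapshot(bad, DEMO_KEY, last_seen=1)
            out[name] = "accepted"
        except VerificationError as e:
            out[name] = str(e)
    try:
        verify_metadata_file(snap, path, files[path] + b'build: [sh "evil.sh"]\n')
        out["tamper"] = "accepted"
    except VerificationError as e:
        out["tamper"] = str(e)
    return out


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The policy check runs before the signature is even parsed, so a blob that merely claims a weak algorithm is rejected without the client ever exercising legacy code paths; the monotonic check is what makes a replayed but validly signed older snapshot useless. In a deployment the header that names the algorithm must itself be covered by the signature or pinned out of band, otherwise the allowlist is the only thing standing between the client and a downgrade.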