Old 02-19-2011, 06:15 PM
Jelle van der Waa
 
Default Your signature please

On Sat, 2011-02-19 at 20:05 +0100, Alf Gaida wrote:
> >Yeah! Archers deserve to die!
> >
> >But really I'm not convinced by this hyper-paranoia trash.
> >There will always be ways to compromise your machine. Someone who would
> >go through the trouble of setting up a proxy mirror and injecting
> >malicious code into seemingly normal packages is probably going to find
> >other ways. Package signing will not protect you.
> >
> >You will never be safe.
> >The truth is out there.
> This is opensource - if you would create real trouble, just help with kernel-
> modules. The only difference is, in other distributions these errors came
> through your system signed.
>
> Why hacking, when simple development is so easy?
>

I don't understand what you are saying, but in short.

You can't force Allan / any pacman-dev to create package signing for
pacman. If you really want to get this feature into pacman/archlinux
(dbscripts etc. needs to be redone too):

-read the code
-add patches
-wait for devs to sign them off

on a side note:
http://media.ccc.de/browse/congress/2010/27c3-4295-en-high_speed_high_security_cryptography.html

--
Jelle van der Waa
 
Old 02-19-2011, 06:38 PM
Alf Gaida
 
Default Your signature please

Maybe I should have used an <ironic> tag. Nothing is secure in the end, if
anyone will do harm, he'll find a security hole. Like this:
http://www.webhostingtalk.com/showthread.php?t=717240

I agree fully with Allan. For me it does not make a big difference if a package is
signed or not. It's a nice-to-have feature and I would be glad if someone
would implement it. But for me it has a very low priority.

The performance issues addressed by Allan are much more important for me, but
unfortunately at the moment I'm not so into the code that I could really help.
 
Old 02-19-2011, 09:42 PM
Daniel Mendler
 
Default Your signature please

On 02/19/2011 08:38 PM, Alf Gaida wrote:
> Maybe I should have used an <ironic> tag. Nothing is secure in the end, if
> anyone will do harm, he'll find a security hole. Like this:
> http://www.webhostingtalk.com/showthread.php?t=717240

Exactly, because we cannot reach perfect security, we should not care
about it at all!

> I agree fully with Allan. For me it does not make a big difference if a package is
> signed or not. It's a nice-to-have feature and I would be glad if someone
> would implement it. But for me it has a very low priority.

It makes a big difference if your system is compromised. And then you
will care about it. I don't understand this naive and short-sighted opinion.

@Allan: I am a bit disappointed with your opinion that you want to
implement only features that you care about. I think there is also a
responsibility if you are one of the main developers of the package
manager of a popular distribution. And you don't even have to implement
the features yourself - there are people who are willing to help. But
those people should also get some support by you.

Daniel
 
Old 02-19-2011, 10:05 PM
Allan McRae
 
Default Your signature please

On 20/02/11 08:42, Daniel Mendler wrote:

> @Allan: I am a bit disappointed with your opinion that you want to
> implement only features that you care about. I think there is also a
> responsibility if you are one of the main developers of the package
> manager of a popular distribution. And you don't even have to implement
> the features yourself - there are people who are willing to help. But
> those people should also get some support by you.


Those people get full support from me. You might have seen between
these emails that I reviewed the three patches for package signing
posted to this list yesterday within 12 hours of them being posted.


I am serious when I say "patches welcome". It just turns out those
people that claim to be willing to help rarely do anything.


Allan
 
Old 02-19-2011, 10:22 PM
Alf Gaida
 
Default Your signature please

On 19 Feb 11, 23:42:18, Daniel Mendler wrote:
> It makes a big difference if your system is compromised. And then you
> will care about it. I don't understand this naive and short-sighted opinion.
>
> Daniel

I'm _not_ naive and short-sighted. I just don't care. If I were concerned about
this there would be only two ways to go: don't use Arch and anything
pacman-related, or implement it by myself. So my decision is: I use Arch and don't
implement it. If I had the time, the knowledge and the interest to do so I
would. I'm not interested.
 
Old 02-19-2011, 10:25 PM
Dan McGee
 
Default Your signature please

I'm not sure I even want to get involved in this thread. :/

On Sat, Feb 19, 2011 at 5:05 PM, Allan McRae <allan@archlinux.org> wrote:
> On 20/02/11 08:42, Daniel Mendler wrote:
>>
>> @Allan: I am a bit disappointed with your opinion that you want to
>> implement only features that you care about. I think there is also a
>> responsibility if you are one of the main developers of the package
>> manager of a popular distribution.
This is totally false. None of us signed up because we wanted to code
stuff other people wanted; we saw an open source project we could
contribute to and all of a sudden we ended up being the lead
developers. If our fellow developers were telling us "hey we really
need package signing", we'd probably set aside our having fun to work
on it a bit more, but if you notice, none of them are doing that.

Responsibility? I take responsibility for myself and no one else,
anything else would be stupid and make me legally liable for work I
don't even get paid for.

>> And you don't even have to implement
>> the features yourself - there are people who are willing to help. But
>> those people should also get some support by you.
>
> Those people get full support from me. You might have seen between these
> emails that I reviewed the three patches for package signing posted to this
> list yesterday within 12 hours of them being posted.
>
> I am serious when I say "patches welcome". It just turns out those people
> that claim to be willing to help rarely do anything.
The other thing we frequently see is work that doesn't come close to
meeting our standards, and when we point this out, we get accused of
not wanting to implement package signing. At that point, what are we
expected to do? Redo the work ourselves?

Either way, can we all just relax a bit? This thread is becoming a
bitching ground, and nothing productive has come out of it. Act civil
and stop using the guise of the internet to say anything you want and
attack others. It really isn't appropriate.

-Dan
 
Old 02-19-2011, 11:36 PM
Daniel Mendler
 
Default Your signature please

> Responsibility? I take responsibility for myself and no one else,
> anything else would be stupid and make me legally liable for work I
> don't even get paid for.

I don't mean that you take legal responsibility. I only mean that you
have some influence on how this project continues.

>>> And you don't even have to implement
>>> the features yourself - there are people who are willing to help. But
>>> those people should also get some support by you.
>>
>> Those people get full support from me. You might have seen between these
>> emails that I reviewed the three patches for package signing posted to this
>> list yesterday within 12 hours of them being posted.
>>
>> I am serious when I say "patches welcome". It just turns out those people
>> that claim to be willing to help rarely do anything.
> The other thing we frequently see is work that doesn't come close to
> meeting our standards, and when we point this out, we get accused of
> not wanting to implement package signing. At that point, what are we
> expected to do? Redo the work ourselves?

I understand that the code quality should meet the quality standards.
And I understand that you don't want to redo the work yourself if this
is not the case. This is totally acceptable.

> Either way, can we all just relax a bit? This thread is becoming a
> bitching ground, and nothing productive has come out of it. Act civil
> and stop using the guise of the internet to say anything you want and
> attack others. It really isn't appropriate.

I think this should also go to a much more technical level. We have the
gpg tree in Allan's repository. As I said I tested it with a repository
and got it to work. So can you tell me what do you need till this can be
merged into master?

1. Design a strategy to manage the keyrings and adapt the tools to it
2. Patches for the issues on the Package Signing Wiki Page
3. Patches to db-scripts to manage the database with gpg signatures

Some of the issues on the wiki page are really minor (e.g. rename
option). There are more complex ones (replacing verified db with
unverified one, reworking the signature checking code when using pacman
-U). And there are already patches for some of the issues.

So what do you say about the code quality of the branch? Is it
acceptable at this point or is there improvement needed? Are there other
blockers preventing you from merging it as soon as the points above are
solved?

Daniel
 
Old 02-20-2011, 01:28 AM
Allan McRae
 
Default Your signature please

On 20/02/11 10:36, Daniel Mendler wrote:

> I think this should also go to a much more technical level. We have the
> gpg tree in Allan's repository. As I said I tested it with a repository
> and got it to work. So can you tell me what do you need till this can be
> merged into master?
>
> 1. Design a strategy to manage the keyrings and adapt the tools to it
> 2. Patches for the issues on the Package Signing Wiki Page
> 3. Patches to db-scripts to manage the database with gpg signatures
>
> Some of the issues on the wiki page are really minor (e.g. rename
> option). There are more complex ones (replacing verified db with
> unverified one, reworking the signature checking code when using pacman
> -U). And there are already patches for some of the issues.
>
> So what do you say about the code quality of the branch? Is it
> acceptable at this point or is there improvement needed? Are there other
> blockers preventing you from merging it as soon as the points above are
> solved?


As far as I am concerned, the major points on the TODO list that need
patches are the first five for pacman:


TODO: fix (and refactor) reading signatures for packages installed with -U
TODO: have a way to force a signature check with -U (i.e. abort if no
signature is found)

TODO: only replace old database when signature is valid
TODO: output when downloading signature file - name when downloaded
TODO: output when downloading signature file - "error" when not available


The other issues are all fairly minor (and the pacman-key/makepkg ones
mostly have patches that just need revised already).


So if patches are submitted for those five points, and any criticism
followed up, I will commit to then spending the time doing the needed
tidying/rebasing of the code on my gpg branch to have it suitable for
merging.


Allan
 
Old 02-20-2011, 10:47 AM
Daniel Mendler
 
Default Your signature please

Hi Allan

> As far as I am concerned, the major points on the TODO list that need
> patches are the first five for pacman:
>
> TODO: fix (and refactor) reading signatures for packages installed with -U
> TODO: have a way to force a signature check with -U (i.e. abort if no
> signature is found)
> TODO: only replace old database when signature is valid
> TODO: output when downloading signature file - name when downloaded
> TODO: output when downloading signature file - "error" when not available

I have a patch for the third point. Can you please clarify the last two
points? Do you think the output is too verbose (two download progress
bars with the same name etc, and two error messages in case of error)?

> The other issues are all fairly minor (and the pacman-key/makepkg ones
> mostly have patches that just need revised already).

I took a look at the other patches. I agree that these need only
reviewing and merging.

> So if patches are submitted for those five points, and any criticism
> followed up, I will commit to then spending the time doing the needed
> tidying/rebasing of the code on my gpg branch to have it suitable for
> merging.

Sounds good.

Daniel
 
Old 02-20-2011, 11:02 AM
Allan McRae
 
Default Your signature please

On 20/02/11 21:47, Daniel Mendler wrote:

> Hi Allan
>
>> As far as I am concerned, the major points on the TODO list that need
>> patches are the first five for pacman:
>>
>> TODO: fix (and refactor) reading signatures for packages installed with -U
>> TODO: have a way to force a signature check with -U (i.e. abort if no
>> signature is found)
>> TODO: only replace old database when signature is valid
>> TODO: output when downloading signature file - name when downloaded
>> TODO: output when downloading signature file - "error" when not available
>
> I have a patch for the third point. Can you please clarify the last two
> points? Do you think the output is too verbose (two download progress
> bars with the same name etc, and two error messages in case of error)?



Some examples of what those last two points cover:

1)
VerifySig = Always, valid signature:

    :: Synchronizing package databases...
    pacman 1.0K 381.6K/s 00:00:00 [######################] 100%
    pacman 0.3K 14.4M/s 00:00:00 [######################] 100%
    kernel64 1.5K 42.2M/s 00:00:00 [######################] 100%

Two download bars with the same name - the second should be something
like pacman.sig

2)
VerifySig = Always, no signature available:

    :: Synchronizing package databases...
    pacman 1.0K 317.1K/s 00:00:00 [######################] 100%
    error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory
    error: Failed to download signature for db: No such file or directory
    error: failed to update pacman (invalid PGP signature)
    kernel64 1.5K 55.1M/s 00:00:00 [######################] 100%

The error messages need reduced to a possibly single, clear message

3)
VerifySig = Optional, no signature available:

    :: Synchronizing package databases...
    pacman 1.0K 363.2K/s 00:00:00 [######################] 100%
    error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory
    kernel64 1.5K 30.5M/s 00:00:00 [######################] 100%

That is not an actual error as signature checking is optional
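
The three cases above, together with the TODO item "only replace old database when signature is valid", sketched as an added example; this is not code from pacman or from the gpg branch. All type and function names are hypothetical, and treating a present-but-invalid signature as fatal under VerifySig = Optional is an assumption the thread does not state.

```c
#include <stdio.h>

/* Hypothetical names for illustration; not pacman or libalpm identifiers. */
typedef enum { VERIFY_NEVER, VERIFY_OPTIONAL, VERIFY_ALWAYS } verify_level;
typedef enum { SIG_VALID, SIG_MISSING, SIG_INVALID } sig_status;

/* Returns 1 if the downloaded database may replace the installed one, else 0.
 * Writes at most one message into msg (empty when there is nothing to report). */
int db_update_allowed(verify_level level, sig_status sig,
                      const char *repo, char *msg, size_t len)
{
    msg[0] = '\0';
    if (level == VERIFY_NEVER || sig == SIG_VALID)
        return 1;
    if (sig == SIG_MISSING && level == VERIFY_OPTIONAL)
        return 1; /* case 3: not an error, so no message at all */
    /* Assumption: a present-but-invalid signature is fatal even at Optional. */
    snprintf(msg, len, "error: failed to update %s (%s)", repo,
             sig == SIG_MISSING ? "signature file not available"
                                : "invalid PGP signature");
    return 0;
}

/* The download lands in tmp_path first; the installed database is only
 * touched here, after the decision above has been made. */
int commit_db(int allowed, const char *tmp_path, const char *db_path)
{
    if (!allowed) {
        remove(tmp_path);   /* discard the unverified download, keep old db */
        return -1;
    }
    return rename(tmp_path, db_path); /* atomic replace on POSIX filesystems */
}

int main(void)
{
    char msg[128];
    /* Constructed input mirroring case 2: VerifySig = Always, no signature. */
    int ok = db_update_allowed(VERIFY_ALWAYS, SIG_MISSING, "pacman",
                               msg, sizeof msg);
    printf("replace=%d %s\n", ok, msg);
    return 0;
}
```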
 

All times are GMT.