Hi Ryan.
On Wed, May 30, 2012 at 5:07 PM, Ryan Mullen <rmmullen@gmail.com> wrote:
> In my (humble) opinion, package signing for Crux's ports system should
> be seriously considered. It's a modern feature and is not too complex
> to implement.
A *package* and *ports* system are IMO two different things: the first is
a binary blob prepared for the end user by a responsible packager. The
latter is nothing but a bash script that you may use as-is to compile
the code yourself (and any Pkgfile you should IMO examine before using it).
Therefore, in the first case there's someone standing between you and
the source code, while in the other it's only the code and you. In both
cases the same code is used, but only in the first one someone other than
you is responsible for producing the binary. That's why the thing is
called *package signing*, because in the other case -- if I understand
it correctly -- there's actually nothing to sign.
(A different thing is code signing, but that's the upstream's pain, not
port maintainer's.)
> Second, there is more assurance that a Pkgfile, footprint, or md5sum
> wasn't modified without the port maintainer's knowledge.
Well... .md5sum has very little to do with maintainer's job: basically
it proves that the source tarball you pull to build the package on your
system is the same the port maintainer used to create the Pkgfile. Other
files included in the port should be nothing but text files, and the
checksum should be enough to prove they are valid. Any other signing
here, even if possible, seems a bit superfluous because with a distro
like CRUX you should be able to verify if the script you run contains
malicious code or not.
> The disadvantages include ports tree bloat (less than 1kB per port)
> and a dependency on crypto software (gnupg probably).
The main disadvantage IMO is that the whole idea of *package* signing
doesn't improve the security of the *ports* system because it wasn't
meant to be used there. You can argue if the entire port can be signed
somehow, though this would require high level of correctness as far as
the content of .footprint files is concerned (among other things), and
those not always appear to follow the changes in the package content.
Besides, I decided to use CRUX because it allows for even further
package customization than other distros, and because I wanted to
compile the packages I use so that they fit my machine's specs (avoiding
at the same time 'universal' binaries: a binary is a convenient way
to go, but not always the best one). The simplicity of ports system improves
security by the way it works: making a package myself I know who should be
blamed if something doesn't work the way I wanted.
And if the security
flow comes from the upstream, well, that's where package signing can't
help a lot really...
Anyway, the bottom line: let's verify the scripts we run before we
press Enter. For distros like CRUX it should be the default user action.
Best regards,
bohoomil
_______________________________________________
CRUX mailing list
CRUX@lists.crux.nu
http://lists.crux.nu/mailman/listinfo/crux
Can we talk about package signing?
