08-26-2008, 02:39 AM
Bojan Smojver

Time to resurrect multi-key signatures in RPM?

Andrew Bartlett <abartlet <at> samba.org> writes:

> I think the checksums would be the hardest part. Build times, hosts
> and other details are very often embedded into a build.

Yeah, good point. We do have checksums of individual files inside the RPM,
right? Maybe we can leverage that in order to provide a build system neutral
checksum that can be verified independently?

--
Bojan

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
08-26-2008, 02:49 AM
Bojan Smojver

Time to resurrect multi-key signatures in RPM?

Bojan Smojver <bojan <at> rexursive.com> writes:

> Yeah, good point. We do have checksums of individual files inside the RPM,
> right? Maybe we can leverage that in order to provide a build system neutral
> checksum that can be verified independently?

Or maybe we could even rely on checksums of cpio archives produced by rpm2cpio?

--
Bojan

08-26-2008, 03:09 AM
Chris Adams

Time to resurrect multi-key signatures in RPM?

Once upon a time, Bojan Smojver <bojan@rexursive.com> said:
> Andrew Bartlett <abartlet <at> samba.org> writes:
> > I think the checksums would be the hardest part. Build times, hosts
> > and other details are very often embedded into a build.
>
> Yeah, good point. We do have checksums of individual files inside the RPM,
> right? Maybe we can leverage that in order to provide a build system neutral
> checksum that can be verified independently?

That still doesn't help; some things embed the compile time and info in
the files. See for example 'uname -v' (although that one is pretty
easily controlled IIRC) and 'perl -V'.

One possible way to handle builds that do this would be to do something
like use the timestamp of the spec file or last CVS update time for
example and force such builds to use that instead of the current time.

That doesn't help the 'perl -V' example though, since it includes the
'uname -r' and 'uname -v' output in the resulting binary; for example,
you can see that the current perl RPM on F9/x86_64 was built on a RHEL5
(or derivative; somebody could tell from the version string) system and
what kernel it was running at the time.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

08-26-2008, 03:11 AM
Tom Lane

Time to resurrect multi-key signatures in RPM?

Bojan Smojver <bojan@rexursive.com> writes:
> For instance, an attacker being in the position of injecting a bad
> package and signing it with Fedora key would still get nowhere, as he'd
> need to convince other signatories to sign those packages before them
> being any threat to Fedora users. Before signing, signatories could
> require that original contributor that built the package for a
> particular tag sends a signed e-mail (containing that tag and package
> checksums - valid only once) to the signatories, therefore requiring yet
> another compromised private key in order to perform an attack.

Yup, packagers are going to do that, sure...

Most of us are overworked already. We aren't going to jump through any
hoops for third-party signatories.

regards, tom lane

08-26-2008, 03:27 AM
Bojan Smojver

Time to resurrect multi-key signatures in RPM?

Tom Lane <tgl <at> redhat.com> writes:

> Yup, packagers are going to do that, sure...

That was the intention, yes. Packagers would notify all signatories (with a
signed e-mail) that they've built a new package destined for updates and that
signatories should review and sign it. We're still working out the details of
making sure packages are genuine in another thread :-)

I guess from Red Hat's point of view, the only difference would be that Fedora
packages would not be valid unless signed and uploaded back to updates by
(required number of) other signatories.

--
Bojan



08-26-2008, 03:29 AM
Bojan Smojver

Time to resurrect multi-key signatures in RPM?

Chris Adams <cmadams <at> hiwaay.net> writes:

> That still doesn't help; some things embed the compile time and info in
> the files. See for example 'uname -v' (although that one is pretty
> easily controlled IIRC) and 'perl -V'.
>
> One possible way to handle builds that do this would be to do something
> like use the timestamp of the spec file or last CVS update time for
> example and force such builds to use that instead of the current time.
>
> That doesn't help the 'perl -V' example though, since it includes the
> 'uname -r' and 'uname -v' output in the resulting binary; for example,
> you can see that the current perl RPM on F9/x86_64 was built on a RHEL5
> (or derivative; somebody could tell from the version string) system and
> what kernel it was running at the time.

Right. Not very good.

Are these things exceptions to the rule or do the majority of packages have this kind
of thing built in? If 95% of packages don't have it, the rest can always be
checked by hand by running binary diff or something...

--
Bojan


08-26-2008, 03:57 AM
Bojan Smojver

Time to resurrect multi-key signatures in RPM?

Bojan Smojver <bojan <at> rexursive.com> writes:

> Are these things exceptions to the rule or do the majority of packages have this
> kind of thing built in?

Actually, it should be quite easy to verify this. If someone from Red Hat could
run 'ls *.rpm | sort | while read pkg; do echo -en "$pkg "; rpm2cpio < $pkg |
sha1sum; done' for all Fedora packages built in koji of a distro/arch (say
F9/i386) and if Matt could do the same on his Dell build farm, we'll clearly see
what gives different checksums of cpio archives.

--
Bojan



08-26-2008, 04:35 AM
Seth Vidal

Time to resurrect multi-key signatures in RPM?

On Tue, 2008-08-26 at 03:57 +0000, Bojan Smojver wrote:
> Bojan Smojver <bojan <at> rexursive.com> writes:
>
> > Are these things exceptions to the rule or do the majority of packages have this
> > kind of thing built in?
>
> Actually, it should be quite easy to verify this. If someone from Red Hat could
> run 'ls *.rpm | sort | while read pkg; do echo -en "$pkg "; rpm2cpio < $pkg |
> sha1sum; done' for all Fedora packages built in koji of a distro/arch (say
> F9/i386) and if Matt could do the same on his Dell build farm, we'll clearly see
> what gives different checksums of cpio archives.

why do you want that?

rpm -qp --dump pkg.rpm

-sv


08-26-2008, 05:22 AM
Bojan Smojver

Time to resurrect multi-key signatures in RPM?

Seth Vidal <skvidal <at> fedoraproject.org> writes:

> why do you want that?
>
> rpm -qp --dump pkg.rpm

Because I didn't read rpm manual page? ;-)

Yeah, that's really useful - thanks for that hint. Makes it really simple for
people to compare content of packages.

You reckon this multi-key signing thing could be done in any practical fashion
in Fedora?

--
Bojan


08-26-2008, 07:13 AM
Bruno Wolff III

Time to resurrect multi-key signatures in RPM?
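The comparison Bojan and Seth are discussing (checksumming the package payload with rpm2cpio versus reading per-file digests from `rpm -qp --dump`), as an added example that is not part of the thread: it parses two `--dump` listings of the same package built on two hosts and reports which files differ by digest, i.e. the minority that embeds build-time details and needs checking by hand. The dump field order is the one documented in rpm(8); the sample listings and their digests are constructed placeholders.

```python
"""Compare two 'rpm -qp --dump' listings of the same package built on two hosts.

Added example, not from the thread. Dump field order is the one rpm(8) documents:
path size mtime digest mode owner group isconfig isdoc rdev symlink.
Only the digest is compared; mtime is ignored since it is always set at build time.
"""

def parse_dump(text: str) -> dict:
    """Map each path in a --dump listing to its (size, mtime, digest) fields."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 11:      # skip blank lines or anything that is not a dump row
            continue
        path, size, mtime, digest = fields[:4]
        entries[path] = (int(size), int(mtime), digest)
    return entries

def compare_builds(dump_a: str, dump_b: str) -> dict:
    """Split files into identical, digest-differs, and present-in-one-build-only."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    common = a.keys() & b.keys()
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "digest_differs": sorted(p for p in common if a[p][2] != b[p][2]),
        "identical": sorted(p for p in common if a[p][2] == b[p][2]),
    }

# Constructed sample dumps (placeholder digests, not real package hashes):
# the same package built on two hosts; Config.pm embeds build-host details.
BUILD_A = """\
/usr/bin/example 12345 1219700000 aaaa0001 0100755 root root 0 0 0 X
/usr/lib/example/Config.pm 678 1219700000 bbbb0002 0100644 root root 0 0 0 X
/usr/share/doc/example/README 321 1219700000 cccc0003 0100644 root root 0 1 0 X
"""
BUILD_B = """\
/usr/bin/example 12345 1219786543 aaaa0001 0100755 root root 0 0 0 X
/usr/lib/example/Config.pm 690 1219786543 dddd0004 0100644 root root 0 0 0 X
/usr/share/doc/example/README 321 1219786543 cccc0003 0100644 root root 0 1 0 X
"""

if __name__ == "__main__":
    report = compare_builds(BUILD_A, BUILD_B)
    for path in report["digest_differs"]:
        print("DIFFERS:", path)   # candidates for a by-hand binary diff
```

Unlike a single sha1sum over the rpm2cpio output, the per-file view shows exactly which files a build farm cannot reproduce, which is what decides whether the "check the rest by hand" approach is workable.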

On Tue, Aug 26, 2008 at 03:27:43 +0000,
Bojan Smojver <bojan@rexursive.com> wrote:
>
> I guess from Red Hat's point of view, the only difference would be that Fedora
> packages would not be valid unless signed and uploaded back to updates by
> (required number of) other signatories.

I don't think you are really going to gain much from doing that. And there
is certainly going to be a lot of pain associated with that. It creates
extra work, adds delays, and adds a dependence on third parties. And it
doesn't completely prevent people from getting bad code signed.
