Hello,
for the sake of completeness:
Fredrik and I started looking into how we can secure the Ports distribution.
Regards,
Thomas
-------- Original Message --------
From: Fredrik Rinnestam <fredrik@rinnestam.se>
Date: 23.03.2016 10:31 (GMT+01:00)
To: crux@lists.crux.nu
Subject: Re: repos providing only md5 sums
On Wed, Mar 23, 2016 at 10:29:44AM +0100, Erich Eckner wrote:
> On 23.03.2016 09:58, Fredrik Rinnestam wrote:
> > On Wed, Mar 23, 2016 at 07:38:37AM +0100, Erich Eckner wrote:
> >> On 21.03.2016 21:36, Dutch Ingraham wrote:
> >>> On Mon, Mar 21, 2016 at 08:31:00AM +0100, Thomas Penteker wrote:
> >>>> To fill the missing link to providing integrity and confidentiality, we
> >>>> should start cryptographically signing ports on the maintainer's side and
> >>>> check these signatures before building/downloading anything.
> >>
> >> I think, we should definitely allow for signing and verification.
> >> However: what's a useful approach for checking Pkgfiles?
> >> It's not pkgmk's job, because we want to be able to edit the file. So I
> >> think, "ports -u" should check the signature of Pkgfile and pkgmk the
> >> ones of the sources?
> >
> > The current idea is to have git commits signed. This would sign the
> > sha256 checksum and a "trusted" chain is established.
>
> This sounds like a much cleaner solution than signing every individual file.
>
> > we will obviously lose this when syncing ports with rsync since only
> > files are synced. This needs to be solved.
>
> Maybe, the hash and signature can be added to the synced files (of
> course not versioned in git). I don't know the details of the hashing in
> git, but in the end it's a hash of hashes of the files (and file
> permissions, locations, ...) and some extra information like commit
> message and parents?
> So given the extra info, one would be able to calculate the hash "by
> hand" and verify the signature?
>
> I know, it sounds hackish - probably not a good idea :-/
>
> >> On the other hand: I just noticed that '--no-check-certificate' is
> >> passed as an argument to wget. Why isn't it assumed that a proper
> >> certificate is installed? Can this be configured somewhere?
> >
> > Iirc that's not a default setting. It can be changed in /etc/pkgmk.conf:
> > PKGMK_WGET_OPTS=""
>
> I didn't have any PKGMK_WGET_OPTS defined in /etc/pkgmk.conf (nor in the
> Pkgfile), also setting PKGMK_WGET_OPTS="" explicitly didn't change
> anything :-/
>
> cheers, Erich
Yeah I just noticed it's hard-coded in pkgmk. You could switch to curl
instead - don't think it's hardcoded there.
I'll open up a bug report for the wget issue
--
Fredrik Rinnestam
_______________________________________________
CRUX mailing list
CRUX@lists.crux.nu
https://lists.crux.nu/mailman/listinfo/crux