Hi Ryan. On Wed, May 30, 2012 at 5:07 PM, Ryan Mullen <rmmullen@gmail.com> wrote:
> In my (humble) opinion, package signing for Crux's ports system should be seriously considered. It's a modern feature and is not too complex to implement.
A *package* and a *ports* system are IMO two different things: the first is a binary blob prepared for the end user by a responsible packager. The latter is nothing but a bash script that you may use as-is to compile the code yourself (and IMO you should examine any Pkgfile before using it). Therefore, in the first case there's someone standing between you and the source code, while in the other it's only the code and you. In both cases the same code is used, but only in the first one is someone other than you responsible for producing the binary. That's why the thing is called *package signing*, because in the other case -- if I understand it correctly -- there's actually nothing to sign. ;) (A different thing is code signing, but that's the upstream's pain, not the port maintainer's.)
> Second, there is more assurance that a Pkgfile, footprint, or md5sum wasn't modified without the port maintainer's knowledge.
Well... .md5sum has very little to do with the maintainer's job: basically it proves that the source tarball you pull to build the package on your system is the same one the port maintainer used to create the Pkgfile. Other files included in the port should be nothing but text files, and the checksum should be enough to prove they are valid. Any other signing here, even if possible, seems a bit superfluous, because with a distro like CRUX you should be able to verify whether the script you run contains malicious code or not.
> The disadvantages include ports tree bloat (less than 1kB per port) and a dependency on crypto software (gnupg probably).
The main disadvantage IMO is that the whole idea of *package* signing doesn't improve the security of the *ports* system, because it wasn't meant to be used there. You can argue whether the entire port can be signed somehow, though this would require a high level of correctness as far as the content of .footprint files is concerned (among other things), and those do not always appear to follow the changes in the package content. Besides, I decided to use CRUX because it allows for even further package customization than other distros, and because I wanted to compile the packages I use so that they fit my machine's specs (avoiding at the same time 'universal' binaries: a binary is a convenient way to go, but not always the best one). The simplicity of the ports system improves security by the way it works: making a package myself, I know who should be blamed if something doesn't work the way I wanted. :) And if the security flaw comes from the upstream, well, that's where package signing can't help a lot really... Anyway, the bottom line: let's verify the scripts we run before we press Enter. For distros like CRUX it should be the default user action. ;)

Best regards,
bohoomil
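To make concrete what the .md5sum check in a port does and does not cover, here is an added example (not code from this thread or from CRUX's own tools): a POSIX shell check of a port's .md5sum against the source files, run on a constructed demo port. It assumes the .md5sum lines have coreutils md5sum's `<hash>  <file>` layout and that md5sum is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from CRUX itself.
# Assumptions: .md5sum lines look like coreutils md5sum output
# ("<hash>  <file>"), and md5sum is on PATH.

# verify_port_sources PORTDIR SRCDIR
# Returns 0 when every file listed in PORTDIR/.md5sum is present in
# SRCDIR with a matching hash, 1 when any is missing or differs.
verify_port_sources() {
    portdir=$1 srcdir=$2 status=0
    [ -f "$portdir/.md5sum" ] || { echo "no .md5sum in $portdir" >&2; return 1; }
    while read -r expected name; do
        [ -n "$name" ] || continue              # skip blank lines
        if [ ! -f "$srcdir/$name" ]; then
            echo "MISSING  $name" >&2; status=1; continue
        fi
        actual=$(md5sum "$srcdir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)" >&2
            status=1
        fi
    done < "$portdir/.md5sum"
    return "$status"
}

# make_demo: build a constructed port (Pkgfile + .md5sum) and a fake
# source tarball in a temp dir; prints the temp dir path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/port" "$d/src"
    printf 'pretend this is foo-1.0.tar.gz\n' > "$d/src/foo-1.0.tar.gz"
    printf 'name=foo\nversion=1.0\nsource=(foo-$version.tar.gz)\n' > "$d/port/Pkgfile"
    (cd "$d/src" && md5sum foo-1.0.tar.gz) > "$d/port/.md5sum"
    echo "$d"
}

# Demo: the sources verify; editing the Pkgfile is invisible to .md5sum,
# which is exactly why the reply says to read the script before running it.
D=$(make_demo)
verify_port_sources "$D/port" "$D/src"
printf '%s\n' 'echo "this line is not covered by .md5sum"' >> "$D/port/Pkgfile"
verify_port_sources "$D/port" "$D/src" && echo "Pkgfile changed, .md5sum still OK"
printf 'tampered\n' >> "$D/src/foo-1.0.tar.gz"
verify_port_sources "$D/port" "$D/src" || echo "tarball changed, .md5sum caught it"
rm -rf "$D"
```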