[arch-dev-public] Can we trust our mirrors?

Aaron Griffin aaronmgriffin at gmail.com
Mon Dec 1 12:06:02 EST 2008


On Sat, Nov 29, 2008 at 7:48 AM, Pierre Schmitz <pierre at archlinux.de> wrote:
> Hi all,
>
> at first: it is really great that the number of mirrors is increasing and I
> am really thankful to those who provide one.
>
> The point why I feel more and more uncomfortable is that we have no way to
> ensure that one will get the same file from a mirror as from archlinux.org.
> A mirror owner might be a "bad" person himself, his servers might have weak
> security, the government of their home country cannot be trusted, they
> might sync from another "bad" mirror. etc...
>
> Of course package signing has been in demand for several years. I have even
> seen some first code, but nothing was ever finished. It should be clear that
> something has to be done. Manipulating packages is just too easy.
>
> The simplest solution would be if we sign the db files (automatically) on
> gerolde. Of course this is less secure than signing every single package by
> its packager; but on the other side it would be easy to implement and there
> would be no overhead for packagers. I am aware that this method would only
> ensure that packages on a mirror are the same as on gerolde; if our server
> gets "hacked" we would have lost. But this should be fine and is far
> better than just nothing and hoping that there are no "bad guys" out there.
>
> Gerhard has written a small patch as a proof of concept. Ignore the details
> at this point. The idea is as follows:
> 1) patch repo-add in order to create a .sig file every time the db file will
> be changed. For this a private key readable by every dev or just sudo can
> be used
> 2) use this version of repo-add on gerolde. So we'll have the signatures
> propagated to our mirrors.
> 3) For testing the whole thing one could just write a small download script
> which checks the signatures of db files. (Abusing the XferCommand statement
> in pacman.conf)
> 4) If all went well we could think about a built-in check in pacman itself.
> (we might be able to reuse some code here that was written for package
> signing)
> 5) Enable those checks by default for all official repos
> 6) The public key should not be in a package but people have to get it from
> our website.
>
> What do you think about this? Step 1 to 3 could be implemented in a rather
> short time.
>
> Pierre

There's too much talk on this idea. Before we go ahead and do this,
could someone submit this patch to the pacman-dev list, so the pacman
developers can give it a once-over? Just make sure to let them know
that this is a temporary solution.

Additionally - where will gpg get the key from on gerolde? Shouldn't
this be configurable, or even set via an optarg to the -s param?
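The "small download script" from step 3 of the quoted proposal, written out as an added example (not code from this thread, Gerhard's patch, or pacman itself): a POSIX sh wrapper that pacman invokes through XferCommand as `script %u %o` (argument order assumed), downloads the file, and, when the file is a repo db, also fetches the detached `.sig` that step 1 would place beside it on the mirror and checks it with gpg against a dedicated keyring. The keyring path, the `.db.tar.gz` naming and the use of curl are assumptions.

```shell
#!/bin/sh
# Hypothetical XferCommand wrapper for pacman (added example, not pacman code).
# Usage in pacman.conf (argument order assumed): XferCommand = /usr/local/bin/dbxfer %u %o
set -eu

# Keyring holding only the db signing public key, installed out of band from
# the website as the proposal suggests. Path is an assumption for this example.
KEYRING="${ARCH_DB_KEYRING:-/etc/pacman.d/archlinux-db.gpg}"

# Only repo databases carry a signature under this scheme; packages do not.
is_repo_db() {
    case "$1" in
        *.db.tar.gz|*.db) return 0 ;;
        *) return 1 ;;
    esac
}

# The detached signature is assumed to sit next to the db as <db>.sig.
sig_url() {
    printf '%s.sig\n' "$1"
}

# Download helper; curl with -f turns HTTP errors into a non-zero exit.
fetch() {
    curl -fsSL -o "$2" "$1"
}

# Verify <sig> over <file> using only the dedicated keyring, never the user's.
verify_db() {
    gpg --no-default-keyring --keyring "$KEYRING" --batch --verify "$2" "$1"
}

main() {
    url="$1"
    out="$2"
    # Write to a temp name so a failed check never leaves a usable db behind.
    fetch "$url" "$out.part"
    if is_repo_db "$url"; then
        fetch "$(sig_url "$url")" "$out.sig"
        if ! verify_db "$out.part" "$out.sig"; then
            rm -f "$out.part" "$out.sig"
            echo "dbxfer: signature check FAILED for $url, refusing db" >&2
            exit 1
        fi
        rm -f "$out.sig"
    fi
    mv "$out.part" "$out"
}

# Run only when given pacman's two arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

As Pierre notes, this only proves the db matches what gerolde signed; a compromised gerolde still wins. A plain detached signature also says nothing about freshness, so a mirror replaying an old, validly signed db (and its old packages) passes this check; detecting that needs a timestamp or version inside the signed data.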
