[arch-dev-public] Can we trust our mirrors?

Pierre Schmitz pierre at archlinux.de
Sat Nov 29 08:48:59 EST 2008


Hi all,

First of all: it is really great that the number of mirrors is increasing and I
am really thankful to those who provide one.

The point why I feel more and more uncomfortable is that we have no way to
ensure that one will get the same file from a mirror as from archlinux.org.
A mirror owner might be a "bad" person himself, his servers might have weak
security, the government of their home country cannot be trusted, they
might sync from another "bad" mirror, etc.

Of course, people have been demanding package signing for several years. I have
even seen some first code, but nothing was ever finished. It should be clear that
something has to be done. Manipulating packages is just too easy.

The simplest solution would be if we sign the db files (automatically) on
gerolde. Of course this is less secure than signing every single package by
its packager; but on the other side it would be easy to implement and there
would be no overhead for packagers. I am aware that this method would only
ensure that packages on a mirror are the same as on gerolde; if our server
gets "hacked" we would have lost. But this should be fine and is far
better than just nothing and hoping that there are no "bad guys" out there.

Gerhard has written a small patch as a proof of concept. Ignore the details
at this point. The idea is as follows:
1) patch repo-add in order to create a .sig file every time the db file is
changed. For this a private key readable by every dev or just sudo can
be used
2) use this version of repo-add on gerolde. So we'll have the signatures
propagated to our mirrors.
3) For testing the whole thing one could just write a small download script
which checks the signatures of db files. (Abusing the XferCommand statement
in pacman.conf)
4) If all went well we could think about a built-in check in pacman itself.
(we might be able to reuse some code here that was written for package
signing)
5) Enable those checks by default for all official repos
6) The public key should not be in a package but people have to get it from
our website.

What do you think about this? Step 1 to 3 could be implemented in a rather
short time.

Pierre


-- 
Pierre Schmitz


Clemens-August-Straße 76
53115 Bonn

Telephone	0228 9716608
Mobile		0160 95269831
Jabber		pierre at jabber.archlinux.de
WWW		http://www.archlinux.de
Attachment: pacman-sig.tar.gz (application/gzip, 1589 bytes)
<http://archlinux.org/pipermail/arch-dev-public/attachments/20081129/32e86c74/attachment.bin>
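As an added illustration of step 3 of the proposal (not code from the post or from Gerhard's attached patch), a small POSIX sh script that can be hooked in as pacman's XferCommand: it fetches the requested file and, when that file is a repository db, also fetches the detached .sig that a patched repo-add would publish and refuses to hand pacman a db whose signature does not verify. The keyring path, the `<db>.sig` naming and the curl/gpg invocations are assumptions.

```shell
#!/bin/sh
# verify-fetch: XferCommand wrapper for pacman (assumed pacman.conf line):
#   XferCommand = /usr/local/bin/verify-fetch %u %o
# Assumes the db signing public key was imported into $ARCH_KEYRING by hand
# (the post wants the key fetched from the website, not shipped in a package).
ARCH_KEYRING="${ARCH_KEYRING:-/etc/pacman.d/archlinux-mirror.gpg}"

# is_db_url URL -> 0 when URL names a repo database, i.e. what repo-add signs.
# ".db.tar.gz" is the 2008 name; bare ".db" is included as an assumption.
is_db_url() {
    case "$1" in
        *.db.tar.gz|*.db) return 0 ;;
        *) return 1 ;;
    esac
}

# sig_url URL -> prints the URL of the detached signature published next to it
sig_url() {
    printf '%s.sig\n' "$1"
}

# fetch URL OUT -> download with curl, failing on HTTP errors instead of
# saving an error page as if it were the file
fetch() {
    curl -fsSL -o "$2" "$1"
}

# verify_db DBFILE SIGFILE -> 0 only if SIGFILE is a valid detached signature
# over DBFILE by a key in our keyring (trust model: the keyring is the policy)
verify_db() {
    gpg --no-default-keyring --keyring "$ARCH_KEYRING" --trust-model always \
        --verify "$2" "$1" >/dev/null 2>&1
}

main() {
    url=$1; out=$2
    fetch "$url" "$out" || exit 1
    if is_db_url "$url"; then
        fetch "$(sig_url "$url")" "$out.sig" || { rm -f "$out"; exit 1; }
        if ! verify_db "$out" "$out.sig"; then
            rm -f "$out" "$out.sig"   # never leave an unverified db for pacman
            echo "verify-fetch: bad signature on $url" >&2
            exit 1
        fi
    fi
}

# Only act when invoked by pacman with %u and %o; sourcing the file is a no-op.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Packages are passed through unchanged, so this only implements the db-level guarantee the post describes: a mirror serving a db that differs from gerolde's is rejected before pacman ever parses it.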