[pacman-dev] [ Package Signing ] Your signature please

Allan McRae allan at archlinux.org
Fri Feb 18 20:21:47 EST 2011 

On 19/02/11 09:40, IgnorantGuru wrote:
<snip>
> In short, please make the signatures and keys available ASAP.  That's great you're working on your security design and automatic checking, taking your time and being careful, but at least give us some sigs for now so we can help ourselves.

Everything up until this point is not related to pacman development at 
all and should be taken up with whoever provides the repos you use. 
Pacman is not Arch Linux specific...

Note that the current implementation does not preclude having the 
signatures alongside packages in the repos.  It just uses the version 
provided in the repo database.  Also, if you use "pacman -U <url>" 
pacman will try downloading any signature alongside the package, so it 
is more than likely the signatures will end up there.

<snip>

> Also, devs love to make code efficient, but in this area consider not making that your top priority.  There are many PGP/GPG libraries which are ill-maintained compared to the long-lived GPG, and they can introduce security problems.  They also further remove the user from control of security, which makes for bad security.  I suggest having pacman run gpg for its security needs, in a transparent way to the user.  No reliance on other libraries.  This will have a minor cost in efficiency, but it is a good KISS model and in the long run will improve security.  (Many of the PGP APIs were little more than attempts to weaken PGP.)  This also makes your job easier.  Why reinvent the wheel?  The command line does just fine, and gpg gets much more scrutiny in cryptographic circles than the many libraries that allege to duplicate it.  Use the real article.

We are using gpgme which is maintained by gpg developers.  So we are not 
reinventing any wheel.  If that is an ill-maintained and contains 
security issues, then why trust gpg at all?

> When modifying pacman, don't make it overcomplicated.  I think users should have some way to specify a custom keyring to be used, and a way to disable or ignore signature checking.  Beyond that, keep it minimal and simple.  The more complex you make it, the less secure it will be in real world applications.

Have you actually looked at the current implementation at all?  I'm not 
sure how much simpler it could get.  The package is downloaded and its 
signature - either in the repo or detached - is checked using gpg via 
gpgme.  There is a way to disable signature check and select which 
keyring is being used.   And that is about it...

> Obviously Arch devs are new to some of these security models, which I believe is one reason you have shown so much reluctance to tackle it.You don't want to mess it up and be embarrassed.

Umm... no...   the *pacman* devs just feel the have better things to do 
with their lives, including things of higher interest to develop in 
pacman.   Also, (almost) no-one who considers this super-critical to 
implement has done anything about it.  And those that have obviously 
have not (yet?) seen it through to the finish.


In the end, the only way anything will get implemented is if patches are 
provided.  (That includes the suggestion of providing signatures in 
repos on Arch Linux - look at that devtools/db-scripts projects).  Dan 
and I have also mentioned our consulting rates in the past, which may or 
may not increase motivation to finish this...

Finally, *succinct* reports on where the current implementation in 
pacman can be improved are also appreciated.  But that requires actually 
paying attention to what has already been done.

Allan

More information about the pacman-dev mailing list