[pacman-dev] Dan's pacman tree build&test

Gerhard Brauer gerbra at archlinux.de
Fri Dec 5 04:42:56 EST 2008 

On Thu, 4 Dec 2008 21:12:07 -0600
wrote "Dan McGee" <dpmcgee at gmail.com>:

> On Thu, Dec 4, 2008 at 12:44 PM, Gerhard Brauer <gerbra at archlinux.de>
> wrote:
> > Summary:
> > I think most of the signing part (makepkg, repo-add) and the
> > verifying part (pacman) works so far. Awesome!
> > gpg verifying is good integrated in pacman, the "warning: gpg
> > cmdline" line thing i assume is a test/debug thing.
> >
> > Next step could be: verifying the database files during pacman -Sy ?
> >
> There is nothing to verify about the database yet. Eventually we can
> sign these as well if necessary, but right now the only sigs are on
> the packages themselves.

I think signing the database files on gerolde is equal important than
signing the packages. Cause pacman will have not a default setting
like: check **all** packages if they were signed (local or foreign
repos). So the %PGPSIG% field in the database is the only indicator for
pacman: is this a signed package or not. So we must secure the database
files against manipulations like removing, modifying this field.

> This is an area that will need work as it is
> possible to make completely valid databases with valid packages, but
> an attacker could purposely hold back package releases to keep
> vulnerabilities open.

That's also a good point. Some propositions on this were to get the
database files only from ftp.archlinux.org. But these are also only
mirrors and this thought is also not doable cause the different sync
levels of our mirrors.
One short idea: Pierre and myself do still mirror checking on their
sync states. That checks could maybe enhanced to check if the databases
are on a quiet actual level or integrity... Hmmmm
 
> Thanks for your help and feedback.

No thanks needed. For myself i WANT this feature.

Some thoughts about more generally things which may need a little time
to discuss (i don't want answers, this are only things i ask myself):

a) On official repos (core,extra,...) pacman should not be allowed to
install unsigned packages from. But pacman should still honor own local
or foreign repos which may be unsigned.

b) To solve this (and the point: where is the keyring?) maybe we could
check a new entry in pacman.conf for the repos:
[core]
Keyring = /etc/pacman.d/archlinux.gpg
Include = /etc/pacman.d/mirrorlist
So pacman could decide: Have i to check this repo for signed packages
and where the needed public keyring could be found. So also local or
foreign repos could use the signing feature.

c) Should we add an option to makepkg to let the developer/packager
choose which secret key from his keyring should be used for signing?
Maybe he won't use his default key and have a extra archlinux key
generated.

d) Currently we work on the libalpm integration. But what when users
must or will use wget/curl via XferCommand? Sure, we could provide
skeleton example scripts how to integrate gpg in this. But we give this
work more i users hand. Or may our state: pacman and its secure
framework is *only* given if you use the libalpm way?

e) What's with our other devel tools (for ex. makechrootpkg)? Is
signing also integrated in this tools?

This weekend i will put the "signing pacman" on my machine to test it
with my complete own repo, not only on a single package.

> -Dan

Regards
	Gerhard

More information about the pacman-dev mailing list