On 04/03/2014 03:46 AM, Toshio Kuratomi wrote:
I saw that this got voted on in the meeting even though it didn't get
recorded as such for the meeting minutes.  The proposal seemed to be:
use obs-sign to sign packages.  That's not actually a proposal that we
can approve here.  The proposal here should probably be: "is signing
of packages a blocker for making the playground repo, nice to have, or
optional?"

In terms of how to get the packages signed, that's something that the
infrastructure team has to decide.  If I recall past conversations
correctly, adding another signing server (meaning a different code base)
to infrastructure is at the bottom of their list of ways to sign packages
in copr (and by extension in the playground repo).

When I saw the vote in the meeting logs I mentioned it to nirik.  In
turn he told me that he hadn't heard anything about this and had only
glanced briefly at obs-sign (mentioning that it wasn't even packaged
for Fedora yet).  As I related to tjanez on IRC today, I think lack of
packaging probably slows down infra's ability to deploy it but is only
a footnote to the real problems.  Compromising signing servers and
gaining access to the private keys on them is a very high value target
for an attacker.  The more signing servers we have the greater the
attack surface infrastructure has to protect.  Probably in the ideal
scenario infra would run a single signing server and everything
needing signing would be sent to that.  (Jesse Keating had that use in
mind when he designed sigul but I don't know if that design goal
actually became part of the software that we are currently running).
A step down from there might be running multiple instances of the same
signing software to handle the various needs as infra would then have
to protect the keys on these multiple hosts.  At the bottom of the
list is running separate signing software as that places the
additional burden of auditing and protecting the software stack of the
multiple signing servers.

For whoever is going to approach infra about signing the packages in
copr it probably makes more sense to either talk about enhancing sigul
to work with copr or getting obs-sign to be able to sign packages from
koji.  We'd probably also want to ask bressers or someone else from
the security team to do some sort of evaluation of the code bases that
we're looking at.

That would probably be me. I mean, the guy who will be implementing signing of 
packages in Copr.

I investigated several possibilities and talked to several people. But you are correct that I did not send a conclusion to the mailing list yet. Maybe it is the right time to do it now.

One of the guys I talked to is Miloslav Trmač, who is the current maintainer 
and main author of Sigul since 2009.
The conclusion from the discussion with him is that:
* we would need a different instance, because using the same instance for the main distribution and for the relaxed ring (Copr, Playground...) is not the best idea, neither from a security POV nor for the technical implementation. (*)
* we would need to do some development of Sigul before deploying a new instance
* and we would likely have to migrate to gpg2 (from gpg1)
* Sigul has a very restricted network setup, which is probably not needed for 
Copr

On the other hand, obs-sign:
* is actively maintained
* is simpler
* is used in OBS as well (which means community and so on)
* has a security model and network setup good enough for Copr (I arranged a meeting of Adrian Schröter from OBS and Mirek Trmač during DevConf.cz where they discussed technical details and neither of them saw any blocker).

Yes, obs-sign is not packaged for Fedora (yet), but the spec exists and I can get it into Fedora within a week. I do not see that as a problem.

If I sum it up, then obs-sign is the clear winner to me. Therefore this is the way 
I would like to go in Copr.

But it still has not bubbled up in my TODO list. So we have plenty of time for 
discussion :)


(*) You suggested that having one signing server is better as "The more signing 
servers we have the greater the attack surface infrastructure has to protect." I disagree.
First: it is not technically possible, because Koji and the current Sigul are in different networks and I'm not sure if we want to change it. Likely not. Second: if you compromise the Copr signing server then you have compromised the main distribution. Therefore even from a security POV it is better to have a different signing server for the main distribution and for Copr.

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
