* Matthew Toseland <t...@amphibian.dyndns.org> [2008-12-13 19:20:21]:
> On Saturday 13 December 2008 18:57, Florent Daignière wrote: > > * Matthew Toseland <t...@amphibian.dyndns.org> [2008-12-13 18:01:03]: > > > > > On Saturday 13 December 2008 17:22, Florent Daignière wrote: > > > > > > In any case we are NOT protected from the compromise of emu nor by > the > > > > > > compromise of the key used to sign the installer. > > > > > > > > > > Exactly. Right now we build both the installers and the jars on emu. > If > > > emu is > > > > > compromised, it can supply bogus installers and bogus jars. If we > > > > > move > the > > > > > building of the installers off emu (which requires having some idea > how to > > > > > build it from cleanroom, it's a rather involved process iirc), emu > > > > > can > > > still > > > > > supply bogus jars, so we are vulnerable to both machines being > > > compromised. > > > > > However, if we don't update the installer very often, our exposure on > that > > > > > side is minimal. But isn't it still safer to generate both on emu? Or > to > > > > > generate and sign both on some other machine, which would have to be > > > reliable > > > > > and secure? (amphibian.dyndns.org is powerful but not reliable). > > > > > > > > Which part of " > > > > > > > > - in case the installer's key is compromised, only *new* nodes are at > risk > > > > - in case the updater's key is compromised, only *automatically updated* > > > > nodes are at risk > > > > - in case emu is compromised, only *manually updated* nodes are at risk > > > > > > AND new nodes. But okay. > > > > No, installers shouldn't ship emu's bytecode either. > > They should bundle locally-built bytecode then? Yes. It's the signer's responsibility to ensure that the produced bytecode he is signing is "good". > And we'd just use emu for update.sh testing? Yes... and catastrophic manual updates, shall the auto-updater be broken. > Or do we need yet another key, this one automated, to > auto-build the jars off emu and then upload them to emu? No; that wouldn't be a good idea imo. > > > > > > " don't you understand? > > > > > > > > In case you store the keys on emu OR make the installer publish emu's > > > binaries, > > > > you do jeopardize the overall security of the system. > > > > > > > > It's all about mitigating risks by using different "domains". > > > > > > In which case: > > > 1. You would have no objection to me building a windows installer, and us > > > hosting it on emu? > > > > If you mean "using emu to distribute it on the mirror network" that's > > fine by me; If you really mean distributing a xxMB file from emu it's > > not. > > Obviously using the mirror network. Fine then :) > > > > > 2. We should move the process of building and signing the installer off > emu to > > > my computer (and yours if you still want to build them). Each person able > to > > > build an installer should have a separate certificate derived from the > master > > > key, listing both their name and the Freenet Project Inc. > > > > Yes. > > > > > Agreed? Implementing the latter in a cleanroom fashion will require that > > > I > > > have some idea how to build the installer, it's a somewhat convoluted > process > > > to get it set up > > > > Checkout, do "ant"; what's convoluted exactly? > > You need izPack and the launcher binaries in various places iirc ... Yes, you need your copy of izPack. Building the online installer is straightforward... building the offline one is a bit trickier as you've to "tell" the installer where the required packs are. [snip.] > > > > I'm not arguing we should invest $ into getting a signed certificate. I > > am sure we have professional developers here who do have a valid, > > trusted certificate. > > Whom we can trust? Such as? I don't think it's a matter of trust here; well, I don't know; I do have one for instance and I'm sure we could find others if we asked. Would anyone reading this mailing list volunteer to build and sign one of our installers?
signature.asc
Description: Digital signature
_______________________________________________ Devl mailing list Devl@freenetproject.org http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl