On Thu, 10 May 2012 03:08:21 +0200 "Jason A. Donenfeld" <[email protected]> wrote:
> Exherbo is such a delightfully clean distro, I love having it on my
> server, because I can see how all the moving parts work. It's nearly
> everything I've always wanted fixed from Gentoo. One thing, however,
> that I really do miss from Gentoo is the security provided by package
> signing.

Just FYI, package signing as provided by Gentoo doesn't give any security benefits.

> - Gentoo's manifest files: This is pretty decent in a lot of ways, but
> lots of developers don't like the patch flow with trying to keep these
> up to date and the various headaches of that. I get the sense there's
> a kind of implicit "we're not doing that way, regardless", based on
> everyone's past experiences, so for all intents and purposes, I'm
> assuming we nix this possibility. Correct me if my presumption is
> silly though.

And also they don't provide any security, only error detection.

> We add a global variable like DOWNLOADS to exheres called CHECKSUMS:
>
> CHECKSUMS="foobar-1.2.tar.gz - 
> sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d barhaz-0.8.tar.bz2 -
> sha1:254c83b354a04b5c06bcb18671f2dcb340ce3165 floradora.patch.xz -
> md5:5d41402abc4b2a76b9719d911017c592 "

The problem with this is that there needs to be a clean, sensible way to generate it. Bear in mind that some packages have hundreds of files to download, and that their names are created programmatically.

> We define a stage called src_checksum() that runs the checksums on
> everything from DOWNLOADS and all other non git-tree sources, such as
> those brought about in custom ways from src_fetch or src_nofetch, or
> manually downloaded undistributable tarballs, or likewise. I say "non
> git-tree sources", because the patches in
> sys-apps/foobar/files/fix-for-gcc-1.2.patch are already verified by
> item (a) exheres integrity above.
>
> src_checksum bails if require-checksum-success is set and the checksum
> fails. src_checksum bails if require-checksum-existance is set and the
> CHECKSUMS variable has not yet been defined.

If we were doing it this way, it would be in the package mangler, and not done as a phase function.

> That said, I don't think this proposal or any others will be
> disruptive at all, and will definitely provide a real world essential
> security improvement.

I think you're underestimating the impact on workflow. The only way this works is if it's not a huge pain in the ass for developers to use. That's what's stopped us from doing something in the past.

-- 
Ciaran McCreesh
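The CHECKSUMS layout and src_checksum behaviour quoted in the thread, as an added POSIX sh example that is not exheres or Paludis code: it word-splits a "<file> - <algo>:<hex>" list, checks each download with coreutils sha1sum/md5sum (assumed available), and models the proposed require-checksum-success / require-checksum-existance options as two flag arguments. As the reply notes, a check like this only detects corruption; it adds no authenticity unless the tree holding CHECKSUMS is itself authenticated.

```shell
# Added example, not exheres or Paludis code. Assumes GNU coreutils
# sha1sum/md5sum. vc_* variables are globals (POSIX sh has no 'local').
# verify_checksums DIR CHECKSUMS REQUIRE_SUCCESS REQUIRE_EXISTENCE
# Exit status 0 when every entry verifies (or a mismatch is tolerated),
# 1 on a fatal mismatch, a malformed entry, or a missing CHECKSUMS.
verify_checksums() {
    vc_dir=$1 vc_list=$2 vc_strict=$3 vc_need=$4
    # Word-split the variable into positional parameters (unquoted on purpose).
    set -- $vc_list
    if [ "$#" -eq 0 ]; then
        if [ "$vc_need" -eq 1 ]; then
            echo "CHECKSUMS not defined" >&2
            return 1
        fi
        return 0
    fi
    vc_failed=0
    while [ "$#" -ge 3 ]; do
        vc_file=$1 vc_dash=$2 vc_spec=$3
        shift 3
        if [ "$vc_dash" != "-" ]; then
            echo "malformed CHECKSUMS entry near $vc_file" >&2
            return 1
        fi
        vc_algo=${vc_spec%%:*}
        vc_want=${vc_spec#*:}
        if [ ! -f "$vc_dir/$vc_file" ]; then
            echo "missing download: $vc_file" >&2
            vc_failed=1
            continue
        fi
        case $vc_algo in
            sha1) vc_got=$(sha1sum "$vc_dir/$vc_file" | cut -d' ' -f1) ;;
            md5)  vc_got=$(md5sum "$vc_dir/$vc_file" | cut -d' ' -f1) ;;
            *) echo "unknown algorithm '$vc_algo' for $vc_file" >&2; return 1 ;;
        esac
        if [ "$vc_got" != "$vc_want" ]; then
            echo "checksum mismatch: $vc_file ($vc_algo)" >&2
            vc_failed=1
        fi
    done
    # Leftover words mean the list was not a whole number of triples.
    [ "$#" -eq 0 ] || { echo "malformed CHECKSUMS: dangling '$*'" >&2; return 1; }
    # A mismatch is fatal only when require-checksum-success is set.
    [ "$vc_failed" -eq 0 ] || [ "$vc_strict" -eq 0 ]
}
```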
_______________________________________________
Exherbo-dev mailing list
[email protected]
http://lists.exherbo.org/mailman/listinfo/exherbo-dev
