On Thu, 10 May 2012 14:36:14 +0200 "Jason A. Donenfeld" <[email protected]> wrote:
> >> - Gentoo's manifest files:
> >
> > And also they don't provide any security, only error detection.
>
> They provide limited security.
There's no such thing as "limited security".
> Assuming Gentoo devs manually check their tarballs' integrity before
> running ebuild manifest, it means that if you wanted to trojan a
> Gentoo package, you'd have to own both a distfile mirror and an rsync
> mirror (or cvs master).
No, you'd only have to get an rsync mirror.
> >> We add a global variable like DOWNLOADS to exheres called
> >> CHECKSUMS:
> >
> > The problem with this is that there needs to be a clean, sensible
> > way to generate it. Bear in mind that some packages have hundreds
> > of files to download, and that their names are created
> > programmatically.
>
> Can you name an example of a package that does this? I'd be curious to
> see what the skinny is. But before looking at that, one immediate
> solution that occurs to me is that the CHECKSUMS file name could
> actually be a directory name that's created in distfiles for such
> files, and there would be a single checksum of the {sorted}
> concatenation of all files. Or something similar.
cave print-id-metadata --raw-name DOWNLOADS -b vim::/?
> > I think you're underestimating the impact on workflow. The only way
> > this works is if it's not a huge pain in the ass for developers to
> > use. That's what's stopped us from doing something in the past.
>
> Well the general workflow of verifying a tarball's fingerprint using
> upstream's provided method (maybe the project maintainer releases his
> public key, etc) should be second nature to any developer who doesn't
> _deserve_ to be trojan'd. So the additional step and impact on
> workflow, I suppose, is adding the hash to the exheres, which I
> imagine would look something like:
>
> Single file:
> $ sha1sum openssh-6.0p1.tar.gz
> f691e53ef83417031a2854b8b1b661c9c08e4422
>
> Directory idea above:
> $ cat foobar-files/* | sha1sum
> e7e2a2d0b22bfd51da771f1b1a5095bfadbaa829
>
> And then pasting in the exheres. Doesn't sound so bad to me. What
> hassles do you suppose I'm overlooking?
How does that fit in with the standard workflow?
http://ciaranm.wordpress.com/2010/11/28/exherbo-development-workflow-version-2/
Bear in mind that people might be working on dozens of packages all in
one go.
--
Ciaran McCreesh
Exherbo-dev mailing list: [email protected] http://lists.exherbo.org/mailman/listinfo/exherbo-dev
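Added example, not from the thread or from Exherbo's own tooling: shell functions that contrast the quoted "single checksum of the sorted concatenation" idea with a per-file manifest, showing that moving a byte across a file boundary leaves `cat dir/* | sha1sum` unchanged while a per-file manifest digest changes. The fixture directories and their contents are constructed for the demonstration.

```shell
#!/bin/sh
# Compare "hash the concatenation of all files" with a per-file manifest.
# Constructed fixture: two directories whose concatenated contents are
# byte-identical ("foobar") but whose individual files differ.
set -eu

make_fixtures() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/a" "$tmp/b"
    printf 'foo' > "$tmp/a/1"; printf 'bar'  > "$tmp/a/2"
    printf 'fo'  > "$tmp/b/1"; printf 'obar' > "$tmp/b/2"
    echo "$tmp"
}

# The quoted proposal: one SHA-1 over the sorted concatenation of the files.
# File boundaries and file names are not part of the hashed data.
concat_digest() {
    dir=$1
    find "$dir" -type f | LC_ALL=C sort | xargs cat | sha1sum | cut -d' ' -f1
}

# Manifest alternative: one line per file with its SHA-256, size and name,
# in a deterministic (byte-sorted) order so the output is reproducible.
manifest() {
    dir=$1
    (cd "$dir" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(wc -c < "$f" | tr -d ' ')" "$f"
    done)
}

# A single digest can still be pasted into an exheres: hash the manifest.
manifest_digest() {
    manifest "$1" | sha256sum | cut -d' ' -f1
}

# Verify a directory against a stored manifest; non-zero exit on any change.
verify_manifest() {
    dir=$1; stored=$2
    manifest "$dir" | cmp -s - "$stored"
}
```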
