[+opam-devel to CC]

On 17 Jan 2015, at 15:19, Gabriel Scherer <[email protected]> wrote:
>
> There is an excellent piece at LWN.net (do consider subscribing to
> this source of quality technical news) about a recent discussion in
> the Python community on how to "secure" their package manager
> http://lwn.net/SubscriberLink/629426/bf933f7acea8466c/
>
> The article discusses in particular a library called TUF (The Update
> Framework) that aims to help solve the problem in a
> package-manager-agnostic way.
> http://theupdateframework.com/
> (this page has some other interesting links, e.g. to a similar
> discussion in the Ruby community about RubyGems)
>
> Is there a reference point to a discussion of the security aspects of
> the OPAM package manager? What I found so far is this 2013 issue by
> Edwin Török on signing packages:
> https://github.com/ocaml/opam/issues/423
>
> As far as I know, the current status is that OPAM checks downloaded
> packages against the checksum in opam-repository, so it protects
> against an attacker changing upstream releases, assuming the
> opam-repository remains trusted and there is no man-in-the-middle
> (MITM) attack when the user downloads the metadata -- afaik it uses
> only HTTP currently.
This is certainly something that needs to go on the roadmap sooner rather than later, and issue #423 is still the place to record your opinions. Having a signify-like model to let an OPAM mirroring script sign distfiles would be a good first step, since the complexities of managing a per-contributor signing infrastructure would be quite significantly more work. Note that the OPAM remote is HTTPS by default since OPAM 1.1.

-anil

_______________________________________________
opam-devel mailing list
[email protected]
http://lists.ocaml.org/listinfo/opam-devel
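The two models discussed in this thread, checksums recorded in repository metadata versus a signify-style signature produced by a mirroring script, differ in exactly one scenario: tampering with the metadata itself. The following Go program is an added illustration written for this page; it is not OPAM code and not what either poster proposed in detail. It assumes a constructed manifest format (`<hex-sha256>  <name>` lines), SHA-256 as the checksum, Ed25519 as the signing algorithm (the one signify uses), and a client that has pinned the mirror's public key out of band. It replays both attacks against both models and reports which model rejects which.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a distfile name to the hex SHA-256 checksum that the
// repository metadata records for it (constructed format for this example).
type Manifest map[string]string

// BuildManifest computes the checksums a mirror would publish for its distfiles.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Encode serialises a manifest deterministically (sorted by name) so the
// bytes the mirror signs are exactly the bytes the client later verifies.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for name := range m {
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, name := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[name], name)
	}
	return []byte(b.String())
}

// ParseManifest reads "<hex-sha256>  <name>" lines back into a Manifest.
func ParseManifest(data []byte) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		m[fields[1]] = fields[0]
	}
	return m, nil
}

// VerifyChecksum is the checksum-only model: the distfile must hash to the
// value recorded in a manifest that is simply assumed to be trustworthy.
func VerifyChecksum(m Manifest, name string, data []byte) error {
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("%s: no checksum in manifest", name)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: checksum mismatch", name)
	}
	return nil
}

// SignManifest is the signify-like step: the mirroring script signs the
// encoded manifest with its Ed25519 private key.
func SignManifest(priv ed25519.PrivateKey, encoded []byte) []byte {
	return ed25519.Sign(priv, encoded)
}

// VerifySignedDistfile checks the manifest signature against the pinned
// public key first, and only then trusts the checksums inside it.
func VerifySignedDistfile(pub ed25519.PublicKey, encoded, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, encoded, sig) {
		return errors.New("manifest signature invalid: metadata altered or signed by another key")
	}
	m, err := ParseManifest(encoded)
	if err != nil {
		return err
	}
	return VerifyChecksum(m, name, data)
}

// Outcome records whether each model rejected one tampering scenario.
type Outcome struct {
	ChecksumOnlyRejects bool
	SignedRejects       bool
}

// RunScenarios builds a constructed two-file mirror, signs its manifest, then
// replays (1) a replaced distfile and (2) a manifest rewritten in transit to
// match that replaced distfile, i.e. the MITM-on-metadata case from the thread.
func RunScenarios() (fileTamper, metadataTamper Outcome, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample distfiles standing in for mirrored release tarballs.
	files := map[string][]byte{
		"foo-1.0.tar.gz": []byte("foo release 1.0"),
		"bar-2.3.tar.gz": []byte("bar release 2.3"),
	}
	manifest := BuildManifest(files)
	encoded := manifest.Encode()
	sig := SignManifest(priv, encoded)

	// Scenario 1: distfile replaced, genuine manifest and signature delivered.
	altered := []byte("foo release 1.0 (modified)")
	fileTamper.ChecksumOnlyRejects = VerifyChecksum(manifest, "foo-1.0.tar.gz", altered) != nil
	fileTamper.SignedRejects = VerifySignedDistfile(pub, encoded, sig, "foo-1.0.tar.gz", altered) != nil

	// Scenario 2: manifest served over an unauthenticated channel is rewritten
	// so its checksum matches the altered distfile; the old signature rides along.
	forged := BuildManifest(map[string][]byte{"foo-1.0.tar.gz": altered, "bar-2.3.tar.gz": files["bar-2.3.tar.gz"]})
	forgedEncoded := forged.Encode()
	metadataTamper.ChecksumOnlyRejects = VerifyChecksum(forged, "foo-1.0.tar.gz", altered) != nil
	metadataTamper.SignedRejects = VerifySignedDistfile(pub, forgedEncoded, sig, "foo-1.0.tar.gz", altered) != nil
	return
}

func main() {
	f, m, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("distfile altered:  checksum-only rejects=%v  signed rejects=%v\n", f.ChecksumOnlyRejects, f.SignedRejects)
	fmt.Printf("manifest altered:  checksum-only rejects=%v  signed rejects=%v\n", m.ChecksumOnlyRejects, m.SignedRejects)
}
```

Running it shows the asymmetry the thread is about: both models reject an altered distfile, but only the signed manifest rejects altered metadata, because the attacker who can rewrite the manifest cannot also produce a valid signature without the mirror's private key. Fetching the metadata over HTTPS, as noted above for OPAM 1.1, closes the on-path rewrite but not a compromise of the host serving the metadata; a signature made on a machine the attacker does not control covers both.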
