On 19/02/11 12:00, IgnorantGuru wrote:
On Sat, 19 Feb 2011 11:21:47 +1000
Allan McRae<[email protected]> wrote:
We are using gpgme which is maintained by gpg developers. So we are
not reinventing any wheel. If that is an ill-maintained and contains
security issues, then why trust gpg at all?
I'm not up on the latest in gpg, what is being developed, or how well it has
been cryptographically tested, and it sounds like you're not either to some
extent. I was offering general suggestions - try to see the bigger picture and
the details won't be so much work. I still think using command line gpg gives
users better control over their own security solutions and provides better
security. But you're obviously too deeply invested in the libraries now to
even consider anything else (which is one reason why I advise against them).
So be it.
We are not too deeply invested in anything. No release has been made...
I was just pointed out that you appear to have no idea what the
library we are using is and what it actually does. It makes absolutely
no sense to have pacman manually fork a process to run gpg to verify a
package/database and then manually parse the output when the upstream
gpg developers provide a library to do just that.
Have you actually looked at the current implementation at all?
I read some discussions of it, but I have not looked at it. Frankly it
interests me far less than having signatures available at this point. I trust
that you can implement checking. I think you're putting the cart before the
horse, which is why package signing is getting nowhere (no real usable
results). But if you have kept it as simple as you describe, good work.
In the end, the only way anything will get implemented is if patches
are provided. (That includes the suggestion of providing signatures
in repos on Arch Linux - look at that devtools/db-scripts projects).
Dan and I have also mentioned our consulting rates in the past, which
may or may not increase motivation to finish this...
Surely you have some mechanism in makepkg or elsewhere for generating the
signatures used in your test repo for your pacman sig checking features. Why
not push this through to the packaging or database tools now while you're still
working on pacman? Or have you completely ignored the need to generate
signatures (I know you haven't from what I've read, so that's rhetorical).
It seems you or others are stalling on providing signatures because you want
exclusive control of checking those signatures. It's trivial to implement
providing them and surely you know that - man gpg for help. Like everything
done by committee, I think you're making things more complicated than they need
to be. It's okay, I didn't have high hopes for this communication. This issue
is obviously too mired in politics and ego for anything to budge (not you
personally).
Design by committee implies there is an actually committee making
decisions around here, which is far from the truth...
The reason the makepkg changes have not been pushed yet is because they
are not finished. As someone who has run the gpg branch version of
makepkg for a while, I found it really annoying to not be able to
disable/enable signing from the command line. I see Denis just sent a
patch for that so it may be possible to push the makepkg changes in the
future. But that is very unlikely to happen before the next release
which is scheduled to occur quite soon.
Offtopic: Not that this actually matters as far as Arch Linux is
concerned. The support needs added to devtools/db-scripts. The package
upload script could have a temporary line in it to do the package
signing while waiting on makepkg to do that automatically.
Finally, *succinct* reports on where the current implementation in
pacman can be improved are also appreciated. But that requires
actually paying attention to what has already been done.
Agreed. FWIW, I think your pacman changes will see reality (as in popular use)
much more quickly if signatures show up on mirrors sooner rather than later.
Once the sigs are there, the appetite for your pacman work will be there, and
the dev politics of Arch will sway.
Simply put, there can be no logical or technical reason for not providing
signatures for packages. At the minimum, they can only vastly improve the
situation, which currently is a complete abdication of any form of responsible
package security, and they are trivial to add. The only reason for not
providing them is a human one - IOW irrational. I'm no diplomat - I just make
things work. I'll leave you to your politics.
I'll repeat, talk to the providers of the repos about getting signatures
provided. This list is for pacman-development only and thus any
distribution specific conversation is off-topic.. But to be the guy who
"makes things work", patches will be required.
Allan
