On Sat, Mar 10, 2018 at 06:39:50PM -0500, Peter Todd wrote:
> On Sat, Mar 10, 2018 at 07:19:11PM +0100, Marek Marczykowski-Górecki wrote:
> > Is there any sensible way of installing the OTS client securely? There is a
> > chain of dependencies which are not packaged for either Debian or
> > Fedora (python-opentimestamps, bitcoinlib, pysha3, ...). And since pip
> > relies only on https (so, on the integrity of its infrastructure), the only
> > alternative is downloading the sources manually, verifying their signatures
> > (after finding and verifying what key should really be used for that
> > particular package), then installing them in /usr/local or such.
> 
> Yup, I agree that the dependencies are still a problem. That said, some of them
> I could avoid, e.g. pysha3 is only needed if you want to verify an
> ethereum-using timestamp, which is a niche case; I could make that optional.
> 
> Even python-bitcoinlib could be made optional I think. There also does exist a
> python-bitcoinlib package for Debian buster (testing), although AFAIK not
> Fedora.

Having those dependencies optional would indeed ease deployment. But
wouldn't that break the common case? AFAIK optional dependencies are not
installed by default. Maybe solvable by an entry in the README file...

> > And even if I did all that (I gave up after two iterations), then I
> > would need to manually track updates for all those packages. Otherwise I risk
> > exposing my development environment to yet another attack vector. Well,
> > by installing the ots client I do that anyway, but by not updating that
> > stuff, I make things easier for the attacker, because he/she could use
> > publicly known, already patched vulnerabilities.
> 
> Definitely an issue. You also have the problem that timestamping inherently
> requires communication with the outside world

Yes, that's why I mentioned this problem. If the package didn't interact
with the outside world or touch untrusted data, I wouldn't care that
much.

> - a Qubes-specific RPC "firewall"
> could be a good idea here, as you suggest below.

I guess for that, otsclient/git_gpg_wrapper.py needs to be split in
half. Any plans for that?

> > I have better use for my time...
> > 
> > I see two solutions for this problem:
> > 1. Package all the dependencies for Fedora (preferred) and/or Debian.
> > 2. Make a split-gpg-like integration so those possibly
> > outdated/backdoored (pip install...) packages would run in a separate VM
> > (maybe even a DispVM).
> > 
> > I'm not sure about the ots client interface, but the second approach may
> > not be that hard to implement.
> 
> When you say "Fedora", what exact version do you need it for? I have clients
> who need RPM packages for this anyway.

Right now - Fedora 26, hopefully very soon - 27.

> Also, what's the best infrastructure to provide for this? Like, on Ubuntu I
> could provide packages via Launchpad, but I don't know if there's an equivalent
> for Fedora.

I think the equivalent for Fedora is copr[1], but I haven't looked into it.

[1] https://copr.fedorainfracloud.org/

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
