Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2017-08-08 Thread Russ Allbery
Didier 'OdyX' Raboud  writes:

>> diff --git a/policy.xml b/policy.xml
>> index 6086901..c14d9b4 100644
>> --- a/policy.xml
>> +++ b/policy.xml
>> @@ -2556,11 +2556,28 @@ endif
>> 
>>
>>  This is an optional, recommended configuration file for the
>> -uscan utility which defines how to
>> +uscan utility which defines how to
>>  automatically scan ftp or http sites for newly available updates
>>  of the package.  This is used Debian QA tools to help with quality

> While we're at patching this, this sentence should read:
>> This is used _by_ Debian QA tools …
> or
>> This is used _by some_ Debian QA tools…

> Other than that, seconded!

Thanks!  I made that fix and also the OpenPGP fix, and am now merging this
for the next release.

-- 
Russ Allbery (r...@debian.org)   



Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2017-08-07 Thread Didier 'OdyX' Raboud
On Monday, 7 August 2017, 09.40:22 h EDT Russ Allbery wrote:
> Daniel Kahn Gillmor  writes:
> > debian-policy should encourage verification of upstream cryptographic
> > signatures.

Yes.

> diff --git a/policy.xml b/policy.xml
> index 6086901..c14d9b4 100644
> --- a/policy.xml
> +++ b/policy.xml
> @@ -2556,11 +2556,28 @@ endif
> 
>
>  This is an optional, recommended configuration file for the
> -uscan utility which defines how to
> +uscan utility which defines how to
>  automatically scan ftp or http sites for newly available updates
>  of the package.  This is used Debian QA tools to help with quality

While we're at patching this, this sentence should read:
> This is used _by_ Debian QA tools …
or
> This is used _by some_ Debian QA tools…

Other than that, seconded!

Cheers,
OdyX



Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2017-08-07 Thread Jonathan Nieder
Hi,

Russ Allbery wrote:

> How does this look to everyone?

Seconded, with or without the tweaks dkg suggested in
https://bugs.debian.org/732445#68

Thanks,
Jonathan

> --- a/policy.xml
> +++ b/policy.xml
> @@ -2556,11 +2556,28 @@ endif
>  
>
>  This is an optional, recommended configuration file for the
> -uscan utility which defines how to
> +uscan utility which defines how to
>  automatically scan ftp or http sites for newly available updates
>  of the package.  This is used Debian QA tools to help with quality
>  control and maintenance of the distribution as a whole.
>
> +  
> +If the upstream maintainer of the software provides PGP signatures
> +for new releases, including the information required for
> +uscan to verify signatures for new upstream
> +releases is also recommended.  To do this, use the
> +pgpsigurlmangle option in
> +debian/watch to specify the location of the
> +upstream signature, and include the key or keys used to sign
> +upstream releases in the Debian source package as
> +debian/upstream/signing-key.asc.
> +  
> +  
> +For more information about uscan and these
> +options, including how to generate the file containing upstream
> +signing keys, see
> +
> uscan1.
> +  
>  
>  
>  
> 



Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2017-08-07 Thread Daniel Kahn Gillmor
On Mon 2017-08-07 09:40:22 -0700, Russ Allbery wrote:
> In an ideal world, we would have a documented set of metadata for finding
> upstream releases, of which uscan is just one implementation, and document
> that in Policy.

In an ideal world, uscan would be able to verify signed git tags and
include the diff between the orig.tar.gz and a shallow clone of the git
repo as a patch to allow verification without history ;)

> This patch doesn't attempt to do that; it tries to find a compromise
> between the current Policy language ("include a watch file for uscan")
> and specifying the location of the upstream signing keys, while
> deferring all of the details to the uscan documentation.

i think this is a sensible approach.  thanks for working on it, Russ.

> +If the upstream maintainer of the software provides PGP signatures

This should probably be s/PGP/OpenPGP/

all the rest looks good to me.  I'm also happy to second it, if needed.

--dkg




Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2017-08-07 Thread Russ Allbery
Holger Levsen  writes:
> On Mon, Aug 07, 2017 at 09:40:22AM -0700, Russ Allbery wrote:

>> In an ideal world, we would have a documented set of metadata for
>> finding upstream releases, of which uscan is just one implementation,
>> and document that in Policy.  This patch doesn't attempt to do that; it
>> tries to find a compromise between the current Policy language
>> ("include a watch file for uscan") and specifying the location of the
>> upstream signing keys, while deferring all of the details to the uscan
>> documentation.

>> I decided to keep this all in the uscan section rather than adding a
>> new section for the upstream signing key location, since right now this
>> is all closely linked to uscan functionality (and to avoid renumbering
>> sections or having a section weirdly separated from the uscan
>> description).

>> How does this look to everyone?

> looks good to me and the reasoning as well. happy to second if you think
> it's ready.

Yup, I think it's ready, as long as dkg is happy with this!

-- 
Russ Allbery (r...@debian.org)   



Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2017-08-07 Thread Holger Levsen
On Mon, Aug 07, 2017 at 09:40:22AM -0700, Russ Allbery wrote:
> In an ideal world, we would have a documented set of metadata for finding
> upstream releases, of which uscan is just one implementation, and document
> that in Policy.  This patch doesn't attempt to do that; it tries to find a
> compromise between the current Policy language ("include a watch file for
> uscan") and specifying the location of the upstream signing keys, while
> deferring all of the details to the uscan documentation.
> 
> I decided to keep this all in the uscan section rather than adding a new
> section for the upstream signing key location, since right now this is all
> closely linked to uscan functionality (and to avoid renumbering sections
> or having a section weirdly separated from the uscan description).
> 
> How does this look to everyone?
 
looks good to me and the reasoning as well. happy to second if you think it's
ready.

thanks!


-- 
cheers,
Holger




Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2017-08-07 Thread Russ Allbery
Control: tag -1 patch

Daniel Kahn Gillmor  writes:

> debian-policy should encourage verification of upstream cryptographic
> signatures.

> Since devscripts 2.13.3 (see #610712), uscan has supported the ability
> to automatically verify upstream's cryptographic signatures if the
> signing key and URL to the signature is well-known.
>  
> debian-policy should recommend that package maintainers regularly
> verify these signatures for new versions, and mention the files used.

Hi everyone,

Here's a proposed new patch for this.

In an ideal world, we would have a documented set of metadata for finding
upstream releases, of which uscan is just one implementation, and document
that in Policy.  This patch doesn't attempt to do that; it tries to find a
compromise between the current Policy language ("include a watch file for
uscan") and specifying the location of the upstream signing keys, while
deferring all of the details to the uscan documentation.

I decided to keep this all in the uscan section rather than adding a new
section for the upstream signing key location, since right now this is all
closely linked to uscan functionality (and to avoid renumbering sections
or having a section weirdly separated from the uscan description).

How does this look to everyone?

diff --git a/policy.xml b/policy.xml
index 6086901..c14d9b4 100644
--- a/policy.xml
+++ b/policy.xml
@@ -2556,11 +2556,28 @@ endif
 
   
 This is an optional, recommended configuration file for the
-uscan utility which defines how to
+uscan utility which defines how to
 automatically scan ftp or http sites for newly available updates
 of the package.  This is used Debian QA tools to help with quality
 control and maintenance of the distribution as a whole.
   
+  
+If the upstream maintainer of the software provides PGP signatures
+for new releases, including the information required for
+uscan to verify signatures for new upstream
+releases is also recommended.  To do this, use the
+pgpsigurlmangle option in
+debian/watch to specify the location of the
+upstream signature, and include the key or keys used to sign
+upstream releases in the Debian source package as
+debian/upstream/signing-key.asc.
+  
+  
+For more information about uscan and these
+options, including how to generate the file containing upstream
+signing keys, see
+
uscan1.
+  
 
 
 

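Review bot: two wording points in this hunk. The unchanged context line `This is used Debian QA tools to help with quality` is missing the word "by"; since the hunk already rewrites this paragraph, fix it in the same change as `This is used by Debian QA tools`. In the added paragraph, `provides PGP signatures` should read `provides OpenPGP signatures`, which is the term used elsewhere in this bug (dkg's reply and the original patch's "binary OpenPGP (RFC 4880) keyring") and is the format the `pgpsigurlmangle` / `debian/upstream/signing-key.asc` mechanism actually verifies.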
-- 
Russ Allbery (r...@debian.org)   
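
The watch-file mechanism the patch above relies on, as an added example that is not part of this bug thread, uscan or Policy: a small Python model of how uscan turns a tarball URL that matched the `debian/watch` line into the signature URL by applying the `pgpsigurlmangle` rule. The watch file content and the example.org URL are constructed for the example; the opts parser and the s/// applier are this example's own simplified versions of uscan's Perl behaviour (backreferences only, no other Perl replacement escapes), not uscan's code.

```python
# Added example: a minimal model of how uscan locates an upstream signature
# from a debian/watch line carrying the pgpsigurlmangle option. Not uscan's code.
import re

# Constructed debian/watch (version 3 syntax); example.org stands in for the
# real upstream download site.
WATCH_FILE = r"""version=3
opts="pgpsigurlmangle=s/$/.asc/" \
https://example.org/releases/foo-(\d+\.\d+)\.tar\.gz
"""


def parse_watch(text):
    """Return (opts dict, URL pattern) from a version-3 watch file with one
    watch line. Backslash continuation lines are joined first, as uscan does.
    Assumes the quoted opts value contains no whitespace."""
    logical, partial = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            partial += line[:-1] + " "
            continue
        logical.append(partial + line)
        partial = ""
    if len(logical) < 2 or not logical[0].startswith("version="):
        raise ValueError("expected a version= line followed by a watch line")
    fields = logical[1].split()
    if fields[0].startswith("opts="):
        return parse_opts(fields[0][5:].strip('"')), fields[1]
    return {}, fields[0]


def parse_opts(opts):
    """Parse uscan's comma-separated opts. A value that is an s/// rule is
    consumed through its closing delimiter and flags, so commas inside a rule
    do not split it; a bare word such as 'repack' becomes a True flag."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        if opts[i] == ",":
            i += 1
            continue
        eq, comma = opts.find("=", i), opts.find(",", i)
        if eq == -1 or (comma != -1 and comma < eq):
            end = n if comma == -1 else comma
            result[opts[i:end].strip()] = True
            i = end
            continue
        key, j = opts[i:eq].strip(), eq + 1
        if j + 1 < n and opts[j] == "s" and not opts[j + 1].isalnum():
            delim, k, seen = opts[j + 1], j + 2, 0
            while k < n and seen < 2:
                if opts[k] == "\\":
                    k += 2
                    continue
                seen += opts[k] == delim
                k += 1
            while k < n and opts[k].isalpha():  # trailing flags such as g or i
                k += 1
        else:
            k = n if opts.find(",", j) == -1 else opts.find(",", j)
        result[key] = opts[j:k]
        i = k
    return result


def apply_mangle(rule, text):
    """Apply a sed/Perl style s<delim>pattern<delim>replacement<delim>[flags]
    rule to text. Escaped delimiters are unescaped; $1 / \\1 backreferences
    are mapped to Python's \\1; the only flags honoured are g and i."""
    if len(rule) < 2 or rule[0] != "s":
        raise ValueError(f"not an s/// rule: {rule!r}")
    delim, parts, buf, i = rule[1], [], [], 2
    while i < len(rule) and len(parts) < 2:
        c = rule[i]
        if c == "\\" and i + 1 < len(rule):
            buf.append(rule[i + 1] if rule[i + 1] == delim else c + rule[i + 1])
            i += 2
            continue
        if c == delim:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(parts) != 2:
        raise ValueError(f"unterminated rule: {rule!r}")
    pattern, replacement, flags = parts[0], parts[1], rule[i:]
    replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
    return re.sub(pattern, replacement, text,
                  count=0 if "g" in flags else 1,
                  flags=re.IGNORECASE if "i" in flags else 0)


def signature_url(watch_text, tarball_url):
    """The URL uscan would fetch the detached signature from for a tarball
    URL that matched the watch line, or an error if no rule is configured."""
    opts, url_pattern = parse_watch(watch_text)
    if not re.fullmatch(url_pattern, tarball_url):
        raise ValueError("tarball URL does not match the watch line pattern")
    rule = opts.get("pgpsigurlmangle")
    if rule is None:
        raise ValueError("no pgpsigurlmangle in debian/watch: uscan cannot locate a signature")
    return apply_mangle(rule, tarball_url)


if __name__ == "__main__":
    print(signature_url(WATCH_FILE, "https://example.org/releases/foo-1.2.tar.gz"))
```

Replace `WATCH_FILE` with the contents of a real `debian/watch` to see which URL a given tarball's signature would be fetched from; that is the file uscan then checks against the keys shipped in `debian/upstream/signing-key.asc`.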



Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2014-07-30 Thread Lucas Nussbaum
tags 742552 - patch
thanks

Hi,

On 24/03/14 at 19:08 -0400, Daniel Kahn Gillmor wrote:
> > Maybe at this stage, the recommendation would be better placed in
> > developers-reference.
> 
> thanks, that's a good idea.
> 
> i've cloned the bug to suggest its inclusion in developers-reference,
> where the specific and concrete language is probably more appropriate.

Indeed, that's a good idea.
Could someone update the patch to integrate it into developers-reference?

I'm removing the patch tag in the meantime, as the patch currently is
against debian-policy.

Thanks,

Lucas


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2014-03-24 Thread Guillem Jover
Hi!

On Mon, 2014-03-24 at 16:51:53 -0700, Russ Allbery wrote:
> I use:
> 
> gpg --export --armor --export-options export-minimal  \
> > debian/upstream/signing-key.asc
> 
> to generate this file for my packages.

I've been using pgp-clean (signing-party), which seems to generate
even smaller files.

Thanks,
Guillem





Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2014-03-24 Thread Russ Allbery
Daniel Kahn Gillmor  writes:

> I'd be happy to see us settle on one single location, and if folks think
> that the .asc version is the better option, updating lintian to nag
> about the other ones until they go away seems doable before we freeze
> for jessie.  I'll even file patches or do NMUs for packages that need
> them if a lintian tag appears.

That would be my preference, if for no other reason than options are
expensive to maintain and picking one good way to do something is usually
better.  However, I don't have strong feelings on the matter.

> Thinking further, I wonder if we should also encourage packagers to
> store the detached signature itself in the packaging directly (e.g.
> maybe in debian/upstream/signature.asc), so that the upstream tarball
> can be re-verified against the signing key even if the upstream archive
> goes offline; maybe that's a separate issue.

I think the level of benefit from this is low, since the source package is
already signed by the Debian uploader and includes a signature on the
tarball, but if the tools updated that file automatically (I'm thinking of
gbp import-orig and the like), I certainly wouldn't object to including
it.  I probably wouldn't bother to download it and copy it into place
myself, though.

> That said, if a debian packager wants to include extra OpenPGP
> certifications of moderate length, i don't think we should forbid them
> from doing so (i can imagine a packager wanting to include their own
> certification if they have made one, for example).

Yes, agreed.

>> I use:
>> 
>> gpg --export --armor --export-options export-minimal  \
>> > debian/upstream/signing-key.asc

> i think that's good advice, though i don't know whether it belongs in
> debian-policy or developers-reference.

developers-reference, probably.

-- 
Russ Allbery (r...@debian.org)   





Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2014-03-24 Thread Daniel Kahn Gillmor
On 03/24/2014 07:51 PM, Russ Allbery wrote:
> I'm curious -- why do we have two different supported paths?  At least in
> my experience the ASCII-armored key is much easier to deal with, since you
> don't have to configure dpkg to allow binary files in the debian
> directory.  I'm not sure that I see any drawback to just saying to always
> use the *.asc form.

we actually have three supported paths at the moment:

 debian/upstream-signing-key.pgp
 debian/upstream/signing-key.pgp
 debian/upstream/signing-key.asc

the first was my first implementation of this mechanism.  the binary
form is easiest to use directly with gpgv, which was the only additional
dependency.

Later, James McCoy moved the file to debian/upstream/ (which i didn't
know existed when i made the original implementation) and added code to
support the *.asc version.  the *.asc version can only be checked if
gnupg is available, apparently (though it should be easy enough to just
use perl's MIME::Base64 to convert if we wanted to drop the gnupg
dependency and just leave it depending on gpgv)

I'd be happy to see us settle on one single location, and if folks think
that the .asc version is the better option, updating lintian to nag
about the other ones until they go away seems doable before we freeze
for jessie.  I'll even file patches or do NMUs for packages that need
them if a lintian tag appears.

Thinking further, I wonder if we should also encourage packagers to
store the detached signature itself in the packaging directly (e.g.
maybe in debian/upstream/signature.asc), so that the upstream tarball
can be re-verified against the signing key even if the upstream archive
goes offline; maybe that's a separate issue.

> Another comment based on my personal experience with this is that, if the
> packager is generating this key by exporting a key from a keyring (for
> example, for the packages for which I'm also upstream, I'm exporting my
> own key), they should do so with --export-options export-minimal.  It
> makes the file *much* smaller, and I don't think there's any need to
> include all of the key signatures.  The mere presence of this key in the
> (signed) Debian source package already indicates the trust relationship
> that's relevant for this purpose, and the end user can always retrieve
> additional key signatures from a public keyserver if they really want
> them.

Yes, i do the same thing, and I agree with your security analysis of the
reasons for having (or not having) any OpenPGP certifications on the
upstream signing key(s) beyond the self-sigs.

That said, if a debian packager wants to include extra OpenPGP
certifications of moderate length, i don't think we should forbid them
from doing so (i can imagine a packager wanting to include their own
certification if they have made one, for example).

> I use:
> 
> gpg --export --armor --export-options export-minimal  \
> > debian/upstream/signing-key.asc

i think that's good advice, though i don't know whether it belongs in
debian-policy or developers-reference.

--dkg





Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2014-03-24 Thread Russ Allbery
Daniel Kahn Gillmor  writes:

> You're quite right about my original bug report having been premature
> and over-specific for debian-policy; sorry about that.  The current
> preferred location is now debian/upstream/signing-key.pgp (binary form)
> or debian/upstream/signing-key.asc (ascii-armored).  And i agree with
> you that the specifics of how it's done might not need to be in policy.

The file location probably should be, though, since that's the public
interface for this functionality.

I'm curious -- why do we have two different supported paths?  At least in
my experience the ASCII-armored key is much easier to deal with, since you
don't have to configure dpkg to allow binary files in the debian
directory.  I'm not sure that I see any drawback to just saying to always
use the *.asc form.

Another comment based on my personal experience with this is that, if the
packager is generating this key by exporting a key from a keyring (for
example, for the packages for which I'm also upstream, I'm exporting my
own key), they should do so with --export-options export-minimal.  It
makes the file *much* smaller, and I don't think there's any need to
include all of the key signatures.  The mere presence of this key in the
(signed) Debian source package already indicates the trust relationship
that's relevant for this purpose, and the end user can always retrieve
additional key signatures from a public keyserver if they really want
them.

I use:

gpg --export --armor --export-options export-minimal  \
> debian/upstream/signing-key.asc

to generate this file for my packages.

-- 
Russ Allbery (r...@debian.org)   
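
Both the `.asc` to binary conversion dkg describes (gpgv reads only the binary keyring form) and Russ's point about how much an `--export-options export-minimal` file leaves out can be checked with a few lines of Python. This is an added example, not code from uscan, GnuPG or this thread: it dearmors a key block with the RFC 4880 CRC-24 check and lists the OpenPGP packets inside, so a maintainer can inspect `debian/upstream/signing-key.asc` before committing it. The sample keyring is constructed filler bytes inside real packet framing, not a usable key, and `Example Upstream <upstream@example.org>` is a placeholder.

```python
# Added example: decode an ASCII-armored signing-key.asc (RFC 4880 radix-64
# with CRC-24) into binary keyring form and list its packets. Not code from
# uscan, GnuPG or this bug thread.
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
PACKET_NAMES = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}


def crc24(data: bytes) -> int:
    """CRC-24 as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Radix-64 encode with the '=XXXX' CRC-24 trailer (RFC 4880 section 6.2)."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", ""] + body + [crc, f"-----END {kind}-----", ""])


def dearmor(text: str) -> bytes:
    """Binary keyring from armored text, rejected if the CRC-24 does not match.
    This is the .asc -> .pgp conversion that lets gpgv consume the armored file."""
    lines = iter(text.splitlines())
    if not any(line.startswith("-----BEGIN ") for line in lines):
        raise ValueError("no armor header found")
    for line in lines:            # skip 'Version:'/'Comment:' headers up to the blank line
        if line.strip() == "":
            break
    data_lines, crc_line = [], None
    for line in lines:
        if line.startswith("-----END "):
            break
        if line.startswith("="):  # the checksum line
            crc_line = line[1:].strip()
        else:
            data_lines.append(line.strip())
    data = base64.b64decode("".join(data_lines), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC-24 mismatch: block is corrupt or was edited")
    return data


def list_packets(data: bytes) -> list:
    """Walk packet headers (RFC 4880 section 4.2) and return (tag, name, body
    length) per packet without parsing bodies; partial and indeterminate
    lengths, which do not occur in exported keys, are rejected."""
    packets, pos = [], 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"offset {pos}: not a packet header")
        if first & 0x40:                       # new-format header
            tag, b1 = first & 0x3F, data[pos + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[pos + 2] + 192, 3
            elif b1 == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError(f"offset {pos}: partial body length not handled")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError(f"offset {pos}: indeterminate length not handled")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        if pos + hdr + length > len(data):
            raise ValueError(f"offset {pos}: packet runs past end of data")
        packets.append((tag, PACKET_NAMES.get(tag, f"tag {tag}"), length))
        pos += hdr + length
    return packets


def summarize(packets: list) -> dict:
    """Packet counts by type. An export-minimal keyring carries roughly one
    self-signature per user ID plus one binding signature per subkey; extra
    signature packets are the third-party certifications that bloat the file."""
    counts = {}
    for _, name, _ in packets:
        counts[name] = counts.get(name, 0) + 1
    return counts


def _packet(tag: int, body: bytes) -> bytes:
    """New-format packet header (1- or 2-octet length) for the constructed sample."""
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body


# Constructed sample: real packet framing, filler bodies; NOT a usable key.
SAMPLE_KEYRING = b"".join([
    _packet(6, b"\x04" + b"\x00" * 269),       # public key, 270-byte body (2-octet length)
    _packet(13, b"Example Upstream <upstream@example.org>"),
    _packet(2, b"\x04\x13" + b"\x00" * 70),    # self-signature on the user ID
    _packet(2, b"\x04\x10" + b"\x00" * 70),    # a third-party certification
    _packet(14, b"\x04" + b"\x00" * 269),      # public subkey
    _packet(2, b"\x04\x18" + b"\x00" * 70),    # subkey binding signature
])
```

Reading a real `debian/upstream/signing-key.asc`, passing it through `dearmor` and then `summarize(list_packets(...))` shows how many signature packets the export carries; with the sample above the count is three, one of which is the third-party certification that an export-minimal run would have dropped.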





Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2014-03-24 Thread Daniel Kahn Gillmor
Control: clone 732445 -2
Control: reassign -2 developers-reference
Control: retitle -2 developers-reference should encourage verification of upstream cryptographic signatures
Control: retitle 732445 debian-policy should encourage verification of upstream cryptographic signatures

Hi Bill--

On Sat 2014-03-22 12:19:52 -0400, Bill Allombert wrote:
> While I agree that verification of upstream cryptographic signatures
> is important, your patch mostly documents a tool to perform this
> task, which is not something which belongs to policy in general. 
> Also policy is supposed to document commong practices, so it might
> be a bit too soon to document debian/upstream-signing-key.pgp.

You're quite right about my original bug report having been premature
and over-specific for debian-policy; sorry about that.  The current
preferred location is now debian/upstream/signing-key.pgp (binary form)
or debian/upstream/signing-key.asc (ascii-armored).  And i agree with
you that the specifics of how it's done might not need to be in policy.

However, as a matter of policy debian really should explicitly encourage
developers to check whatever cryptographic verifications are offered by
upstream, via whatever methods are available.  And the use of
debian/upstream/signing-key.* is becoming more common:

 http://codesearch.debian.net/search?q=signing-key.pgp

shows over 370 hits, probably at least a hundred packages, including
important packages like apache2 and openssh and libgcrypt11.

So i'm leaving the policy bug open because i think it's worth mentioning
the suggestion.  This is useful for both debian and our upstreams.

So i'm leaving this bug open with a plea for simpler/more generic text
that encourages developers to do cryptographic verification, but i'm not
sure what section of policy that should be in, if it's not concretely
tied to debian/watch the way this specific patch was.

any suggestions?  i'm happy to write a couple sentences if someone wants
to point me at the right section or subsection for context.

> Maybe at this stage, the recommendation would be better placed in
> developers-reference.

thanks, that's a good idea.

i've cloned the bug to suggest its inclusion in developers-reference,
where the specific and concrete language is probably more appropriate.

 --dkg




Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2014-03-22 Thread Bill Allombert
On Tue, Dec 17, 2013 at 11:22:38PM -0500, Daniel Kahn Gillmor wrote:
> Package: debian-policy
> Severity: normal
> Tags: patch
> 
> debian-policy should encourage verification of upstream cryptographic
> signatures.
> 
> Since devscripts 2.13.3 (see #610712), uscan has supported the ability
> to automatically verify upstream's cryptographic signatures if the
> signing key and URL to the signature is well-known.
>  
> debian-policy should recommend that package maintainers regularly
> verify these signatures for new versions, and mention the files used.

Hello Daniel,

While I agree that verification of upstream cryptographic signatures
is important, your patch mostly documents a tool to perform this
task, which is not something which belongs to policy in general. 
Also policy is supposed to document common practices, so it might
be a bit too soon to document debian/upstream-signing-key.pgp.

Maybe at this stage, the recommendation would be better placed in
developers-reference.

> A proposed patch for debian-policy is attached.

> commit f267cc2134197533bce3af8152aef15217967813
> Author: Daniel Kahn Gillmor 
> Date:   Tue Dec 17 23:15:08 2013 -0500
> 
> Encourage verification of upstream cryptographic signatures
> 
> Since devscripts 2.13.3 (see #610712), uscan has supported the ability
> to automatically verify upstream's cryptographic signatures if the
> signing key and URL to the signature is well-known.
> 
> debian-policy should recommend that package maintainers regularly
> verify these signatures for new versions, and mention the files used.
> 
> diff --git a/policy.sgml b/policy.sgml
> index dad8d23..ebe486f 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -2373,8 +2373,31 @@ endif
>distribution as a whole.
>  
>  
> -  
> + 
> +   If the package's upstream source offers detached
> +   cryptographic signatures of their source, it is recommended
> +   to use the pgpsigurlmangle option to locate the
> +   upstream signature file
> +   and  id="debianupstreamsigningkey">debian/usptream-signing-key.pgp
> +   to indicate the acceptable signing key
> +   (see  for details).
> + 
>  
> +  
> +  
> +Upstream signing key: 
> debian/upstream-signing-key.pgp
> + 
> +   If the package's upstream offers cryptographic signatures of
> +   their source, this optional, recommended file should contain
> +   a binary OpenPGP (RFC 4880) keyring consisting of all
> +   OpenPGP keys that the package maintainer considers
> +   acceptable to sign new upstream releases of the software
> +   (see pgpsigurlmangle
> +   from debian/watch for instructions on how to
> +   tell uscan how to find the signatures themselves
> +   when new versions are available).
> + 
> +  
>
>   Generated files list: debian/files
>  


-- 
Bill. 

Imagine a large red swirl here. 





Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures

2013-12-17 Thread Daniel Kahn Gillmor
Package: debian-policy
Severity: normal
Tags: patch

debian-policy should encourage verification of upstream cryptographic
signatures.


Since devscripts 2.13.3 (see #610712), uscan has supported the ability
to automatically verify upstream's cryptographic signatures if the
signing key and URL to the signature is well-known.
 
debian-policy should recommend that package maintainers regularly
verify these signatures for new versions, and mention the files used.

A proposed patch for debian-policy is attached.
commit f267cc2134197533bce3af8152aef15217967813
Author: Daniel Kahn Gillmor 
Date:   Tue Dec 17 23:15:08 2013 -0500

Encourage verification of upstream cryptographic signatures

Since devscripts 2.13.3 (see #610712), uscan has supported the ability
to automatically verify upstream's cryptographic signatures if the
signing key and URL to the signature is well-known.

debian-policy should recommend that package maintainers regularly
verify these signatures for new versions, and mention the files used.

diff --git a/policy.sgml b/policy.sgml
index dad8d23..ebe486f 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -2373,8 +2373,31 @@ endif
   distribution as a whole.
 
 
-  
+	
+	  If the package's upstream source offers detached
+	  cryptographic signatures of their source, it is recommended
+	  to use the pgpsigurlmangle option to locate the
+	  upstream signature file
+	  and debian/usptream-signing-key.pgp
+	  to indicate the acceptable signing key
+	  (see  for details).
+	
 
+  
+  
+Upstream signing key: debian/upstream-signing-key.pgp
+	
+	  If the package's upstream offers cryptographic signatures of
+	  their source, this optional, recommended file should contain
+	  a binary OpenPGP (RFC 4880) keyring consisting of all
+	  OpenPGP keys that the package maintainer considers
+	  acceptable to sign new upstream releases of the software
+	  (see pgpsigurlmangle
+	  from debian/watch for instructions on how to
+	  tell uscan how to find the signatures themselves
+	  when new versions are available).
+	
+  
   
 	Generated files list: debian/files
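
Review bot: the added line `and debian/usptream-signing-key.pgp` misspells the path, while the new section heading a few lines below has `debian/upstream-signing-key.pgp`; as written the first paragraph points readers at a file that will never exist, so correct it to `debian/upstream-signing-key.pgp`. Also, the new section requires the file to be "a binary OpenPGP (RFC 4880) keyring"; a binary file under debian/ needs dpkg to be configured to accept it (the reason Russ later argues for the ASCII-armored form), so consider either allowing an armored alternative or documenting that setup next to the file location.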