Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On 2016-12-12 07:35 PM, Joerg Jaspert wrote:
> On 14519 March 1977, Ben Hutchings wrote:
>
>>> We offer the archives, including security, by rsync too.
>>> And that should stay. Mirrors of security do exist, for good
>>> reasons.[1]
>>> Why does it need to be in the archive?
>> [...]
>> I don't know of any other way of getting files back out of dak.
>
> So my first thought it will be. Some random structure on some random
> place. Possibly an apache run by DSA or so, but nothing relying on our
> mirrors.

Should we request DSA team to set up this then? What is the next step?

> As "getting files back out of dak" is simple. dak writes files where we
> tell it to, see for example our changelog/metadata exports, buildd
> queues, etc which don't live on the usual mirror network.
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On 14519 March 1977, Ben Hutchings wrote:

>> We offer the archives, including security, by rsync too.
>> And that should stay. Mirrors of security do exist, for good
>> reasons.[1]
>> Why does it need to be in the archive?
> [...]
> I don't know of any other way of getting files back out of dak.

So my first thought it will be. Some random structure on some random
place. Possibly an apache run by DSA or so, but nothing relying on our
mirrors.

As "getting files back out of dak" is simple. dak writes files where we
tell it to, see for example our changelog/metadata exports, buildd
queues, etc which don't live on the usual mirror network.

-- 
bye, Joerg
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On Mon, 2016-12-12 at 22:24 +0100, Joerg Jaspert wrote:
> On 14519 March 1977, Ben Hutchings wrote:
> > > The first is acceptable, the latter is not, for hopefully obvious
> > > reasons.
> >
> > I meant the latter. Your reason for objecting is not obvious to me. I
> > understand that this can't be done for the main archive and all its
> > mirrors, which is fine - this is only important for embargoed security
> > updates.
>
> We offer the archives, including security, by rsync too.
> And that should stay. Mirrors of security do exist, for good
> reasons.[1]
>
> Why does it need to be in the archive?
[...]

I don't know of any other way of getting files back out of dak.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On 14519 March 1977, Ben Hutchings wrote:

>> The first is acceptable, the latter is not, for hopefully obvious reasons.
> I meant the latter. Your reason for objecting is not obvious to me. I
> understand that this can't be done for the main archive and all its
> mirrors, which is fine - this is only important for embargoed security
> updates.

We offer the archives, including security, by rsync too.
And that should stay. Mirrors of security do exist, for good reasons.[1]

Why does it need to be in the archive?

[1] Yes, they are not recommended to users. And if you have access to
    the net, don't use them. Use our infrastructure. But there are enough
    places where direct net connections simply are not available, and
    where a mirror is the only thing you can reach. Loads of company
    networks, for example. And so for all practical purposes there is no
    difference between main and security archive in terms of access to
    files in their archive, or trying to limit a directory using apache
    access rules.

-- 
bye, Joerg
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On Mon, 2016-12-12 at 19:30 +0100, Joerg Jaspert wrote:
> On 14506 March 1977, Ben Hutchings wrote:
>
> > 1. Directory listing is disabled for the directory containing
> >    signature tarballs.
>
> There is a load of mails and irc discussions mixing together, so one
> question here: Is that supposed to be on some (restricted!) host
> somewhere with a limited apache and stuff - or on a (main or security)
> mirror?
>
> The first is acceptable, the latter is not, for hopefully obvious reasons.

I meant the latter. Your reason for objecting is not obvious to me. I
understand that this can't be done for the main archive and all its
mirrors, which is fine - this is only important for embargoed security
updates.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On 14506 March 1977, Ben Hutchings wrote:

> 1. Directory listing is disabled for the directory containing
>    signature tarballs.

There is a load of mails and irc discussions mixing together, so one
question here: Is that supposed to be on some (restricted!) host
somewhere with a limited apache and stuff - or on a (main or security)
mirror?

The first is acceptable, the latter is not, for hopefully obvious reasons.

-- 
bye, Joerg
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On Tue, 2016-11-29 at 12:23 -0200, Helen Koike wrote:
>
> On 2016-11-20 09:27 AM, Ben Hutchings wrote:
> > On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
> > > Add linux, grub2 and fwupdate to publish their signatures by calling
> > > byhand-code-sign as they are supposed to have a *-signed version
> > >
> > > NOTE: this bypasses embargoed updates. The proposed solution for this is by
> > > making dak publish the *-signed packages automatically, this will be
> > > implemented on an incremental basis as we advance to have a base code of the
> > > *-signed packages
> >
> > [...]
> >
> > I missed that discussion so I don't understand how that's supposed to
> > work. Is there a log somewhere?
> >
> > Ben.
> >
>
> Log: http://pastebin.com/bSsUPrrA

OK, so it is only a high-level proposal, not something that we know how
to do. It would presumably require much bigger changes to dak.

So let's instead work out how to publish signatures without revealing
which package they are for. I think the following changes would be
almost sufficient:

1. Directory listing is disabled for the directory containing
   signature tarballs.
2. In main source package, debian/rules adds debian/changelog to the
   code-sign tarball.
3. Byhand script generates the signature tarball name thus:
   OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | cut -d' ' -f1).tar.xz"
4. In signed source package, preparation script takes main source
   package's changelog as input.

This is not binNMU-safe, so possibly we would need to keep the current
naming for non-security uploads.

Ben.

-- 
Ben Hutchings
Theory and practice are closer in theory than in practice.
                                - John Levine, moderator of comp.compilers
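The naming scheme from step 3 of the message above, as an added shell example that is not part of the original thread or of dak: both sides derive the same tarball name from the changelog alone, and a changelog that gains an entry on rebuild gets a different name. The target path, function names and sample changelog are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration; TARGET paths and function names are hypothetical.

# Byhand side: name the signature tarball after the SHA-256 of the
# changelog shipped in the code-sign tarball.
sig_tarball_name() {
    # sha256sum prints "<digest>  <file>"; keep only the digest field.
    digest=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "${#digest}" -eq 64 ] || return 1   # missing or unreadable changelog
    printf '%s.tar.xz\n' "$digest"
}

# Signed-source side: derive the same path from the main source
# package's debian/changelog, with no directory listing needed.
sig_tarball_path() {
    name=$(sig_tarball_name "$2") || return 1
    printf '%s/%s\n' "$1" "$name"
}

# Constructed sample changelog (not a real upload).
make_sample_changelog() {
    cat > "$1" <<'EOF'
linux (4.8.11-1) unstable; urgency=medium

  * Constructed sample entry.

 -- Example Maintainer <maint@example.org>  Mon, 05 Dec 2016 00:00:00 +0000
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_changelog "$tmp/changelog"
    # A rebuild that prepends a changelog entry (as a binNMU does).
    { printf 'linux (4.8.11-1+b1) unstable; urgency=low\n\n'
      cat "$tmp/changelog"; } > "$tmp/changelog.rebuild"
    echo "upload:  $(sig_tarball_path /srv/example/code-sign "$tmp/changelog")"
    echo "rebuild: $(sig_tarball_path /srv/example/code-sign "$tmp/changelog.rebuild")"
    rm -rf "$tmp"
}

demo
```

The two printed paths differ, so a consumer holding only the original changelog cannot locate signatures produced for the rebuilt package.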
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On 2016-11-20 09:27 AM, Ben Hutchings wrote:
> On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
>> Add linux, grub2 and fwupdate to publish their signatures by calling
>> byhand-code-sign as they are supposed to have a *-signed version
>>
>> NOTE: this bypasses embargoed updates. The proposed solution for this is by
>> making dak publish the *-signed packages automatically, this will be
>> implemented on an incremental basis as we advance to have a base code of the
>> *-signed packages
>
> [...]
>
> I missed that discussion so I don't understand how that's supposed to
> work. Is there a log somewhere?
>
> Ben.

Log: http://pastebin.com/bSsUPrrA
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
> Add linux, grub2 and fwupdate to publish their signatures by calling
> byhand-code-sign as they are supposed to have a *-signed version
>
> NOTE: this bypasses embargoed updates. The proposed solution for this is by
> making dak publish the *-signed packages automatically, this will be
> implemented on an incremental basis as we advance to have a base code of the
> *-signed packages
[...]

I missed that discussion so I don't understand how that's supposed to
work. Is there a log somewhere?

Ben.

-- 
Ben Hutchings
Lowery's Law:
        If it jams, force it. If it breaks, it needed replacing anyway.
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
Add linux, grub2 and fwupdate to publish their signatures by calling
byhand-code-sign as they are supposed to have a *-signed version

NOTE: this bypasses embargoed updates. The proposed solution for this is by
making dak publish the *-signed packages automatically, this will be
implemented on an incremental basis as we advance to have a base code of the
*-signed packages

Contributions: Ben Hutchings
---

This patch series is based on
https://ftp-master.debian.org/git/dak.git master

Patches are also available here:
https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate) create a
file called ${package}-code-sign_${version}_${arch}.tar.xz with the efi images
or kernel modules to be signed

After building the package, add the file in the changes file:
> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional"
> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand optional ${package}-code-sign_${version}_${arch}.tar.xz/g" ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file
> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc ${package}-code-sign_${version}_${arch}.changes

Add to unchecked queue
> cp -r ../* /srv/dak/queue/unchecked/

Process the package
> dak process-upload -d /srv/dak/queue/unchecked

--- config/debian-security/dak.conf | 24 config/debian/dak.conf | 21 + 2 files changed, 45 insertions(+) diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf index f342a55..dbf5395 100644 --- a/config/debian-security/dak.conf +++ b/config/debian-security/dak.conf 
@@ -127,6 +127,30 @@ SuiteMappings "reject oldoldstable"; }; +AutomaticByHandPackages +{ + "linux-code-sign" { +Source "linux"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "grub2-code-sign" { +Source "grub2"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "fwupdate-code-sign" { +Source "fwupdate"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; +}; + Dir { Base "/srv/security-master.debian.org/"; diff --git a/config/debian/dak.conf b/config/debian/dak.conf index 10322cc..6de05f2 100644 --- a/config/debian/dak.conf +++ b/config/debian/dak.conf @@ -185,6 +185,27 @@ AutomaticByHandPackages { Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di"; }; + "linux-code-sign" { +Source "linux"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "grub2-code-sign" { +Source "grub2"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "fwupdate-code-sign" { +Source "fwupdate"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + "tag-overrides" { Source "tag-overrides"; Section "byhand"; -- 2.7.4
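Review bot: In the config/debian-security/dak.conf hunk, the new AutomaticByHandPackages block turns on byhand-code-sign for linux, grub2 and fwupdate on security-master, while the commit message itself says this bypasses embargoed updates. The stanzas carry only Source, Section, Extension and Script, so nothing here constrains where the script publishes or how its output is named. I would hold this hunk, or land only the config/debian/dak.conf one, until the publication location and naming for embargoed uploads are settled, and record that constraint in a comment above the block.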
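Review bot: In the config/debian/dak.conf hunk, the three new stanzas point Script at scripts/debian/byhand-code-sign, which this patch does not add. As this is 3/3, please confirm an earlier patch in the series installs the script at that path under both /srv/ftp-master.debian.org and /srv/security-master.debian.org. The stanzas are also identical apart from the key and Source, so a short comment above them saying they handle the ${package}-code-sign_${version}_${arch}.tar.xz byhand files described in the commit message would help the next reader.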