Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2017-01-04 Thread Helen Koike
On 2016-12-12 07:35 PM, Joerg Jaspert wrote:
> On 14519 March 1977, Ben Hutchings wrote:
> 
> >> We offer the archives, including security, by rsync too.
> >> And that should stay. Mirrors of security do exist, for good
> >> reasons.[1]
> >> Why does it need to be in the archive?
> > [...]
> > I don't know of any other way of getting files back out of dak.
> 
> So my first thought it will be. Some random structure on some random
> place. Possibly an apache run by DSA or so, but nothing relying on our
> mirrors.

Should we request the DSA team to set this up then? What is the next step?

> As "getting files back out of dak" is simple. dak writes files where we
> tell it to, see for example our changelog/metadata exports, buildd
> queues, etc which don't live on the usual mirror network.





Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-12-12 Thread Joerg Jaspert
On 14519 March 1977, Ben Hutchings wrote:

>> We offer the archives, including security, by rsync too.
>> And that should stay. Mirrors of security do exist, for good
>> reasons.[1]
>> Why does it need to be in the archive?
> [...]
> I don't know of any other way of getting files back out of dak.

So my first thought it will be. Some random structure on some random
place. Possibly an apache run by DSA or so, but nothing relying on our
mirrors.

As "getting files back out of dak" is simple. dak writes files where we
tell it to, see for example our changelog/metadata exports, buildd
queues, etc which don't live on the usual mirror network.

-- 
bye, Joerg



Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-12-12 Thread Ben Hutchings
On Mon, 2016-12-12 at 22:24 +0100, Joerg Jaspert wrote:
> On 14519 March 1977, Ben Hutchings wrote:
> > > The first is acceptable, the latter is not, for hopefully obvious
> > > reasons.
> > 
> > I meant the latter.  Your reason for objecting is not obvious to
> > me.  I
> > understand that this can't be done for the main archive and all its
> > mirrors, which is fine - this is only important for embargoed
> > security
> > updates.
> 
> We offer the archives, including security, by rsync too.
> And that should stay. Mirrors of security do exist, for good
> reasons.[1]
> 
> Why does it need to be in the archive?
[...]

I don't know of any other way of getting files back out of dak.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.





Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-12-12 Thread Joerg Jaspert
On 14519 March 1977, Ben Hutchings wrote:
>> The first is acceptable, the latter is not, for hopefully obvious reasons.
> I meant the latter.  Your reason for objecting is not obvious to me.  I
> understand that this can't be done for the main archive and all its
> mirrors, which is fine - this is only important for embargoed security
> updates.

We offer the archives, including security, by rsync too.
And that should stay. Mirrors of security do exist, for good reasons.[1]

Why does it need to be in the archive?


[1] Yes, they are not recommended to users. And if you have access to
the net, don't use them. Use our infrastructure.
But there are enough places where direct net connections simply are not
available, and where a mirror is the only thing you can reach. Loads of
company networks, for example.

And so for all practical purposes there is no difference between main
and security archive in terms of access to files in their archive, or
trying to limit a directory using apache access rules.

-- 
bye, Joerg



Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-12-12 Thread Ben Hutchings
On Mon, 2016-12-12 at 19:30 +0100, Joerg Jaspert wrote:
> On 14506 March 1977, Ben Hutchings wrote:
> 
> > 1. Directory listing is disabled for the directory containing
> >    signature tarballs.
> 
> There is a load of mails and irc discussions mixing together, so one
> question here: Is that supposed to be on some (restricted!) host
> somewhere with a limited apache and stuff - or on a (main or security)
> mirror?
> 
> The first is acceptable, the latter is not, for hopefully obvious reasons.

I meant the latter.  Your reason for objecting is not obvious to me.  I
understand that this can't be done for the main archive and all its
mirrors, which is fine - this is only important for embargoed security
updates.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.





Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-12-12 Thread Joerg Jaspert
On 14506 March 1977, Ben Hutchings wrote:

> 1. Directory listing is disabled for the directory containing
>    signature tarballs.

There is a load of mails and irc discussions mixing together, so one
question here: Is that supposed to be on some (restricted!) host
somewhere with a limited apache and stuff - or on a (main or security)
mirror?

The first is acceptable, the latter is not, for hopefully obvious reasons.

-- 
bye, Joerg



Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-11-29 Thread Ben Hutchings
On Tue, 2016-11-29 at 12:23 -0200, Helen Koike wrote:
> 
> On 2016-11-20 09:27 AM, Ben Hutchings wrote:
> > On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
> > > Add linux, grub2 and fwupdate to publish their signatures by calling
> > > byhand-code-sign as they are supposed to have a *-signed version
> > > 
> > > NOTE: this bypasses embargoed updates. The proposed solution for this is to
> > > make dak publish the *-signed packages automatically; this will be
> > > implemented on an incremental basis as we advance to have a base code of the
> > > *-signed packages
> > 
> > [...]
> > 
> > I missed that discussion so I don't understand how that's supposed to
> > work.  Is there a log somewhere?
> > 
> > Ben.
> > 
> 
> Log: http://pastebin.com/bSsUPrrA

OK, so it is only a high-level proposal, not something that we know how
to do.  It would presumably require much bigger changes to dak.

So let's instead work out how to publish signatures without revealing
which package they are for.  I think the following changes would be
almost sufficient:

1. Directory listing is disabled for the directory containing
   signature tarballs.
2. In main source package, debian/rules adds debian/changelog to the
   code-sign tarball.
3. Byhand script generates the signature tarball name thus (sha256sum
   prints "<hash>  <file>", so only the first field is used):
   OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | cut -d' ' -f1).tar.xz"
4. In signed source package, preparation script takes main source
   package's changelog as input.

This is not binNMU-safe, so possibly we would need to keep the current
naming for non-security uploads.

Ben.

-- 
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of comp.compilers
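The naming scheme from steps 2 to 4 of the proposal above, as an added example that is not part of the dak patch or of any byhand-code-sign script in the series. It assumes coreutils sha256sum; the changelog contents, the placeholder signature tarball and all paths are constructed for the demonstration, and the last part shows the binNMU problem the message points out.

```shell
#!/bin/sh
# Added example, not dak's or byhand-code-sign's own code: name the
# published signature tarball after the SHA-256 of the main source
# package's debian/changelog so the file name reveals neither package
# nor version. Assumes coreutils sha256sum; all inputs are constructed.
set -eu

# sha256sum prints "<hash>  <file>"; keep only the hash, otherwise the
# changelog's path would end up in the published file name.
sig_tarball_name() {
    printf '%s.tar.xz\n' "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Producer (byhand script): $1 = changelog shipped inside the code-sign
# tarball (step 2), $2 = signature tarball produced by signing,
# $3 = publish directory ($TARGET). Prints the published path.
publish_sig() {
    out="$3/$(sig_tarball_name "$1")"
    cp "$2" "$out"
    printf '%s\n' "$out"
}

# Consumer (signed source package's preparation script, step 4):
# recompute the name from the main source package's changelog.
locate_sig() {
    f="$2/$(sig_tarball_name "$1")"
    [ -f "$f" ] && printf '%s\n' "$f"
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/pub"
    # constructed stand-ins for linux's debian/changelog and its signatures
    printf 'linux (4.8.11-1) unstable; urgency=medium\n\n  * New upstream.\n' \
        > "$work/changelog"
    printf 'constructed placeholder for the signature tarball\n' > "$work/sigs.tar.xz"
    published=$(publish_sig "$work/changelog" "$work/sigs.tar.xz" "$work/pub")
    found=$(locate_sig "$work/changelog" "$work/pub")
    [ "$published" = "$found" ] || return 1
    # binNMU caveat: the binNMU adds a changelog entry, so the recomputed
    # name no longer matches the published tarball.
    { printf 'linux (4.8.11-1+b1) unstable; urgency=medium\n\n  * Binary-only NMU.\n\n'
      cat "$work/changelog"; } > "$work/changelog.binnmu"
    if locate_sig "$work/changelog.binnmu" "$work/pub" >/dev/null; then return 1; fi
    rm -rf "$work"
    echo ok
}
```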





Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-11-29 Thread Helen Koike
On 2016-11-20 09:27 AM, Ben Hutchings wrote:
> On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
> > Add linux, grub2 and fwupdate to publish their signatures by calling
> > byhand-code-sign as they are supposed to have a *-signed version
> > 
> > NOTE: this bypasses embargoed updates. The proposed solution for this is to
> > make dak publish the *-signed packages automatically; this will be
> > implemented on an incremental basis as we advance to have a base code of the
> > *-signed packages
> [...]
> 
> I missed that discussion so I don't understand how that's supposed to
> work.  Is there a log somewhere?
> 
> Ben.

Log: http://pastebin.com/bSsUPrrA



Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-11-20 Thread Ben Hutchings
On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
> Add linux, grub2 and fwupdate to publish their signatures by calling
> byhand-code-sign as they are supposed to have a *-signed version
> 
> NOTE: this bypasses embargoed updates. The proposed solution for this is to
> make dak publish the *-signed packages automatically; this will be
> implemented on an incremental basis as we advance to have a base code of the
> *-signed packages
[...]

I missed that discussion so I don't understand how that's supposed to
work.  Is there a log somewhere?

Ben.

-- 
Ben Hutchings
Lowery's Law:
 If it jams, force it. If it breaks, it needed replacing anyway.





Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-11-15 Thread Helen Koike
Add linux, grub2 and fwupdate to publish their signatures by calling
byhand-code-sign as they are supposed to have a *-signed version

NOTE: this bypasses embargoed updates. The proposed solution for this is to
make dak publish the *-signed packages automatically; this will be
implemented on an incremental basis as we advance to have a base code of the
*-signed packages

Contributions:
Ben Hutchings 

---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate) create
a file called ${package}-code-sign_${version}_${arch}.tar.xz
with the efi images or kernel modules to be signed

After building the package, add the file in the changes file:

> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile 
> ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional"

> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand 
> optional ${package}-code-sign_${version}_${arch}.tar.xz/g" 
> ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file
> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc 
> ${package}-code-sign_${version}_${arch}.changes

Add to the unchecked queue
> cp -r ../* /srv/dak/queue/unchecked/

Process the package
> dak process-upload -d /srv/dak/queue/unchecked
---
 config/debian-security/dak.conf | 24 
 config/debian/dak.conf  | 21 +
 2 files changed, 45 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f342a55..dbf5395 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -127,6 +127,30 @@ SuiteMappings
   "reject oldoldstable";
 };
 
+AutomaticByHandPackages
+{
+  "linux-code-sign" {
+Source "linux";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+Source "grub2";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+Source "fwupdate";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+};
+
 Dir
 {
   Base "/srv/security-master.debian.org/";
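Review bot: On security-master these three entries hand the linux, grub2 and fwupdate code-sign tarballs to byhand-code-sign as soon as the upload is processed, which the commit message itself says bypasses embargoed updates; until the restricted publishing location discussed in this thread exists, the config/debian-security/dak.conf part of this patch exposes that an embargoed kernel or bootloader update is in flight, so consider holding it back or gating it until that location is in place. Also check that the Script value being split across two lines in each stanza (`Script` on one line, `"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";` on the next) is mail wrapping and not what the patch applies, since it differs from the single-line form used in config/debian/dak.conf.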
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 10322cc..6de05f2 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -185,6 +185,27 @@ AutomaticByHandPackages {
 Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di";
   };
 
+  "linux-code-sign" {
+Source "linux";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+Source "grub2";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+Source "fwupdate";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
   "tag-overrides" {
 Source "tag-overrides";
 Section "byhand";
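Review bot: The three stanzas are identical apart from the key and Source, and the key has to follow the ${package}-code-sign naming from the test instructions for the byhand tarball to be matched to its source upload; a short comment above them stating that convention (key `<source>-code-sign`, Extension "tar.xz", shared Script) would help whoever adds the next package and would make the duplication deliberate rather than accidental. The byhand-code-sign script is only referenced here, so please confirm the path "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign" matches where the earlier patch in the series installs it.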
-- 
2.7.4