So my current workflow allows doing everything on soyuz. I tried it
out for a couple of packages, it works well and FWICT it's secure.
Writeup on the setup below as requested on IRC the other day.
Local prerequisites:
- Extra socket must be enabled. In arch, that seems to be the case by
On Wed, Jan 18, 2017 at 8:21 PM Lukas Jirkovsky via arch-general <
arch-general@archlinux.org> wrote:
> I use only the ssh agent forwarding ("ForwardAgent yes" in
> .ssh/config). On pkgbuild.com I build packages using the *-*-build as
> always. When a package is built, I use a script [1] that
On 17 January 2017 at 08:42, Jerome Leclanche wrote:
> What is the current intended way to sign packages on the pkgbuild.com server?
I don't think there's any.
> I spent the past day setting up agent forwarding
> (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of
On 01/17/17 at 09:42am, Jerome Leclanche wrote:
> What is the current intended way to sign packages on the pkgbuild.com server?
>
> I spent the past day setting up agent forwarding
> (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble
> setting it up due to systemd being
What is the current intended way to sign packages on the pkgbuild.com server?
I spent the past day setting up agent forwarding
(https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble
setting it up due to systemd being seemingly overzealous about the
gpg-agent socket. I have it
On 03/10/2012 08:12 AM, Kevin Chadwick wrote:
On Mon, 05 Mar 2012 10:42:15 +0100
Florian Pritz wrote:
You should read pacman.conf(5) PACKAGE AND DATABASE SIGNATURE CHECKING
and use Optional PackageRequired
Quick question and I'm guessing the answer will be just to wait and
that's fine.
On Mon, 05 Mar 2012 10:42:15 +0100
Florian Pritz wrote:
You should read pacman.conf(5) PACKAGE AND DATABASE SIGNATURE CHECKING
and use Optional PackageRequired
Quick question and I'm guessing the answer will be just to wait and
that's fine.
There are just a few packages preventing me from
On 11/03/12 02:12, Kevin Chadwick wrote:
On Mon, 05 Mar 2012 10:42:15 +0100
Florian Pritz wrote:
You should read pacman.conf(5) PACKAGE AND DATABASE SIGNATURE CHECKING
and use Optional PackageRequired
Quick question and I'm guessing the answer will be just to wait and
that's fine.
Hello everybody,
afaik, database files in official repositories are not signed yet. Are they?
This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if
anybody wants to provide an infected package he/she only needs to provide no
signature at all and the package is happily
On 05/03/12 19:39, Christian Hesse wrote:
And even more interesting: Does it make sense to add a new option
'PkgRequired'? This could force valid signatures for packages and make it
optional for database files.
You mean like the PackageRequired option that is already there? Or
you could use
On 05.03.2012 10:39, Christian Hesse wrote:
Hello everybody,
afaik, database files in official repositories are not signed yet. Are they?
This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if
anybody wants to provide an infected package he/she only needs to provide no
Florian Pritz bluew...@xinu.at on Mon, 05 Mar 2012 10:42:15 +0100:
On 05.03.2012 10:39, Christian Hesse wrote:
Hello everybody,
afaik, database files in official repositories are not signed yet. Are
they?
This forces one to set SigLevel to 'Optional' instead of 'Required'. Now
if
On 17 June 2010 01:34, Allan McRae al...@archlinux.org wrote:
On 17/06/10 00:48, Guillaume ALAUX wrote:
Are the python scripts in the pacbuild package (apple, strawberry,
queuepackage, waka and uploadpackage) used any more as described in this
pagehttp://wiki.archlinux.org/index.php/Pacbuild
On Sun, 13 Jun 2010 12:46:09 +0200
Xavier Chantry chantry.xav...@gmail.com wrote:
It's all there :
http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg and
there :
http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
Come back to us when everything is
On 16 June 2010 02:23, Allan McRae al...@archlinux.org wrote:
Just to clarify the build process that goes on here:
1) make a clean chroot (mkarchroot - only needs done once)
2) build package in chroot (makechrootpkg)
3) upload package to staging area and commit to svn (e.g. testingpkg)
4)
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote:
The proposed model is based on the web of trust. We would trust on
some keys to sign other keys. The main keys would be kept by some high
trusty developers. They would sign the public keys of the other
developers (and their personal keys too)
On Tue, 15 Jun 2010, Ionuț Bîru wrote:
i found this annoying since, debugging is more harder, i have to download the
resulted package to test it, send it, wait for the pool to come. is a mess :D
even if my system is compromised, we build our packages in clean chroots.
The workflow won't be
Hey, what do you think about this way of verifying packages?
On Tue, 15 Jun 2010, Dimitrios Apostolou wrote:
On another note, an easy but maybe a bit costly way to avoid any MITM
tampering to packages, is serve *.md5 files for every package through a
trusted HTTPS host. Then everyone can query
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net wrote:
Hey, what do you think about this way of verifying packages?
On Tue, 15 Jun 2010, Dimitrios Apostolou wrote:
On another note, an easy but maybe a bit costly way to avoid any MITM
tampering to packages, is serve *.md5
On 17/06/10 00:48, Guillaume ALAUX wrote:
Are the python scripts in the pacbuild package (apple, strawberry,
queuepackage, waka and uploadpackage) used any more as described in this
pagehttp://wiki.archlinux.org/index.php/Pacbuild ? Because some of these
scripts point to the old current
On Wed, 16 Jun 2010, Dan McGee wrote:
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net wrote:
Hey, what do you think about this way of verifying packages?
On Tue, 15 Jun 2010, Dimitrios Apostolou wrote:
On another note, an easy but maybe a bit costly way to avoid any MITM
On Wed, Jun 16, 2010 at 6:35 PM, Dimitrios Apostolou ji...@gmx.net wrote:
On Wed, 16 Jun 2010, Dan McGee wrote:
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net
wrote:
Hey, what do you think about this way of verifying packages?
On Tue, 15 Jun 2010, Dimitrios Apostolou
On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
And keep in mind that package signing per se will not solve this kind
of problems. Repository database signing is more important for that
solution, but is a problem in the current workflow of Arch developers.
How exactly is core and extra
On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou ji...@gmx.net wrote:
On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
And keep in mind that package signing per se will not solve this kind
of problems. Repository database signing is more important for that
solution, but is a problem
How exactly is core and extra database populated?
Moreover, instead of building all packages in the private PCs of
developers
Packages are not build on developers computers but on build machines as
explained here http://wiki.archlinux.org/index.php/Pacbuild
On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX guilla...@alaux.net wrote:
How exactly is core and extra database populated?
Moreover, instead of building all packages in the private PCs of
developers
Packages are not build on developers computers but on build machines as
explained here
On 15 June 2010 16:46, Dan McGee dpmc...@gmail.com wrote:
On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX guilla...@alaux.net
wrote:
How exactly is core and extra database populated?
Moreover, instead of building all packages in the private PCs of
developers
Packages are not build on
On 15 June 2010 16:55, Dimitrios Apostolou ji...@gmx.net wrote:
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote:
On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou ji...@gmx.net
wrote:
Moreover, instead of building all packages in the private PCs of
developers,
I think it is
On Tue, Jun 15, 2010 at 11:43 AM, Aleksis Jauntēvs
aleksis.jaunt...@gmail.com wrote:
On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote:
On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs
aleksis.jaunt...@gmail.com wrote:
I dont think that repo.db should be signed and it is enough to
Just to clarify the build process that goes on here:
1) make a clean chroot (mkarchroot - only needs done once)
2) build package in chroot (makechrootpkg)
3) upload package to staging area and commit to svn (e.g. testingpkg)
4) release package on master server adding it to repo (e.g. db-testing)
On Sun, Jun 13, 2010 at 7:46 AM, Xavier Chantry
chantry.xav...@gmail.com wrote:
On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar ana...@samaddar.co.uk
wrote:
This is the reason why we need package signing for Pacman. I'm aware
that some progress has been made and it's being worked on. Are
On Sun, 13 Jun 2010 09:58:38 +0200
Thomas Bächler tho...@archlinux.org wrote:
Am 13.06.2010 02:33, schrieb Alexander Duscheleit:
OTOH the original mail was meant more to alert *users* of
unrealircd, the maintainer should actually already have been
noticed via the bug.
In that case, it
On Sun, 13 Jun 2010 19:48:53 +1000
Allan McRae al...@archlinux.org wrote:
This is the reason why we need package signing for Pacman. I'm
aware that some progress has been made and it's being worked on.
Are there any updates?
Yes... because package signing magically fixes all
On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar ana...@samaddar.co.uk wrote:
This is the reason why we need package signing for Pacman. I'm aware
that some progress has been made and it's being worked on. Are there
any updates?
It's all there :
On Sun, 2010-06-13 at 10:48 +0100, Ananda Samaddar wrote:
On Sun, 13 Jun 2010 19:48:53 +1000
Allan McRae al...@archlinux.org wrote:
This is the reason why we need package signing for Pacman. I'm
aware that some progress has been made and it's being worked on.
Are there any
On Wednesday 28 April 2010 16:39:53 Allan McRae wrote:
On 28/04/10 23:32, Aleksis Jauntēvs wrote:
Hello,
The idea is to implement package signing for Arch similar to rpm GPG
package signing.
Good to see someone interested in this. I suggest you join the
pacman-dev list where all
Am 29.04.2010 00:36, schrieb Linas:
Thomas Bächler wrote:
We must have a system that allows pacman to automatically verify new
developer keys and revoke old ones ... even more important, revoke them
in a way that signatures made before a certain date are still accepted,
but newer ones aren't.
On 30/04/10 01:29, Thomas Bächler wrote:
Am 29.04.2010 00:36, schrieb Linas:
Thomas Bächler wrote:
We must have a system that allows pacman to automatically verify new
developer keys and revoke old ones ... even more important, revoke them
in a way that signatures made before a certain date
On Thu, Apr 29, 2010 at 10:40 AM, Allan McRae al...@archlinux.org wrote:
On 30/04/10 01:29, Thomas Bächler wrote:
Am 29.04.2010 00:36, schrieb Linas:
Thomas Bächler wrote:
We must have a system that allows pacman to automatically verify new
developer keys and revoke old ones ... even more
On Thu, Apr 29, 2010 at 12:40 PM, Allan McRae al...@archlinux.org wrote:
Has anyone had a good look at the other implementations of package signing
(Debian, Fedora, ...) and made a summary of how they handle it?
(Long email ahead, sorry...)
Good idea, indeed. This is what I've found about
Ng Oon-Ee wrote:
Under which circunstances would you envision the need to trust an old,
compromised signature?
New install, dev for a coupl of [extra] packages has already left the
team. Having to recompile everytime a dev leaves the team is additional
(unnecessary) hassle IMO,
Hello,
The idea is to implement package signing for Arch similar to rpm GPG package
signing. Short description follows.
Use case for developers:
1. Dev bulds package with f.e. -sign switch.
2. Dev enters passphrase.
3. makepkg builds the package and creates detached signature (now we
have 2
On 28/04/10 23:32, Aleksis Jauntēvs wrote:
Hello,
The idea is to implement package signing for Arch similar to rpm GPG package
signing.
Good to see someone interested in this. I suggest you join the
pacman-dev list where all discussion about pacman development occurs.
There is also some
On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote:
On 28/04/10 23:32, Aleksis Jauntēvs wrote:
Hello,
The idea is to implement package signing for Arch similar to rpm GPG package
signing.
Good to see someone interested in this.
Yes, the monthly forum threads were a bit tiring.
I
On 28/04/10 23:52, Ng Oon-Ee wrote:
On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote:
On 28/04/10 23:32, Aleksis Jauntēvs wrote:
Hello,
The idea is to implement package signing for Arch similar to rpm GPG package
signing.
Good to see someone interested in this.
Yes, the monthly forum
On Wed, 2010-04-28 at 23:56 +1000, Allan McRae wrote:
On 28/04/10 23:52, Ng Oon-Ee wrote:
On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote:
On 28/04/10 23:32, Aleksis Jauntēvs wrote:
Hello,
The idea is to implement package signing for Arch similar to rpm GPG
package
signing.
On Wed, 2010-04-28 at 22:03 +0800, Ng Oon-Ee wrote:
On Wed, 2010-04-28 at 23:56 +1000, Allan McRae wrote:
On 28/04/10 23:52, Ng Oon-Ee wrote:
On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote:
On 28/04/10 23:32, Aleksis Jauntēvs wrote:
Hello,
The idea is to implement package
On Wed, Apr 28, 2010 at 10:39 AM, Allan McRae al...@archlinux.org wrote:
On 28/04/10 23:32, Aleksis Jauntēvs wrote:
Hello,
The idea is to implement package signing for Arch similar to rpm GPG
package
signing.
Good to see someone interested in this. I suggest you join the pacman-dev
list
On Wed, 28 Apr 2010 14:18:02 -0300, Denis A. Altoé Falqueto
denisfalqu...@gmail.com wrote:
Hi, Allan and Aleksis.
I was thinking about this problem for sometime and the more complex
part is the key distribution and trusting. Now I maybe came to
something usefull.
I'm thinking about a two
On Wed, Apr 28, 2010 at 13:18, Denis A. Altoé Falqueto
denisfalqu...@gmail.com wrote:
I'm thinking about a two way signing process. The dev signs the
package and send it to the server. The server would have a script or a
cron job to verify if the signature is valid and is from someone
trusted
On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote:
I'm thinking about a two way signing process. The dev signs the
package and send it to the server. The server would have a script or a
cron job to verify if the signature is valid and is from someone
trusted [1]. If so, the original signature
On Wed, Apr 28, 2010 at 2:25 PM, Pierre Schmitz pie...@archlinux.de wrote:
On Wed, 28 Apr 2010 14:18:02 -0300, Denis A. Altoé Falqueto
denisfalqu...@gmail.com wrote:
Hi, Allan and Aleksis.
I was thinking about this problem for sometime and the more complex
part is the key distribution and
On Wed, Apr 28, 2010 at 14:32, Denis A. Altoé Falqueto
denisfalqu...@gmail.com wrote:
This could
also cause problems when downloading some package that depends on a
public key that was not downloaded yet.
Adding the keyring to the same rule that prompts you to upgrade pacman
before anything
On Wed, Apr 28, 2010 at 3:30 PM, Florian Pritz
bluew...@server-speed.net wrote:
On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote:
I'm thinking about a two way signing process. The dev signs the
package and send it to the server. The server would have a script or a
cron job to verify if the
Am 28.04.2010 19:18, schrieb Denis A. Altoé Falqueto:
I was thinking about this problem for sometime and the more complex
part is the key distribution and trusting. Now I maybe came to
something usefull.
Finally, someone realizes that. The distrubution and trusting of keys is
in fact the most
On Thu, 2010-04-29 at 00:36 +0200, Linas wrote:
Thomas Bächler wrote:
We must have a system that allows pacman to automatically verify new
developer keys and revoke old ones ... even more important, revoke them
in a way that signatures made before a certain date are still accepted,
but
On Wed, Apr 28, 2010 at 6:37 PM, Linas linas...@ymail.com wrote:
I wrote about this topic ~1 month ago.
You don't need PKCis or distribute the keyrings themselves. GPG supports
transitive trust.
The pacman keyring would be installed by default trusting on whatever keys
a pacman root signature
On 28 April 2010 15:37, Linas linas...@ymail.com wrote:
[snip]
Packages built by you - Add your own key.
[/snip]
Please no, it's way too convenient to be able to do makepkg su -c
pacman -U whatever and not bother with keys or signing. You should
be able to install unsigned packages, maybe with
Am 17.03.2010 01:06, schrieb Linas:
There are several ways to close the gap:
*Always download the package list from ftp.archlinux.org
It's the easier solution, but it only protects against the mirror
operator. Moreover, it increases load on that server and makes it a
single point of failure.
On Tue, Mar 16, 2010 at 19:06, Linas linas...@ymail.com wrote:
I had already this email draft in my head, but Ananda 'Arch Linux security
is still poor' thread, on which the point was also brought up, moved me to
really write it.
First off, there's an implicit level of trust on the package
I had already this email draft in my head, but Ananda 'Arch Linux
security is still poor' thread, on which the point was also brought up,
moved me to really write it.
First off, there's an implicit level of trust on the package software,
no matter which OS you use.
When using Windows, you
On Tue, Mar 16, 2010 at 20:06, Linas linas...@ymail.com wrote:
I had already this email draft in my head, but Ananda 'Arch Linux security
is still poor' thread, on which the point was also brought up, moved me to
really write it.
There's a bug on the tracker about this, please contribute
On 17/03/10 10:06, Linas wrote:
Do you think this is a good idea? Which solution do you prefer?
And most important, what would be needed to reach there?
There has been discussions on the pacman-dev mailing list and is even
partial implementation for package signing available. You should
63 matches
Mail list logo