Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-17 Thread Ananda Samaddar
On Sun, 13 Jun 2010 12:46:09 +0200 Xavier Chantry wrote: > > It's all there: > http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg and > there: > http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman > > Come back to us when everything is implemented and working :

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-17 Thread Guillaume ALAUX
On 17 June 2010 01:34, Allan McRae wrote: > On 17/06/10 00:48, Guillaume ALAUX wrote: > >> Are the Python scripts in the pacbuild package (apple, strawberry, >> queuepackage, waka and uploadpackage) used any more as described in this >> page? Becaus

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dan McGee
On Wed, Jun 16, 2010 at 6:35 PM, Dimitrios Apostolou wrote: > On Wed, 16 Jun 2010, Dan McGee wrote: >> >> On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou >> wrote: >>> >>> Hey, what do you think about this way of verifying packages? >>> >>> On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: >>>

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Wed, 16 Jun 2010, Dan McGee wrote: On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou wrote: Hey, what do you think about this way of verifying packages? On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: On another note, an easy but maybe a bit costly way to avoid any MITM tampering to pa

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Allan McRae
On 17/06/10 00:48, Guillaume ALAUX wrote: Are the Python scripts in the pacbuild package (apple, strawberry, queuepackage, waka and uploadpackage) used any more as described in this page? Because some of these scripts point to the old "current" repo

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dan McGee
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou wrote: > Hey, what do you think about this way of verifying packages? > > On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: >> >> On another note, an easy but maybe a bit costly way to avoid any MITM >> tampering to packages, is to serve *.md5 files

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
Hey, what do you think about this way of verifying packages? On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: On another note, an easy but maybe a bit costly way to avoid any MITM tampering to packages, is to serve *.md5 files for every package through a trusted HTTPS host. Then everyone can query

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Tue, 15 Jun 2010, Ionuț Bîru wrote: I found this annoying since debugging is harder: I have to download the resulting package to test it, send it, wait for the pool to come. It's a mess :D Even if my system is compromised, we build our packages in clean chroots. The workflow won't be ch

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote: The proposed model is based on the web of trust. We would trust some keys to sign other keys. The main keys would be kept by some highly trusted developers. They would sign the public keys of the other developers (and their personal keys too) wi

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Guillaume ALAUX
On 16 June 2010 02:23, Allan McRae wrote: > Just to clarify the build process that goes on here: > > 1) make a clean chroot (mkarchroot - only needs done once) > 2) build package in chroot (makechrootpkg) > 3) upload package to staging area and commit to svn (e.g. testingpkg) > 4) release package

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Allan McRae
Just to clarify the build process that goes on here: 1) make a clean chroot (mkarchroot - only needs done once) 2) build package in chroot (makechrootpkg) 3) upload package to staging area and commit to svn (e.g. testingpkg) 4) release package on master server adding it to repo (e.g. db-testing)

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread C Anthony Risinger
On Tue, Jun 15, 2010 at 11:43 AM, Aleksis Jauntēvs wrote: > On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote: >> On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs >> >> wrote: >> > I don't think that repo.db should be signed and it is enough to sign only >> > the >> > packages. As I unders

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Aleksis Jauntēvs
On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote: > On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs > > wrote: > > I don't think that repo.db should be signed and it is enough to sign only > > the > > packages. As I understand so far the only reason to sign repo.db file is > > to > > pre

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Pierre Schmitz
On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs wrote: > I don't think that repo.db should be signed and it is enough to sign only > the > packages. As I understand so far the only reason to sign repo.db file is > to > prevent "replay" situations in repos. It's the other way round: signing

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Aleksis Jauntēvs
On Tuesday 15 June 2010 18:47:41 Denis A. Altoé Falqueto wrote: > On Tue, Jun 15, 2010 at 12:34 PM, Denis A. Altoé Falqueto > > wrote: > > On Tue, Jun 15, 2010 at 12:02 PM, Guillaume ALAUX wrote: > >>> I think that we should avoid signing files remotely. > >> > >> Is there any precise reason?

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Denis A . Altoé Falqueto
On Tue, Jun 15, 2010 at 12:34 PM, Denis A. Altoé Falqueto wrote: > On Tue, Jun 15, 2010 at 12:02 PM, Guillaume ALAUX wrote: >>> I think that we should avoid signing files remotely. >> Is there any precise reason? If it is because "that remote place could be >> compromised" well any dev computer c

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Denis A . Altoé Falqueto
On Tue, Jun 15, 2010 at 12:02 PM, Guillaume ALAUX wrote: >> I think that we should avoid signing files remotely. > Is there any precise reason? If it is because "that remote place could be > compromised" well any dev computer could be compromised too! The main reason is that we would need to kee

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
On 15 June 2010 16:55, Dimitrios Apostolou wrote: > On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote: > >> On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou >> wrote: >> >>> Moreover, instead of building all packages in the private PCs of >>> developers, >>> I think it is preferable to sub

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
On 15 June 2010 16:46, Dan McGee wrote: > On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX > wrote: > >>How exactly are the core and extra databases populated? > >> Moreover, instead of building all packages in the private PCs of > > developers > > Packages are not built on developers' computers but on

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Dimitrios Apostolou
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote: On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou wrote: Moreover, instead of building all packages in the private PCs of developers, I think it is preferable to submit PKGBUILDs to build servers (via web interface maybe) and let the serve

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Dan McGee
On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX wrote: >>How exactly are the core and extra databases populated? >> Moreover, instead of building all packages in the private PCs of > developers > Packages are not built on developers' computers but on build machines as > explained here http://wiki.archli

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
>How exactly are the core and extra databases populated? > Moreover, instead of building all packages in the private PCs of developers Packages are not built on developers' computers but on build machines as explained here http://wiki.archlinux.org/index.php/Pacbuild

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Denis A . Altoé Falqueto
On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou wrote: > On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote: >> >> And keep in mind that package signing per se will not solve this kind >> of problem. Repository database signing is more important for that >> solution, but is a problem in the

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Ionuț Bîru
On 06/15/2010 04:57 PM, Dimitrios Apostolou wrote: On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote: And keep in mind that package signing per se will not solve this kind of problem. Repository database signing is more important for that solution, but is a problem in the current workflow of A

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Dimitrios Apostolou
On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote: And keep in mind that package signing per se will not solve this kind of problem. Repository database signing is more important for that solution, but is a problem in the current workflow of Arch developers. How exactly are the core and extra data

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-14 Thread Denis A . Altoé Falqueto
On Sun, Jun 13, 2010 at 7:46 AM, Xavier Chantry wrote: > On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar > wrote: >> >> This is the reason why we need package signing for Pacman.  I'm aware >> that some progress has been made and it's being worked on.  Are there >> any updates? >> > > It's all

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ng Oon-Ee
On Sun, 2010-06-13 at 10:48 +0100, Ananda Samaddar wrote: > On Sun, 13 Jun 2010 19:48:53 +1000 > Allan McRae wrote: > > > >> > > > > > > This is the reason why we need package signing for Pacman. I'm > > > aware that some progress has been made and it's being worked on. > > > Are there any updat

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Xavier Chantry
On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar wrote: > > This is the reason why we need package signing for Pacman. I'm aware > that some progress has been made and it's being worked on. Are there > any updates? > It's all there: http://projects.archlinux.org/users/allan/pacman.git/log/?h=

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ananda Samaddar
On Sun, 13 Jun 2010 19:48:53 +1000 Allan McRae wrote: > >> > > > > This is the reason why we need package signing for Pacman. I'm > > aware that some progress has been made and it's being worked on. > > Are there any updates? > > > > Yes... because package signing magically fixes all upstream

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Allan McRae
On 13/06/10 19:38, Ananda Samaddar wrote: On Sun, 13 Jun 2010 09:58:38 +0200 Thomas Bächler wrote: On 13.06.2010 02:33, Alexander Duscheleit wrote: OTOH the original mail was meant more to alert *users* of unrealircd, the maintainer should actually already have been noticed via the bug. I

[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ananda Samaddar
On Sun, 13 Jun 2010 09:58:38 +0200 Thomas Bächler wrote: > On 13.06.2010 02:33, Alexander Duscheleit wrote: > > OTOH the original mail was meant more to alert *users* of > > unrealircd, the maintainer should actually already have been > > noticed via the bug. > > In that case, it seems you cho