[ocaml-platform] Secure OPAM?

[Hannes Mehnert]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

On 01/18/2015 21:11, Anil Madhavapeddy wrote:
> This is certainly something that needs to go on the roadmap sooner 
> rather than later, and issue #423 is still the place to record your
> opinions.
> 
> Having a signify-like model to let an OPAM mirroring script sign 
> distfiles would be a good first step, since the complexities of 
> managing a per-contributor signing infrastructure would be quite 
> significantly more work.

Just as a short news-item - haskell debian build host got compromised
yesterday - https://news.ycombinator.com/item?id=9054795
I do think we need to keep the build hosts/repository hosts outside of
the trust chain, and push signing all the way up to the authors (or
rather maintainers).

> Note that the OPAM remote is HTTPS by default since OPAM 1.1.

That sounds great - where are the trust anchors taken from? Systemwide
(if so, from where/how/why)?

Once the dust clears up here, I plan to work on implementing tuf
(instead of signify/PGP, it seems like I'm biased towards TLS/X.509
these days to be able to use in-house tools).


Hannes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCQAGBQJU4dI+AAoJELyJZYjffCjuGZMP/11wi9xt1g944EltKpMsusLG
JRELq49Pde6ziAmw8Oo/rGAxY2N7nGWZg/1gC6izCFw8K0UV+g+6h51noNxJgdUY
4AvsZC7uhlvIhVOz1YbTgnJrPk0YMnG7mV+vY3IVwMaQ2iLczfMmUsJ55bVrFmwb
BavB0rfBVDA7ZsoAtgnHuYBAQ6Sab/IKk1EaG12icA0UrVUHkJ98QZ7o47AJD2yh
bSQItmV55tnzU1wUQtWCyXxz7B4FDdSPeazZyH+LRpeOHKx0OCqG4sChkV1bV5zQ
9EGheF0GTY0LH77YPnuzVgiSIFgt/9ZQzBsKP/Bt81k0ueFdLAbm3KEQqcljIWyA
Bls4/hybb+9M4+n5ejptC8LNoUIiBrmsE8o0CEIMLYABTe9o4iaa7bAeloMtibBW
SD7Xc4JOODIgwk53G3qW5ZIF9fslz4l8BWNSt9OfNLHaWXuNiyL18QM6j0K4ot/Z
cOzSoy1IEU6tVNzslz2BMyoPTO2znzcRg4qdjiZcU93CWQyOldDBpRe1ANwXj51Q
/6PX4LIMOVUv0ZQx10IcOazyZ4S8IvihWZZuPghmscPb8ALnuLRrPzA3lCQQtRAR
997RtqpzCsDiWZo4/OeGEpFTWKzILqHCJqpSJtvJ9eV4PBv7bprT8OOQI1nEA/MU
ZuEwkTbocNlW4L2KXC0Q
=8a5A
-----END PGP SIGNATURE-----