[ocaml-platform] OPAM: signing the repository

Hannes Mehnert hannes at mehnert.org
Fri Jun 5 13:43:14 BST 2015



Hi Edwin,

On 06/05/2015 13:27, Török Edwin wrote:
> Thanks for working on this, I think this is an important piece in
> the opam infrastructure.
> 
> - there's been a few downgrade/MiTM attacks related to legacy
> cryptography in TLS or Jwt and I'd like to avoid that here.


I do plan to support only SHA-2 and RSA > 2048 bits. But yes, it
should be user-configurable.


> - packages with git or local directory as source


I do not plan to support signing for git / local dir (although git
versions might carry an annotated tag with signature).


> - Github PR merge security
> 
> Author of PR can push more commits (even rewrite the whole PR
> history with force push) which might create a race condition
> between reviewing a PR and merging the PR. Can the snapshot bot add
> a comment to each PR after it finished the Travis build with the
> Git commit hash?


The plan is to have some travis checks here (which creates a checkmark
icon on success on the commit), and then the snapshot bot which will
verify that everything is monotonic.


> - opam --trace-sigs
> 
> Perhaps you intended to include this in opam-admin, but would be
> useful to be able to display the full signature chain, and all the
> files and signatures involved in it in the client too (think: dig
> +trace).


Agreed.


> - how expensive is it to check signatures?
> 
> Will the client check each package's full chain, or just for the
> root and the packages that are to be installed/upgraded?


Before processing data, a client will first verify this data. A client
will not blindly download and verify all the tarballs, but the
metadata (opam file) will be verified before being used by opam for
dependency calculation etc.


Hannes
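The acceptance order sketched in the reply above, as an added illustration that is not code from opam or from the design under discussion: the client refuses anything outside the SHA-2 / RSA > 2048-bit policy before doing any work, checks that the snapshot counter only moves forward, and parses the opam file only after the check over it passes. The envelope format, the snapshot counter and the use of a plain digest in place of the RSA signature are assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Acceptance policy from the thread: SHA-2 digests only, RSA keys larger
# than 2048 bits. Anything else is refused before any verification work,
# which is what closes the legacy-algorithm downgrade path.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}
MIN_RSA_BITS = 2048

@dataclass
class Envelope:            # hypothetical signature envelope for an opam file
    hash_alg: str          # digest the signer claims to have used
    key_type: str          # key algorithm of the signing key
    key_bits: int          # RSA modulus size in bits
    snapshot: int          # counter the snapshot bot advances on each run
    digest_hex: str        # stand-in for the RSA signature over the metadata

def sign_envelope(metadata, snapshot, hash_alg="sha384", key_bits=4096):
    """Signer side (constructed): digest the metadata and wrap it."""
    digest = hashlib.new(hash_alg, metadata).hexdigest()
    return Envelope(hash_alg, "RSA", key_bits, snapshot, digest)

def policy_ok(env):
    return (env.hash_alg.lower() in ALLOWED_HASHES
            and env.key_type.upper() == "RSA"
            and env.key_bits > MIN_RSA_BITS)

def parse_opam(metadata):
    """Minimal 'field: value' parser; only reached after verification."""
    fields = {}
    for line in metadata.decode().splitlines():
        key, _, value = line.partition(":")
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields

def verify_then_parse(env, metadata, last_snapshot):
    """Check policy, monotonicity and the digest; parse only on success.
    Returns (ok, result): result is the parsed fields or a refusal reason."""
    if not policy_ok(env):
        return False, "legacy or weak algorithm refused"
    if env.snapshot <= last_snapshot:
        return False, "snapshot counter did not advance (rollback?)"
    expected = hashlib.new(env.hash_alg.lower(), metadata).hexdigest()
    if not hmac.compare_digest(expected, env.digest_hex):
        return False, "digest mismatch: metadata was altered"
    return True, parse_opam(metadata)
```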

