[opam-devel] [ocaml-platform] Secure OPAM?
Anil Madhavapeddy
anil at recoil.org
Sun Jan 18 21:11:23 GMT 2015
[+opam-devel to CC]
On 17 Jan 2015, at 15:19, Gabriel Scherer <gabriel.scherer at gmail.com> wrote:
>
> There is an excellent piece at LWN.net (do consider subscribing to
> this source of quality technical news) about a recent discussion in
> the Python community on how to "secure" their package manager
> http://lwn.net/SubscriberLink/629426/bf933f7acea8466c/
>
> The article discusses in particular a library called TUF (The Update
> Framework) that aims to help solve the problem in a
> package-manager-agnostic way.
> http://theupdateframework.com/
> (this page has some other interesting links, e.g. to a similar
> discussion in the Ruby community about RubyGems)
>
> Is there a reference point to a discussion of the security aspects of
> the OPAM package manager? What I found so far is this 2013 issue by
> Edwin Török on signing packages:
> https://github.com/ocaml/opam/issues/423
>
> As far as I know, the current status is that OPAM checks downloaded
> packages against the checksum in opam-repository, so it protects
> against an attacker changing upstream releases, assuming the
> opam-repository remains trusted and there is no man-in-the-middle
> (MITM) attack when the user downloads the metadata -- afaik it uses
> only HTTP currently.
This is certainly something that needs to go on the roadmap sooner
rather than later, and issue #423 is still the place to record
your opinions.
Having a signify-like model to let an OPAM mirroring script sign
distfiles would be a good first step, since the complexities of
managing a per-contributor signing infrastructure would be quite
significantly more work.
Note that the OPAM remote is HTTPS by default since OPAM 1.1.
-anil
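To make the two trust models in this exchange concrete, here is an added example, not code from the thread or from OPAM, that models Gabriel's description of checksum-only verification and Anil's proposed signify-like signing of mirror metadata. The manifest layout, the archive name `foo-1.0.tar.gz` and its contents are constructed for the example; Ed25519 is used because that is the algorithm signify itself uses. `Scenario` plays out three cases: the checksum catches a replaced archive, the checksum alone does not catch an on-path attacker who also rewrites the metadata (the plain-HTTP case Gabriel raises), and a signature checked against a pinned key does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest models the checksum metadata the repository carries for its
// distfiles (archive name -> hex SHA-256). The shape is an assumption made
// for this example, not opam-repository's real file format.
type Manifest map[string]string

// canonical serialises the manifest in sorted order so the signature covers
// one reproducible byte string.
func (m Manifest) canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

// sha256Hex is the digest form a checksum takes in the manifest.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDistfile is the checksum-only check described in the thread: the
// downloaded archive must match the digest recorded in the manifest.
func VerifyDistfile(m Manifest, name string, data []byte) error {
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("%s: no checksum in manifest", name)
	}
	if sha256Hex(data) != want {
		return fmt.Errorf("%s: checksum mismatch", name)
	}
	return nil
}

// SignManifest is the signify-like step: the mirror signs the canonical
// manifest with Ed25519 (the algorithm signify itself uses).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// Install checks in the order a client should: the manifest signature against
// a public key pinned out of band, then the archive checksum from the manifest.
func Install(pub ed25519.PublicKey, m Manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return errors.New("manifest signature invalid")
	}
	return VerifyDistfile(m, name, data)
}

// Outcome records which checks fire in Scenario.
type Outcome struct {
	HonestInstallOK, ChecksumCatchesTamperedArchive                      bool
	ChecksumCatchesRewrittenMetadata, SignatureCatchesRewrittenMetadata bool
}

// Scenario walks the threat model from the thread with constructed data: an
// honest mirror, then an on-path attacker who replaces the archive and, in the
// plain-HTTP case, also the metadata describing it.
func Scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const name = "foo-1.0.tar.gz"
	archive := []byte("constructed contents of foo-1.0.tar.gz") // constructed distfile
	honest := Manifest{name: sha256Hex(archive)}
	sig := SignManifest(priv, honest)
	evil := []byte("constructed contents of a replaced foo-1.0.tar.gz")
	rewritten := Manifest{name: sha256Hex(evil)} // metadata altered to match evil
	return Outcome{
		HonestInstallOK:                Install(pub, honest, sig, name, archive) == nil,
		ChecksumCatchesTamperedArchive: VerifyDistfile(honest, name, evil) != nil,
		// A checksum alone passes once the attacker controls the metadata too.
		ChecksumCatchesRewrittenMetadata: VerifyDistfile(rewritten, name, evil) != nil,
		// The old signature no longer covers the rewritten manifest.
		SignatureCatchesRewrittenMetadata: Install(pub, rewritten, sig, name, evil) != nil,
	}
}
```

The point the scenario makes is the one in the thread: the checksum in opam-repository is only as good as the channel and repository that deliver it, which is why fetching metadata over HTTPS matters and why a signature from a key the client already holds is the step that closes the gap. A per-contributor signing scheme would let the client verify who published each package as well, but the mirror-level signature above is the minimal version of the model Anil describes.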