[ocaml-platform] Secure OPAM?

Anil Madhavapeddy anil at recoil.org
Sun Jan 18 21:11:23 GMT 2015

[+opam-devel to CC]

On 17 Jan 2015, at 15:19, Gabriel Scherer <gabriel.scherer at gmail.com> wrote:
> There is an excellent piece at LWN.net (do consider subscribing to
> this source of quality technical news) about a recent discussion in
> the Python community on how to "secure" their package manager
>  http://lwn.net/SubscriberLink/629426/bf933f7acea8466c/
> The article discusses in particular a library called TUF (The Update
> Framework) that aims to help solve the problem in a
> package-manager-agnostic way.
>  http://theupdateframework.com/
> (this page has some other interesting links, eg. to a similar
> discussion in the Ruby community about RubyGems)
> Is there a reference point to a discussion of the security aspects of
> the OPAM package manager? What I found so far is this 2013 issue by
> Edwin Török on signing packages:
>  https://github.com/ocaml/opam/issues/423
> As far as I know, the current status is that OPAM checks downloaded
> packages against the checksum in opam-repository, so it protects
> against an attacker changing upstream releases, assuming the
> opam-repository remains trusted and there is no man-in-the-middle
> (MITM) attack when the user downloads the metadata -- afaik it uses
> only HTTP currently.

This is certainly something that needs to go on the roadmap sooner
rather than later, and issue #423 is still the place to record
your opinions.

Having a signify-like model to let an OPAM mirroring script sign
distfiles would be a good first step, since the complexities of
managing a per-contributor signing infrastructure would be quite
significantly more work.

Note that the OPAM remote is HTTPS by default since OPAM 1.1.


More information about the Platform mailing list