[ocaml-platform] OPAM: signing the repository
David Sheets
dwws2 at cam.ac.uk
Fri Jun 5 11:47:37 BST 2015
On 06/05/2015 10:59 AM, Hannes Mehnert wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA384
>
> Hi all,
>
> After a couple months of research and discussions between Louis
> Gesbert and myself, the proposal for a secured OPAM repository
> (featuring both end-to-end signing, and repository signing), is ready
> for a wider review.
Wow! This is really nice work.
I have a few questions:
1. In your linearity invariants, you say that no key may be removed (1)
which seems sensible even if inviting a lot of cruft eventually. Then,
you say that keys can only be modified with a signature (5) and, as a
special exception, removal of a developer key (exception 2) is allowed.
What happens when these events occur? Do things get re-signed? Do
clients have to traverse the repo history to extract old keys to verify
signatures?
2. Are the default opam root keys compiled into the binary or on-disk? I
interpreted it both ways from a couple of mentions throughout the doc.
3. How will the uniqueness and time-limitedness of the initial-bootstrap
key be enforced?
4. Where are RM keys stored in the repo? In keys/dev? keys/root seems to
contain a list of the keyid/algo/key triples for RMs but there is a
keyid uniqueness condition...? Could you clarify the distinction between
a keyid and an author id (user at host)?
5. Can the dev (and RM) identities be designed for extensibility? It
reads like the key files will just contain a list of key triples right
now. Could these files contain a single field, e.g. "keys", so that
others could be added later? Specifically, I would like to attest to my
GitHub user id so the signatures in the repo can be used by bots to
authorize simple actions performed by my GitHub user (e.g. rebuild this PR).
Overall, it looks very well thought out! Thanks for putting in so much
effort to get us this far. I'm very optimistic about this system, now.
David
> The result has just been posted at
> https://opam.ocaml.org/blog/Signing-the-opam-repository/
>
> This thread is intended as the official channel for comments and
> discussion on the proposal above.
>
> Thanks!
>
> Louis Gesbert and Hannes Mehnert
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCQAGBQJVcXMKAAoJELyJZYjffCju+zYQAKJKhnjkVeya4TGgDNjDaVK4
> sgSeZaiqpEwtx7wFIFBoCmDg2s7KfJXXNxI6XmVW93PBhU4mBNT+Xzykkpw5+DcF
> cgtXe3nJqqEqTV/fPJ7FT+uXFJqCcj5CVIzUKAtdKqnKrjU1owdJiaHVIfSXcrEb
> hHJ2Ij1qEWeey/oBXiJrunwQ5QkkxRBQAXdtK+7j9s71ZK7UCuRGi/g1GD/ZMxTL
> 9rMAMSnYggGUMSIhDPOJlAHXd9nHSlv0ME6zt48mQgZ8a3T3+bq/SZrlteRsbHOH
> wJQECa62pa/EpOn57SNEqSwU0rcPKi/6BXwZ/fG4+byZdHLjet8g2zxlO+WUb3PL
> T4y1oeKatKu06f64SU5Ty0EZnG6uABoRj963BKVfQHs1R5VCL3rVXIsdaXiBmecP
> uth3QOehFxHN91NSm0WhMbqd7OnPetIDzpMwjGxw3b9sOzHKOx4YJhpxakYdIpU9
> Yxb61vclRAyTYPFMucXJDjwQSVcDvp9weN5QdFkRoLB+wIwfcyiaheZGvb27O/Ia
> 9gPyVxyO0/S9Rf7sIna5IMoIFqJ4v3J7tfoTJdk3brNftfjZ0bg1ZuolshhnA93G
> 4lgG179pVIsfYMCpmi6II1hV23FzWOFBn4jbgM9hTvVKG+y+Ag704lXVhzygz6Gh
> gCx+wKh/LuI+phhcesw7
> =wOT2
> -----END PGP SIGNATURE-----
> _______________________________________________
> Platform mailing list
> Platform at lists.ocaml.org
> http://lists.ocaml.org/listinfo/platform
>
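The following is an added illustration for two of the points raised in the reply above, and is not code from the opam signing proposal or from either poster. It shows (point 5) a developer key file with a single top-level "keys" field, so that further fields such as a GitHub user id can be attached later without changing the shape every client must parse, next to the bare list-of-triples shape, and (point 1) a linearity check between two versions of a key set in which keys may be added but not silently removed or altered. The JSON layout, the field names `keyid`/`algo`/`key`, the `github` attestation and the `authorised` parameter are assumptions made for the example; the proposal's real file syntax and its signing rules are not reproduced here.

```python
"""Added example for the opam signing thread (not the proposal's own code).

Assumed for illustration: key files are JSON; each key is a
keyid/algo/key triple; an extensible file is an object whose "keys"
field holds the triples and whose other fields are free for later use.
"""
import json

# Constructed sample: the bare "list of triples" shape (keyid, algo, key).
FLAT_KEYFILE = json.dumps([
    ["k1", "ed25519", "pub-k1"],
    ["k2", "rsa", "pub-k2"],
])

# Constructed sample: the extensible shape, with a hypothetical extra
# field attesting a GitHub login that a bot could act on.
EXTENSIBLE_KEYFILE = json.dumps({
    "keys": [
        {"keyid": "k1", "algo": "ed25519", "key": "pub-k1"},
        {"keyid": "k2", "algo": "rsa", "key": "pub-k2"},
    ],
    "github": "dsheets",  # hypothetical attestation, not in the proposal
})

# Constructed sample violating keyid uniqueness.
DUPLICATE_KEYFILE = '[["k1","ed25519","a"],["k1","rsa","b"]]'


class KeyFileError(ValueError):
    pass


def load_keys(text):
    """Parse either shape and return ({keyid: entry}, extra_fields).

    keyids must be unique within one file. Fields other than "keys" are
    handed back untouched: newer clients can use them, older clients can
    ignore them, and they are still covered by whatever signature protects
    the file as a whole.
    """
    doc = json.loads(text)
    if isinstance(doc, list):
        entries = [{"keyid": k, "algo": a, "key": v} for k, a, v in doc]
        extra = {}
    elif isinstance(doc, dict) and isinstance(doc.get("keys"), list):
        entries = doc["keys"]
        extra = {k: v for k, v in doc.items() if k != "keys"}
    else:
        raise KeyFileError("unrecognised key file shape")

    keys = {}
    for e in entries:
        missing = {"keyid", "algo", "key"} - set(e)
        if missing:
            raise KeyFileError(f"entry lacks {sorted(missing)}")
        if e["keyid"] in keys:
            raise KeyFileError(f"duplicate keyid {e['keyid']!r}")
        keys[e["keyid"]] = e
    return keys, extra


def github_user(extra):
    """Return the attested GitHub login from the extra fields, or None."""
    return extra.get("github")


def check_linearity(old, new, authorised=()):
    """Compare two key sets as returned by load_keys.

    Returns a list of violations. Adding keys is always fine. A keyid in
    `old` must still be present and unchanged in `new` unless it is listed
    in `authorised`, which stands in for a removal or modification that was
    explicitly signed off (how that signature is made and checked is
    outside this example).
    """
    problems = []
    for keyid, entry in old.items():
        if keyid in authorised:
            continue
        if keyid not in new:
            problems.append(f"key {keyid!r} removed")
        elif new[keyid] != entry:
            problems.append(f"key {keyid!r} modified")
    return problems
```

A client that verifies an old package signature against the key set current at that point in the repository history would call `load_keys` on the historical file and `check_linearity` on each step forward; the check here only models the "no silent removal or modification" invariant and leaves the signing of authorised exceptions to the real protocol.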