[ocaml-platform] OPAM: signing the repository
hannes at mehnert.org
Fri Jun 5 13:43:14 BST 2015
On 06/05/2015 13:27, Török Edwin wrote:
> Thanks for working on this, I think this is an important piece in
> the opam infrastructure.
> - there's been a few downgrade/MiTM attacks related to legacy
> cryptography in TLS or JWT and I'd like to avoid that here.
I do plan to support only SHA-2 and RSA > 2048 bits. But yes, it
should be user-configurable.
> - packages with git or local directory as source
I do not plan to support signing for git / local dir (although git
versions might carry an annotated tag with signature).
> - Github PR merge security
> Author of PR can push more commits (even rewrite the whole PR
> history with force push) which might create a race condition
> between reviewing a PR and merging the PR. Can the snapshot bot add
> a comment to each PR after it finished the Travis build with the
> Git commit hash?
The plan is to have some Travis checks here (which create a checkmark
icon on success on the commit), and then the snapshot bot which will
verify that everything is monotonic.
> - opam --trace-sigs
> Perhaps you intended to include this in opam-admin, but would be
> useful to be able to display the full signature chain, and all the
> files and signatures involved in it in the client too (think: dig
> - how expensive is it to check signatures?
> Will the client check each package's full chain, or just for the
> root and the packages that are to be installed/upgraded?
Before processing data, a client will first verify this data. A client
will not blindly download and verify all the tarballs, but the
metadata (opam file) will be verified before being used by opam for
dependency calculation etc.
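As an added example (not code from this thread or from opam itself), here is how a client could apply the three rules Hannes describes above: refuse anything but SHA-2 and RSA keys of at least 2048 bits, verify the signature before the opam file is handed to dependency calculation, and reject a snapshot that is not newer than the last one seen. The SignedMetadata layout, the snapshot counter and the Sign/NewKey helpers are assumptions made for the demonstration, using Go's standard library rather than whatever opam actually ships.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// SignedMetadata is a constructed stand-in for a signed opam file plus its snapshot counter.
type SignedMetadata struct {
	Snapshot  uint64 // strictly increasing per published snapshot
	Hash      crypto.Hash
	Body      []byte // the opam file, still unparsed
	Signature []byte
}
var ErrDowngrade = errors.New("rejected: hash or key below policy (downgrade)")
var ErrRollback = errors.New("rejected: snapshot not newer than last seen")
// Verify applies the policy in order: SHA-2 (SHA-256 here) and key size first, then the
// signature, then snapshot monotonicity; Body is returned only when all three pass.
func Verify(pub *rsa.PublicKey, lastSeen uint64, m SignedMetadata) ([]byte, error) {
	if m.Hash != crypto.SHA256 || pub.N.BitLen() < 2048 { // thread policy: SHA-2, RSA >= 2048
		return nil, ErrDowngrade
	}
	digest := sha256.Sum256(m.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature); err != nil {
		return nil, err // rsa.ErrVerification: body or signature was altered
	}
	if m.Snapshot <= lastSeen {
		return nil, ErrRollback
	}
	return m.Body, nil // only now is the opam file safe to parse
}
// Sign models the snapshot bot's side (constructed helper, not opam's own code).
func Sign(priv *rsa.PrivateKey, snapshot uint64, body []byte) (SignedMetadata, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMetadata{}, err
	}
	return SignedMetadata{Snapshot: snapshot, Hash: crypto.SHA256, Body: body, Signature: sig}, nil
}
// NewKey generates an RSA key pair of the given size (panics on failure).
func NewKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}
```

The algorithm and key-size check deliberately runs before any hash is computed, so a message that merely claims a weak algorithm is thrown away without touching the signature.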