[ocaml-platform] OPAM: signing the repository
francois.berenger at inria.fr
Fri Jun 5 14:13:37 BST 2015
On 06/05/2015 02:43 PM, Hannes Mehnert wrote:
> Hi Edwin,
> On 06/05/2015 13:27, Török Edwin wrote:
>> Thanks for working on this, I think this is an important piece in
>> the opam infrastructure.
>> - there have been a few downgrade/MiTM attacks related to legacy
>> cryptography in TLS or JWT and I'd like to avoid that here.
> I do plan to support only SHA-2 and RSA > 2048 bits. But yes, it
> should be user-configurable.
>> - packages with git or local directory as source
> I do not plan to support signing for git / local dir (although git
> versions might carry an annotated tag with signature).
>> - Github PR merge security
>> Author of PR can push more commits (even rewrite the whole PR
>> history with force push) which might create a race condition
>> between reviewing a PR and merging the PR. Can the snapshot bot add
>> a comment to each PR after it finished the Travis build with the
>> Git commit hash?
> The plan is to have some travis checks here (which creates a checkmark
> icon on success on the commit), and then the snapshot bot which will
> verify that everything is monotonic.
>> - opam --trace-sigs
>> Perhaps you intended to include this in opam-admin, but would be
>> useful to be able to display the full signature chain, and all the
>> files and signatures involved in it in the client too (think: dig
>> - how expensive is it to check signatures?
This can easily be parallelized (w/ parmap for example).
>> Will the client check each package's full chain, or just for the
>> root and the packages that are to be installed/upgraded?
> Before processing data, a client will first verify this data. A client
> will not blindly download and verify all the tarballs, but the
> metadata (opam file) will be verified before being used by opam for
> dependency calculation etc.
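Edwin's downgrade concern, Hannes's SHA-2 / RSA-size policy and verify-before-use rule, and the snapshot bot's monotonic check, combined into one added example. This is not OPAM's code or anyone's from the thread; it is written in Python with HMAC standing in for RSA so it runs on the standard library alone, and the key, snapshot and package name are constructed.

```python
import hmac
import json

# Policy from the thread: SHA-2 digests only, RSA keys of at least 2048 bits.
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}
MIN_KEY_BITS = 2048

# Constructed trusted key, as a client would load it from its own config. HMAC
# stands in for RSA so this runs on the standard library; the checks are the point.
TRUSTED_KEY = {"bits": 4096, "secret": b"constructed-demo-key"}

def sign_snapshot(snapshot, key=TRUSTED_KEY):
    """Snapshot-bot side: sign a canonical encoding of the repository snapshot."""
    payload = json.dumps(snapshot, sort_keys=True).encode()
    sig = hmac.new(key["secret"], payload, snapshot["digest"]).hexdigest()
    return {"snapshot": snapshot, "sig": sig}

def verify_snapshot(signed, last_version, key=TRUSTED_KEY):
    """Client side: verify before use; metadata is returned only if every check holds."""
    snap = signed["snapshot"]
    digest = snap.get("digest")
    if digest not in ALLOWED_DIGESTS:          # no legacy-digest downgrade
        raise ValueError(f"digest {digest!r} rejected: SHA-2 only")
    if key["bits"] < MIN_KEY_BITS:             # no short-key downgrade
        raise ValueError("verifying key shorter than policy allows")
    payload = json.dumps(snap, sort_keys=True).encode()
    expected = hmac.new(key["secret"], payload, digest).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("signature does not verify")
    if snap["version"] <= last_version:        # the "monotonic" check
        raise ValueError("snapshot version did not increase: possible rollback")
    return snap["packages"]                    # only now handed to the solver

# Constructed snapshot, as the bot might publish it after a merged PR.
SNAPSHOT = {"version": 7, "digest": "sha384",
            "packages": {"example-pkg.1.0": "opam-file-digest-placeholder"}}
SIGNED = sign_snapshot(SNAPSHOT)

def demo():
    # Accept the genuine snapshot; reject replay, tampering and a legacy digest.
    accepted = verify_snapshot(SIGNED, last_version=6)
    cases = [("rollback", SIGNED, 7),
             ("tampered", {"snapshot": dict(SNAPSHOT, packages={}), "sig": SIGNED["sig"]}, 6),
             ("weak digest", sign_snapshot(dict(SNAPSHOT, digest="sha1")), 6)]
    rejected = []
    for label, signed, last in cases:
        try:
            verify_snapshot(signed, last)
        except ValueError:
            rejected.append(label)
    return accepted, rejected
```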