[ocaml-platform] OPAM: signing the repository

Francois Berenger francois.berenger at inria.fr
Fri Jun 5 14:13:37 BST 2015


On 06/05/2015 02:43 PM, Hannes Mehnert wrote:
> Hi Edwin,
>
> On 06/05/2015 13:27, Török Edwin wrote:
>> Thanks for working on this, I think this is an important piece in
>> the opam infrastructure.
>>
>> - there have been a few downgrade/MitM attacks related to legacy
>> cryptography in TLS or JWT, and I'd like to avoid that here.
>
>
> I do plan to support only SHA-2 and RSA > 2048 bits. But yes, it
> should be user-configurable.
>
>
>> - packages with git or local directory as source
>
>
> I do not plan to support signing for git / local dir (although git
> versions might carry an annotated tag with signature).
>
>
>> - Github PR merge security
>>
>> Author of PR can push more commits (even rewrite the whole PR
>> history with force push) which might create a race condition
>> between reviewing a PR and merging the PR. Can the snapshot bot add
>> a comment to each PR after it finished the Travis build with the
>> Git commit hash?
>
>
> The plan is to have some Travis checks here (which create a checkmark
> icon on success on the commit), and then the snapshot bot, which will
> verify that everything is monotonic.
>
>
>> - opam --trace-sigs
>>
>> Perhaps you intended to include this in opam-admin, but would be
>> useful to be able to display the full signature chain, and all the
>> files and signatures involved in it in the client too (think: dig
>> +trace).
>
>
> Agreed.
>
>
>> - how expensive is it to check signatures?

This can easily be parallelized (w/ parmap for example).

>> Will the client check each package's full chain, or just for the
>> root and the packages that are to be installed/upgraded?
>
>
> Before processing data, a client will first verify this data. A client
> will not blindly download and verify all the tarballs, but the
> metadata (opam file) will be verified before being used by opam for
> dependency calculation etc.
>
>
> Hannes

-- 
Regards,
Francois.
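
As an added illustration of the two points above (verification can be fanned out across workers, and metadata is checked before opam uses it), and not code from this thread or from opam itself, here is a Python sketch: every manifest entry is verified concurrently, and an entry naming an algorithm outside the SHA-2 family is rejected outright rather than checked with the weaker hash. The file names, manifest layout and contents are constructed for the example; a real client would replace the digest comparison with signature verification.

```python
# Added example (not from the thread or from opam): verify opam metadata in
# parallel, refusing any manifest entry that names a non-SHA-2 algorithm.
import hashlib
from concurrent.futures import ThreadPoolExecutor

# Only SHA-2 is accepted. An entry naming md5/sha1 fails immediately instead
# of being verified with the weaker algorithm (no silent downgrade).
ALLOWED_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})

def verify_entry(name, algorithm, expected_hex, content):
    """Return (name, ok, reason); content is the raw bytes of one opam file."""
    if algorithm not in ALLOWED_ALGORITHMS:
        return (name, False, f"algorithm {algorithm!r} not allowed")
    actual = hashlib.new(algorithm, content).hexdigest()
    if actual != expected_hex:
        return (name, False, "digest mismatch")
    return (name, True, "ok")

def verify_manifest(manifest, files, workers=4):
    """manifest: {name: (algorithm, hexdigest)}; files: {name: bytes}.
    Every entry is checked concurrently (hashlib releases the GIL while
    hashing). Returns {name: (ok, reason)}. A file absent from the manifest
    is unsigned and reported as a failure so it is never fed to the solver."""
    results, tasks = {}, []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for name, content in files.items():
            if name not in manifest:
                results[name] = (False, "not in signed manifest")
                continue
            alg, digest = manifest[name]
            tasks.append(pool.submit(verify_entry, name, alg, digest, content))
        for fut in tasks:
            name, ok, reason = fut.result()
            results[name] = (ok, reason)
    return results

# Constructed sample data standing in for opam files and a signed manifest.
SAMPLE_FILES = {
    "packages/lwt/lwt.2.5.0/opam": b'name: "lwt"\nversion: "2.5.0"\n',
    "packages/foo/foo.1.0/opam": b'name: "foo"\nversion: "1.0"\n',
    "packages/bar/bar.1.0/opam": b'name: "bar"\nversion: "1.0"\n',
}
SAMPLE_MANIFEST = {
    "packages/lwt/lwt.2.5.0/opam": ("sha256", hashlib.sha256(SAMPLE_FILES["packages/lwt/lwt.2.5.0/opam"]).hexdigest()),
    "packages/foo/foo.1.0/opam": ("sha256", "0" * 64),  # tampered: digest does not match
    "packages/bar/bar.1.0/opam": ("md5", "d" * 32),     # legacy algorithm: rejected unverified
}

if __name__ == "__main__":
    for name, (ok, reason) in sorted(verify_manifest(SAMPLE_MANIFEST, SAMPLE_FILES).items()):
        print("PASS" if ok else "FAIL", name, reason)
```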

