Am Dienstag, 17. Juli 2012, 22:15:04 schrieb Marcus Hüwe:
On 2012-07-17 21:45:21 +0200, Adrian Schröter wrote:
Am Dienstag, 17. Juli 2012, 21:13:33 schrieb Marcus Hüwe:
On 2012-07-17 17:47:07 +0200, Marcus Meissner wrote:your
On Tue, Jul 17, 2012 at 05:31:40PM +0200, Marcus Hüwe wrote:
Hi,
some days ago darix and I had a small discussion about verifying the integrity of the downloaded packages which are used for local builds. The idea is that we add a checksum for each package to the buildinfo xml so that a client/osc can "easily" check if the downloaded file is corrupted. For instance we could add the hdrmd5 to buildinfo (this would require only a small change in the backend) or alternatively we add the md5 of the whole package to the buildinfo (this would probably require a bigger change in the backend). The advantage of the latter is that it is much easier to verify for the client (but then I don't think there are many clients which deal with the buildinfo at all...).
Any opinions?:)
I thought there is RPM key checking done already? At least it asks me for the keys..
This could be reused for this.
Yes currently osc checks the rpm signature but this is only true for rpms. We cannot verify the integrity for deb packages or arch packages. Thus it would help if we have some hash value which can be used for checking the package (or in case of the hdrmd5 that at least some "parts" of the downloaded file are correct).
Also the current rpm key checking just "assures" integrity of the package - nothing more (IMHO because we just download a key from the api and check the rpm).
but the user needs to decide if he trusts the project or not. That is the important security thingy here.
Hmm well that can be easily implemented for all binarytypes - we just need walk through the buildinfo's path elements and ask the user. This doesn't change the fact that osc current rpm signature check only assures integrity (IMHO).
Where do you see a security problem?
However, our plan is to prepare SHA sums by the signer. It could be used for your usecase. But that means all rpms (and actually debs should) would be verified twice, because you can't skip the security verification.
If it's implemented in the signer is there a way to assign SHA sums to imported binary packages, too (like for imported Debian:5.0 packages) (it would be nice if all packages in the buildinfo carry a checksum attribute)?
It would double IO load here and would not make the build faster...
What would help here would be store if an rpm got verified in the cache. So the next build could skip it.
We would probably only do the check once the package is downloaded.
And why not doing the gpg check at that point of time as you need to do it anyway? -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org