[Reproduce-devel] [task #15345] Automatically using backup tarball repository
Mon, 29 Jul 2019 09:02:55 -0400 (EDT)
Follow-up Comment #1, task #15345 (project reproduce):
Is it correct that as of commit da1123c, hashes to check tarball validity are only provided for python packages?

grep "h=" reproduce/software/make/*.mk

only finds the python hashes. I'd agree that python packages are probably the most likely to be risky, although lower level routines are at risk of having exploits too. Access to a user shell is a big step towards accessing root.
I think that a necessary element of automatically using backup tarballs would be having checksums for these. Using a mix of different URLs forces the user to implicitly associate a primary trust/confidence value to the group providing the overall package, since s/he won't be able to make serious judgments on dozens of individual websites. This overlaps with the general issue of "prefer-native-libraries" reproducibility <https://cosmo.torun.pl/blog/reproducibility> versus exact reproducibility. The more that goes through a trusted community with fully transparent well-defined pipelines and decision making (such as Debian), the more trust the user can have in

(A quote from the last of those four articles: _"Computational Trust applies the human notion of trust to the digital world, that is seen as malicious cooperative."_ I think that's fair enough, in the sense that crackers' robots, and incompetent annoying robots, are very much real in cyberspace.)
The python checksums appear to have 64 hexadecimal characters, with two pairs so my guess is that they're sha256sum checksums. Shifting to sha512sum would be safer (disclaimer: I'm not an encryption expert).

Anyway, my recommendation would be to, at least, have checksums for all that are not from the native distribution. A separate, though related, issue is to have some sort of systematic link to security alerts/updates. Again, this is way beyond anything I'm experienced in.
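An added example, not code from the reproduce project or from this thread, of the check the comment argues for: a POSIX shell snippet that picks sha256sum or sha512sum from the length of the expected digest, and only keeps a tarball, whether it came from the primary URL or a backup, when its digest matches. The `download` helper, its `file://` handling (so the example can be exercised offline) and the curl/wget fallback are assumptions made for this example, not conventions of the project's Makefiles.

```shell
#!/bin/sh
# Hypothetical checksum-gated fetch (example code, not the reproduce project's).
# Digest length selects the tool: 64 hex chars -> sha256sum, 128 -> sha512sum.
set -u

# hash_tool HEX: print the checksum program matching the digest length,
# fail on anything that is not a 64- or 128-character hex string.
hash_tool() {
    case "$1" in
        *[!0-9a-fA-F]*) echo unknown; return 1 ;;
    esac
    case "${#1}" in
        64)  echo sha256sum ;;
        128) echo sha512sum ;;
        *)   echo unknown; return 1 ;;
    esac
}

# verify_tarball FILE EXPECTED_HEX: 0 when the file's digest equals EXPECTED_HEX
# (case-insensitive), 1 on mismatch, missing file or malformed digest.
verify_tarball() {
    file=$1; expected=$2
    tool=$(hash_tool "$expected") || return 1
    [ -f "$file" ] || return 1
    actual=$("$tool" "$file" | cut -d' ' -f1)
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# download URL DEST: assumed helper. file:// URLs are copied locally so the
# logic can be tested offline; anything else goes through curl, then wget.
download() {
    case "$1" in
        file://*) cp "${1#file://}" "$2" 2>/dev/null ;;
        *) curl -fsSL -o "$2" "$1" 2>/dev/null || wget -q -O "$2" "$1" ;;
    esac
}

# fetch_verified DEST EXPECTED_HEX URL...: try each URL in order (primary first,
# backups after). Keep the first download whose digest matches; delete any
# download that fails verification so a bad mirror never leaves a tarball
# behind. Returns 1 if no source produced a matching file.
fetch_verified() {
    dest=$1; expected=$2; shift 2
    for url in "$@"; do
        if download "$url" "$dest" && verify_tarball "$dest" "$expected"; then
            echo "ok: $url"
            return 0
        fi
        rm -f "$dest"
        echo "rejected: $url" >&2
    done
    return 1
}
```

The expected digest is the pinned value from the build recipe, never something fetched alongside the tarball, so a backup mirror that serves a different file is rejected exactly like the primary would be.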