
[Reproduce-devel] [task #15345] Automatically using backup tarball repos

From: Boud Roukema
Subject: [Reproduce-devel] [task #15345] Automatically using backup tarball repository
Date: Mon, 29 Jul 2019 09:02:55 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Follow-up Comment #1, task #15345 (project reproduce):

Is it correct that as of commit da1123c, hashes to check tarball 
validity are only provided for python packages?

grep "h=" reproduce/software/make/*.mk

only finds the python hashes. I'd agree that python packages are
probably the most likely to be risky, although lower level routines
are at risk of having exploits too. Access to a user shell is a big 
step towards accessing root.

I think that a necessary element of automatically using backup tarballs
would be having checksums for these. Using a mix of different URLs forces
the user to implicitly associate a primary trust/confidence value to the
individual or group providing the overall package, since s/he won't be able
to make serious judgments on dozens of individual websites. This overlaps
with the general issue of "prefer-native-libraries" reproducibility
<> versus exact reproducibility. The more that goes through a trusted
community with fully transparent well-defined pipelines and decision making
(such as Debian), the more trust the user can have in being secure.
(A quote from the last of those four articles: _"Computational Trust applies
the human notion of trust to the digital world, that is seen as malicious
rather than cooperative."_ I think that's fair enough, in the sense that
crackers' robots, and incompetent annoying robots, are very much real in
cyberspace.)

The python checksums appear to have 64 hexadecimal characters, with two pairs
split off, so my guess is that they're sha256sum checksums. Shifting to
sha512sum would probably be safer (disclaimer: I'm not an encryption expert).

Anyway, my recommendation would be to, at least, have checksums for all
downloaded packages that are not from the native distribution. A separate,
though related, issue, would be to have some sort of systematic link to
security alerts/updates. Again, this is something way beyond anything I'm
experienced in.


Reply to this item at:


  Message sent via Savannah
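The check proposed in the comment above, as an added POSIX shell example that is not part of this thread or of the reproduce project's own Makefiles: a pinned digest is verified against the downloaded tarball, the digest length selects SHA-256 (64 hex characters) or SHA-512 (128), and a list of sources is walked in order so that a backup tarball repository is only used when the primary copy is missing or fails the check. The source paths and tarball contents are constructed stand-ins (local files copied with `cp` instead of a wget/curl download); the function names `hash_file`, `algo_for_digest`, `verify_tarball` and `fetch_verified` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the reproduce project: verify a downloaded
# tarball against a pinned checksum and fall back to a backup source only
# when the primary copy is missing or fails verification.
# The hash algorithm is picked from the digest length: 64 hex characters
# is SHA-256, 128 is SHA-512 (the sha512sum mentioned in the comment).

# hash_file FILE ALGO -> prints the hex digest (ALGO is sha256 or sha512)
hash_file() {
    f=$1; algo=$2
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$f" | cut -d' ' -f1
    else
        # BSD/macOS fallback: shasum -a 256 / shasum -a 512
        shasum -a "${algo#sha}" "$f" | cut -d' ' -f1
    fi
}

# algo_for_digest DIGEST -> prints sha256 or sha512; fails on anything else
algo_for_digest() {
    case $1 in
        *[!0-9a-fA-F]*) return 1 ;;   # non-hex characters: not a digest
    esac
    case ${#1} in
        64)  echo sha256 ;;
        128) echo sha512 ;;
        *)   return 1 ;;
    esac
}

# verify_tarball FILE EXPECTED -> 0 if the file's digest equals EXPECTED
verify_tarball() {
    f=$1; expected=$2
    algo=$(algo_for_digest "$expected") || {
        echo "refusing to verify: '$expected' is not a sha256/sha512 digest" >&2
        return 1
    }
    actual=$(hash_file "$f" "$algo") || return 1
    [ "$actual" = "$(printf %s "$expected" | tr 'A-F' 'a-f')" ]
}

# fetch_verified DEST EXPECTED SOURCE... -> tries each SOURCE in order,
# keeps the first one whose content verifies, prints which source was used.
# Sources are local paths here (constructed stand-ins for the primary URL and
# the backup tarball repository); a real pipeline would wget/curl each one
# instead of cp.
fetch_verified() {
    dest=$1; expected=$2; shift 2
    for src in "$@"; do
        [ -r "$src" ] || continue                  # source unreachable
        cp "$src" "$dest.part" || continue
        if verify_tarball "$dest.part" "$expected"; then
            mv "$dest.part" "$dest"
            echo "$src"
            return 0
        fi
        echo "checksum mismatch from $src, trying next source" >&2
        rm -f "$dest.part"                         # never leave a bad copy behind
    done
    echo "no source produced a tarball matching $expected" >&2
    return 1
}

# Demo with constructed files: the primary source serves a tampered copy and
# the backup holds the genuine one, so the backup is what gets installed.
demo() {
    tmp=$(mktemp -d)
    printf 'genuine tarball bytes\n' > "$tmp/backup.tar.gz"
    printf 'tampered tarball bytes\n' > "$tmp/primary.tar.gz"
    pinned=$(hash_file "$tmp/backup.tar.gz" sha256)   # value a .mk file would pin
    fetch_verified "$tmp/out.tar.gz" "$pinned" \
        "$tmp/primary.tar.gz" "$tmp/backup.tar.gz"
    rm -rf "$tmp"
}
demo
```

The point of checking the digest before choosing a source, rather than only when the primary is unreachable, is that a backup repository then covers both an outage and a corrupted or substituted upstream tarball; a digest that is not 64 or 128 hex characters is rejected outright instead of being silently skipped, and a partial download that fails the check is deleted so a later build step cannot pick it up.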
