chicken-users

Re: [Chicken-users] chicken-install package integrity/signing


From: Mario Domenech Goulart
Subject: Re: [Chicken-users] chicken-install package integrity/signing
Date: Sun, 23 Dec 2018 08:31:56 +0100

Hi Jason,

On Sun, 23 Dec 2018 00:11:51 +0000 Jason Valencia <address@hidden> wrote:

> Thomas Chust wrote:
>> Hello,
>>
>> implementing package signatures is technically not such a big deal
>> (see the experimental example script here: 
>> https://paste.call-cc.org/paste?id=b5f6d4cce329d48d64eefbe0922b64aebb16a9e5 
>> :-)
>>
>> But we need to decide who should be responsible for signatures and
>> which keys should be trusted by the package manager. The simplest
>> solution would probably be to have one trusted signing key and
>> signatures applied automatically by the package server. However,
>> this is not the most secure solution.
>>
>> The best guarantees for authenticity of the egg code would be given
>> by signatures from the original package authors, however
>> implementing that may require a significant infrastructural overhead
>> to maintain up-to-date lists of current keys and which eggs they are
>> allowed to sign.
>
> Until this is resolved, is anyone aware of good ways to install eggs
> more securely? A couple options come to mind but they seem overkill.
>
>  - Running a local egg mirror with henrietta as it looks like it can
>    fetch over HTTPS
>
>  - Downloading packages with chicken-install -retrieve (to just
>    download instead of installing) and manually inspecting each one

We actually have tarballs for eggs.  They are not used by any tool, so I
guess nobody is really making use of them so far.  Anyway, they are
here: https://code.call-cc.org/egg-tarballs/

They are served via HTTPS and there are checksum files for the tarballs.
They are not signed, though.  There is an index file for each tarball
repository (one per major CHICKEN version).  For example, for CHICKEN 5:
https://code.call-cc.org/egg-tarballs/5/index.gz (gzip-compressed).

The format of the index is:

* The first line is the index format version

* the following lines have this format:
  (<egg> <version> <tarball size> <tarball SHA1 sum> <dependencies> <test dependencies>)

I have a very ugly script that generates a Makefile to fetch, unpack and
install egg tarballs.  If you are interested, let me know.

All the best.
Mario
-- 
http://parenteses.org/mario
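As an added example (not code from this thread or from the CHICKEN project), here is a small Python reader for the index format Mario describes, with a size-and-SHA1 check of a downloaded tarball against its index entry. The sample index and tarball bytes are constructed inline so it runs offline; the nested-list shape of the dependency fields is an assumption.

```python
import hashlib
import hmac
import re

# Constructed stand-in for an egg tarball; in practice this is the file fetched
# from https://code.call-cc.org/egg-tarballs/<major>/.
TARBALL = b"constructed fake tarball contents for egg foo 1.0\n"

# Constructed index in the described format: first line is the index format
# version, each following line is
# (<egg> <version> <tarball size> <tarball SHA1 sum> <dependencies> <test dependencies>).
# The "foo" entry is derived from TARBALL so the check below can succeed;
# the "bar" entry carries a deliberately wrong (all-zero) checksum.
INDEX = (
    "1\n"
    '(foo "1.0" %d "%s" (srfi-1 matchable) (test))\n'
    % (len(TARBALL), hashlib.sha1(TARBALL).hexdigest())
    + '(bar "2.3" 4242 "%s" () ())\n' % ("0" * 40)
)

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def parse_sexp(text):
    """Read one s-expression: lists -> list, "..." -> str, digits -> int, else symbol str."""
    tokens = TOKEN.findall(text)
    pos = 0
    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1  # consume ")"
            return items
        if tok.startswith('"'):
            return tok[1:-1]
        return int(tok) if tok.isdigit() else tok
    return read()

def parse_index(text):
    """Return (format version, {egg: entry}) for an index in the described format."""
    lines = [l for l in text.splitlines() if l.strip()]
    entries = {}
    for line in lines[1:]:
        egg, version, size, sha1, deps, test_deps = parse_sexp(line)
        entries[egg] = {"version": version, "size": size, "sha1": sha1,
                        "deps": deps, "test_deps": test_deps}
    return int(lines[0]), entries

def verify_tarball(entry, data):
    """Check a downloaded tarball against its index entry: size first, then SHA1.
    Note: this only proves the file matches the (unsigned) index, not who built it."""
    if len(data) != entry["size"]:
        return False, "size mismatch: expected %d, got %d" % (entry["size"], len(data))
    if not hmac.compare_digest(hashlib.sha1(data).hexdigest(), entry["sha1"]):
        return False, "SHA1 mismatch"
    return True, "ok"
```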


