Posted to dev@bigtop.apache.org by Steve Loughran <st...@apache.org> on 2012/02/24 18:59:08 UTC

Fwd: Re: An ASF yum repository?

Henk says that all the stuff in the repos should be signed, somehow...

-------- Original Message --------
Subject: Re: An ASF yum repository?
Date: Fri, 24 Feb 2012 16:08:28 +0100
From: Henk P. Penning <pe...@uu.nl>
To: Steve Loughran <st...@apache.org>
CC: Graham Leggett <mi...@sharp.fm>, Tony Stevenson <pc...@apache.org>, Apache Infrastructure <in...@apache.org>

On Fri, 24 Feb 2012, Steve Loughran wrote:

> Date: Fri, 24 Feb 2012 15:47:48 +0100
> From: Steve Loughran <st...@apache.org>
> To: Graham Leggett <mi...@sharp.fm>
> Cc: Tony Stevenson <pc...@apache.org>,
>     Apache Infrastructure <in...@apache.org>
> Subject: Re: An ASF yum repository?

   [ ... ]

> Apache Bigtop sticks its artefacts out in the right layout -and mirrors these
> out to all the mirrors. Provided the directory trees get copied, it's just
> the signing problem left.
>
> http://www.apache.org/dist//incubator/bigtop/stable/repos/

Hi,

   bigtop is distributing unsigned stuff; see

     http://people.apache.org/~henkp/checker/sig.html#user-rvs

   for instance

     incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz

   Can you fix that ?

   Regards,

   Henk Penning

---------------------------------------------------------   _
Henk P. Penning, ICT-beta              R Uithof WISK-412  _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Budapestlaan 6, 3584CD Utrecht, NL     F +31 30 253 4553 \_/ \_/
http://people.cs.uu.nl/henkp/          M penning@uu.nl     \_/

Re: Fwd: Re: An ASF yum repository?

Posted by Matt Foley <mf...@hortonworks.com>.
RPM files should be signed according to yum and zypper standards, DEB files
should be signed according to apt and juju standards.

For tarballs, there is no standard.  I suggest they should be signed via
files in the same directory as the tarballs themselves are published, as
this has been the Apache norm for www.apache.org/dist/.  What do you think?

--Matt

On Fri, Feb 24, 2012 at 6:14 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:

> Roman Shaposhnik wrote on Fri, Feb 24, 2012 at 17:40:12 -0800:
> > On Fri, Feb 24, 2012 at 4:59 PM, Bruno Mahé <bm...@apache.org> wrote:
> > >>   2. The items with "missing sigs" mentioned in the checker page
> > >>      belong to some package repo you publish. It is clear that,
> > >>      according to the rules, these packages must be signed, or
> > >>      removed.
> > >>
> > >>   Regards,
> > >>
> > >>   HPP
> > >>
> > >
> > > Sure, since Roman was the release manager I guess he will have to sign
> > > every single file.
> > > I just opened the following ticket:
> > > https://issues.apache.org/jira/browse/BIGTOP-421
> >
> > I'm totally willing to make repositories signed. However, that won't
> > stop the script from complaining.
> >
> > Will it be possible to satisfy apache infra requirements with signed
> > apt/yum/zypper repos?
>
> Yes.  The point is that releases must be cryptographically signed and
> verifiable.  Signing the .asc files in the apt trees DOES NOT guarantee
> that.  Signing the releases in the method specific to apt trees does.
>
> Follow the policy, not the scripts that implement it.
>
> > Linux distributions have been using this mechanism to guarantee
> > authenticity of distributed artifacts for at least 7 years by now and
> > I'm pretty sure it has passed the test of time as far as infosec
> > policies are concerned.
> >
> > Henk, what's your take on this?
> >
> > Thanks,
> > Roman.
>

Re: Fwd: Re: An ASF yum repository?

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Roman Shaposhnik wrote on Fri, Feb 24, 2012 at 17:40:12 -0800:
> On Fri, Feb 24, 2012 at 4:59 PM, Bruno Mahé <bm...@apache.org> wrote:
> >>   2. The items with "missing sigs" mentioned in the checker page
> >>      belong to some package repo you publish. It is clear that,
> >>      according to the rules, these packages must be signed, or
> >>      removed.
> >>
> >>   Regards,
> >>
> >>   HPP
> >>
> >
> > Sure, since Roman was the release manager I guess he will have to sign
> > every single file.
> > I just opened the following ticket:
> > https://issues.apache.org/jira/browse/BIGTOP-421
> 
> I'm totally willing to make repositories signed. However, that won't stop the
> script from complaining.
> 
> Will it be possible to satisfy apache infra requirements with signed
> apt/yum/zypper repos?

Yes.  The point is that releases must be cryptographically signed and
verifiable.  Signing the .asc files in the apt trees DOES NOT guarantee
that.  Signing the releases in the method specific to apt trees does.

Follow the policy, not the scripts that implement it.

> Linux distributions have been using this mechanism to guarantee
> authenticity of distributed artifacts for at least 7 years by now and I'm pretty
> sure it has passed the test of time as far as infosec policies are concerned.
> 
> Henk, what's your take on this?
> 
> Thanks,
> Roman.

Re: Fwd: Re: An ASF yum repository?

Posted by Roman Shaposhnik <rv...@apache.org>.
On Fri, Feb 24, 2012 at 4:59 PM, Bruno Mahé <bm...@apache.org> wrote:
>>   2. The items with "missing sigs" mentioned in the checker page
>>      belong to some package repo you publish. It is clear that,
>>      according to the rules, these packages must be signed, or
>>      removed.
>>
>>   Regards,
>>
>>   HPP
>>
>
> Sure, since Roman was the release manager I guess he will have to sign
> every single file.
> I just opened the following ticket:
> https://issues.apache.org/jira/browse/BIGTOP-421

I'm totally willing to make repositories signed. However, that won't stop the
script from complaining.

Will it be possible to satisfy apache infra requirements with signed
apt/yum/zypper repos? Linux distributions have been using this mechanism
to guarantee authenticity of distributed artifacts for at least 7 years
by now and I'm pretty sure it has passed the test of time as far as
infosec policies are concerned.

Henk, what's your take on this?

Thanks,
Roman.

Re: Fwd: Re: An ASF yum repository?

Posted by Bruno Mahé <bm...@apache.org>.
On 02/24/2012 04:44 PM, Henk P. Penning wrote:
> On Fri, 24 Feb 2012, Bruno Mahé wrote:
>
>> Date: Fri, 24 Feb 2012 22:43:15 +0100
>> From: Bruno Mahé <bm...@apache.org>
>> To: bigtop-dev@incubator.apache.org
>> Cc: Steve Loughran <st...@apache.org>, Henk P. Penning <pe...@uu.nl>
>> Subject: Re: Fwd: Re: An ASF yum repository?
>>
>> Some questions for our dear mentors:
>>
>> * Given that we are targeting a release by end of march, is it ok to let
>> the current convenience artefacts as is but make sure everything will be
>> signed from now on?
>>
>> * The previous convenience packages were not signed but the ones for the
>> coming release will be. That means packages/repositories metadata will
>> contain a signed checksum of the artefacts. Therefore signing files such
>> as
>> incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
>>
>> wouldn't achieve anything but make the checker script happy since no
>> user or package management would know about such a signature required by
>> the checker script. Signing any file to make the checker script happy is
>> absolutely fine if it is used by Apache infra to ensure file integrity,
>> but it has to be noted that no one but package management systems will look at
>> these tarballs. The only thing looking at these signatures will be the
>> checker script. So as part of the release process, is signing these
>> tarballs for the checker script a requirement?
>
>   Yes.
>
>   1. Of course "keeping the checker script happy" isn't the real
>      reason, but if that's your motivation : fine.
>
>      The real reason is the rule :
>
>        Every artifact distributed by the Apache Software Foundation
>        should and every new one must be accompanied by one file
>        containing an OpenPGP compatible ASCII armored detached
>        signature and another file containing an MD5 checksum.
>
>      which is motivated here : Why We Sign Releases :
>
>        http://www.apache.org/dev/release-signing.html#motivation
>
>      The checker just tries to verify that the rules are kept.
>

I absolutely agree with the motivation to sign releases.
But I believe there has been a misunderstanding regarding the way
package managers work.
Signed packages contain the signed checksum of the tarball in their
metadata. And a package manager will only look at that metadata.
A package manager will not look at any signed checksum put in the same
directory as the tarballs. It does not even know how to handle them
because it uses another mechanism.

So following stricto sensu the apache release-signing page will not
improve or achieve any security at all.
Humans do not interact with these files at all.
If somehow the tarball would not match the signed checksum from the
package metadata, it would be then detected by the package manager.
So a signed package already enables the following:
"users can make sure that what they received has not been modified in
any way, either accidentally via a faulty transmission channel, or
intentionally (with or without malicious intent)"

So again, any signed checksum put in the same directory as the tarball
will only help making the checker script happy, which is absolutely fine
since this enables the Apache infrastructure team to directly check the
integrity of a file without going through the package managers. But
users/package managers won't even know about it.



>   2. The items with "missing sigs" mentioned in the checker page
>      belong to some package repo you publish. It is clear that,
>      according to the rules, these packages must be signed, or
>      removed.
>
>   Regards,
>
>   HPP
>

Sure, since Roman was the release manager I guess he will have to sign
every single file.
I just opened the following ticket:
https://issues.apache.org/jira/browse/BIGTOP-421
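The mechanism Bruno describes above is apt's trust chain: one OpenPGP signature on the Release file, and below it only hashes that the signed parent commits to (Release lists the SHA256 of each Packages/Sources index; a Sources stanza lists, under Checksums-Sha256, the hash of every source file in the pool, the .orig.tar.gz included; a Packages stanza lists the SHA256 of each .deb). The following is an added example written for this page, not Bigtop code and not apt's own implementation; it models that chain end to end for the pool path discussed in the thread. The Release and Sources contents, the tarball bytes and all hashes are constructed for the demo, and release_sig_ok=True stands in for a successful gpg --verify of Release.gpg, which the release_signature_ok() helper shows but the demo does not run (it needs gpg and the signer's public key). Note what the chain covers: a client that starts from the signed Release. A tarball fetched directly from the mirror path is outside it.

```python
"""Added example (written for this page, not Bigtop code): how an apt client
chains trust from one signed file down to a file in the pool.

    Release (OpenPGP-signed as Release.gpg or InRelease)
      -> SHA256 of each index file, e.g. contrib/source/Sources
         -> Checksums-Sha256 of each source file, e.g. the .orig.tar.gz
            -> the pool file itself

Only the top carries a signature; every other link is a hash the signed
parent commits to. All repository data below is constructed for the demo.
"""
import hashlib
import re
import subprocess
from typing import Dict, Optional, Tuple

HashMap = Dict[str, Tuple[str, int]]  # path -> (sha256 hex, size in bytes)


def parse_hash_section(text: str, section: str) -> HashMap:
    """Parse a multi-line hash field ('SHA256:' in Release, 'Checksums-Sha256:'
    in a Sources stanza). Each entry line is ' <hex> <size> <path>'."""
    out: HashMap = {}
    in_section = False
    for line in text.splitlines():
        if re.match(r"^[A-Za-z0-9-]+:", line):        # any field header
            in_section = line.startswith(section + ":")
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest.lower(), int(size))
    return out


def _field(stanza: str, name: str) -> Optional[str]:
    m = re.search(rf"^{name}: (.*)$", stanza, re.M)
    return m.group(1).strip() if m else None


def pool_entries(index_text: str) -> HashMap:
    """Pool paths referenced by a Packages index (Filename/Size/SHA256 per .deb)
    or a Sources index (Directory + Checksums-Sha256 per source file)."""
    out: HashMap = {}
    for stanza in re.split(r"\n\s*\n", index_text.strip()):
        filename, sha, size = (_field(stanza, k) for k in ("Filename", "SHA256", "Size"))
        if filename and sha and size:                  # Packages stanza
            out[filename] = (sha.lower(), int(size))
            continue
        directory = _field(stanza, "Directory")
        if directory:                                  # Sources stanza
            for name, entry in parse_hash_section(stanza, "Checksums-Sha256").items():
                out[f"{directory}/{name}"] = entry
    return out


def release_signature_ok(release_path: str, sig_path: str, keyring: str) -> bool:
    """The one signature check in the chain, delegated to gpg as a user would
    run it. Not executed by the demo (needs gpg and the signer's public key)."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--verify", sig_path, release_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


class SignedAptRepo:
    def __init__(self, release_text: str, release_sig_ok: bool,
                 indexes: Dict[str, bytes], pool: Dict[str, bytes]):
        self.release = parse_hash_section(release_text, "SHA256")
        self.release_sig_ok = release_sig_ok   # result of release_signature_ok()
        self.indexes = indexes                 # index path -> bytes as fetched
        self.pool = pool                       # pool path -> bytes as fetched

    def verify(self, pool_path: str) -> bool:
        """True if pool_path matches the hash the signed Release commits to via
        an index; False if its bytes differ; raises if the chain is broken above
        it (bad Release signature, or an index not matching Release)."""
        if not self.release_sig_ok:
            raise ValueError("Release signature failed; nothing below it is trusted")
        for index_path, index_bytes in self.indexes.items():
            want = self.release.get(index_path)
            if want is None:
                continue        # an index the Release does not list is not trusted
            if (hashlib.sha256(index_bytes).hexdigest(), len(index_bytes)) != want:
                raise ValueError(f"{index_path} does not match the signed Release")
            entry = pool_entries(index_bytes.decode()).get(pool_path)
            if entry is not None:
                data = self.pool[pool_path]
                return (hashlib.sha256(data).hexdigest(), len(data)) == entry
        raise KeyError(f"{pool_path} is not referenced by any signed index")


# Constructed demo repository using the pool path from the thread; the tarball
# bytes and every hash are fake and exist only to show the chain end to end.
POOL_DIR = "pool/contrib/h/hadoop-zookeeper"
TARBALL = "hadoop-zookeeper_3.3.3.2.orig.tar.gz"


def build_demo(tarball: bytes = b"stand-in for the orig tarball\n") -> SignedAptRepo:
    sources = ("Package: hadoop-zookeeper\nVersion: 3.3.3.2-1\n"
               f"Directory: {POOL_DIR}\nChecksums-Sha256:\n"
               f" {hashlib.sha256(tarball).hexdigest()} {len(tarball)} {TARBALL}\n").encode()
    release = ("Suite: stable\nSHA256:\n"
               f" {hashlib.sha256(sources).hexdigest()} {len(sources)} contrib/source/Sources\n")
    # release_sig_ok=True stands in for a successful gpg --verify of Release.gpg
    return SignedAptRepo(release, True, {"contrib/source/Sources": sources},
                         {f"{POOL_DIR}/{TARBALL}": tarball})


if __name__ == "__main__":
    repo = build_demo()
    print("intact:", repo.verify(f"{POOL_DIR}/{TARBALL}"))     # True
    repo.pool[f"{POOL_DIR}/{TARBALL}"] = b"tampered on a mirror\n"
    print("tampered:", repo.verify(f"{POOL_DIR}/{TARBALL}"))   # False
```

The verify() method refuses to look at anything when the Release signature failed, and treats an index that Release does not list as untrusted rather than falling back to it; both are the points where a lenient client would let an unsigned file through.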

Re: Fwd: Re: An ASF yum repository?

Posted by "Henk P. Penning" <pe...@uu.nl>.
On Fri, 24 Feb 2012, Bruno Mahé wrote:

> Date: Fri, 24 Feb 2012 22:43:15 +0100
> From: Bruno Mahé <bm...@apache.org>
> To: bigtop-dev@incubator.apache.org
> Cc: Steve Loughran <st...@apache.org>, Henk P. Penning <pe...@uu.nl>
> Subject: Re: Fwd: Re: An ASF yum repository?
> 
> Some questions for our dear mentors:
>
> * Given that we are targeting a release by end of march, is it ok to let
> the current convenience artefacts as is but make sure everything will be
> signed from now on?
>
> * The previous convenience packages were not signed but the ones for the
> coming release will be. That means packages/repositories metadata will
> contain a signed checksum of the artefacts. Therefore signing files such
> as
> incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
> wouldn't achieve anything but make the checker script happy since no
> user or package management would know about such a signature required by
> the checker script. Signing any file to make the checker script happy is
> absolutely fine if it is used by Apache infra to ensure file integrity,
> but it has to be noted that no one but package management systems will look at
> these tarballs. The only thing looking at these signatures will be the
> checker script. So as part of the release process, is signing these
> tarballs for the checker script a requirement?

   Yes.

   1. Of course "keeping the checker script happy" isn't the real
      reason, but if that's your motivation : fine.

      The real reason is the rule :

        Every artifact distributed by the Apache Software Foundation
        should and every new one must be accompanied by one file
        containing an OpenPGP compatible ASCII armored detached
        signature and another file containing an MD5 checksum.

      which is motivated here : Why We Sign Releases :

        http://www.apache.org/dev/release-signing.html#motivation

      The checker just tries to verify that the rules are kept.

   2. The items with "missing sigs" mentioned in the checker page
      belong to some package repo you publish. It is clear that,
      according to the rules, these packages must be signed, or
      removed.

   Regards,

   HPP

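The rule Henk quotes (a detached ASCII-armored OpenPGP signature and an MD5 checksum next to every artifact) is a property of the directory tree, so it can be checked mechanically. The following is an added example written for this page; it is not the checker script Henk links, and it makes no claim about how that script works. It walks a dist-style tree, reports every artifact lacking a sibling .asc or .md5, and verifies the .md5 content against the bytes on disk; checking the .asc itself is handed to gpg only when verify_sigs=True, since that needs the signer's public key. The build_demo_tree() helper and all file contents in it are constructed for the demo, and its .asc files are placeholders, not real signatures.

```python
"""Added example (written for this page, not the ASF checker): report artifacts
under a dist-style tree that lack the .asc / .md5 sidecars, and verify the .md5.

MD5 only detects accidental corruption; authenticity comes from the .asc,
which is verified with gpg (optional here, it needs the signer's public key).
"""
import hashlib
import os
import subprocess
import tempfile
from typing import Dict, List, Optional

SIDECAR_SUFFIXES = (".asc", ".md5", ".sha1", ".sha256", ".sha512", ".sig")


def parse_md5_file(text: str) -> str:
    """Accept both common layouts and return lowercase hex:
    '<hex>  <name>'                  (md5sum output)
    '<name>: 0A1B 2C3D ... '         (gpg --print-md MD5 output)"""
    if ":" in text:
        return "".join(text.split(":", 1)[1].split()).lower()
    return text.split()[0].lower()


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def gpg_verify(asc_path: str, artifact: str, keyring: Optional[str] = None) -> bool:
    """Detached-signature check as a user runs it: gpg --verify file.asc file.
    True only if gpg exits 0 (good signature from a key present in the keyring)."""
    cmd = ["gpg", "--batch"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", asc_path, artifact]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def check_dist_tree(root: str, verify_sigs: bool = False) -> Dict[str, List[str]]:
    """Return {relative artifact path: [problems]}; compliant artifacts are omitted."""
    problems: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(SIDECAR_SUFFIXES):
                continue                      # sidecars are checked via their artifact
            path = os.path.join(dirpath, name)
            found: List[str] = []
            if name + ".asc" not in files:
                found.append("missing .asc")
            elif verify_sigs and not gpg_verify(path + ".asc", path):
                found.append("bad signature")
            if name + ".md5" not in files:
                found.append("missing .md5")
            else:
                with open(path + ".md5") as f:
                    if parse_md5_file(f.read()) != md5_of(path):
                        found.append("md5 mismatch")
            if found:
                problems[os.path.relpath(path, root)] = found
    return problems


def build_demo_tree() -> str:
    """Constructed sample tree: one compliant artifact, one with no sidecars, one
    whose .md5 disagrees with its bytes. The .asc contents are placeholders."""
    root = tempfile.mkdtemp(prefix="dist-demo-")

    def put(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    good = b"stand-in for a release tarball\n"
    put("a/good-1.0.tar.gz", good)
    put("a/good-1.0.tar.gz.asc", b"-----BEGIN PGP SIGNATURE-----\nplaceholder\n-----END PGP SIGNATURE-----\n")
    put("a/good-1.0.tar.gz.md5", (hashlib.md5(good).hexdigest() + "  good-1.0.tar.gz\n").encode())
    put("b/unsigned-1.0.tar.gz", b"nothing next to me\n")
    put("c/corrupt-1.0.tar.gz", b"bytes changed after the .md5 was written\n")
    put("c/corrupt-1.0.tar.gz.asc", b"placeholder\n")
    put("c/corrupt-1.0.tar.gz.md5", b"corrupt-1.0.tar.gz: 0000 0000 0000 0000 0000 0000 0000 0000\n")
    return root


if __name__ == "__main__":
    for rel, probs in check_dist_tree(build_demo_tree()).items():
        print(f"{rel}: {', '.join(probs)}")
```

Run against a real mirror tree, pass verify_sigs=True together with the project's KEYS file imported into a dedicated keyring; a "missing .asc" on a file nobody can verify is exactly the condition the checker page flags.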

Re: Fwd: Re: An ASF yum repository?

Posted by Bruno Mahé <bm...@apache.org>.
Some questions for our dear mentors:

* Given that we are targeting a release by end of march, is it ok to let
the current convenience artefacts as is but make sure everything will be
signed from now on?

* The previous convenience packages were not signed but the ones for the
coming release will be. That means packages/repositories metadata will
contain a signed checksum of the artefacts. Therefore signing files such
as
incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
wouldn't achieve anything but make the checker script happy since no
user or package management would know about such a signature required by
the checker script. Signing any file to make the checker script happy is
absolutely fine if it is used by Apache infra to ensure file integrity,
but it has to be noted that no one but package management systems will look at
these tarballs. The only thing looking at these signatures will be the
checker script. So as part of the release process, is signing these
tarballs for the checker script a requirement?

