Thread: Contributed packages and trust problem ?
Dear all,

here is a question on which I'd like to get your opinion. Giuseppe Sacco contributed today a build of the Debian packages for the PowerPC architecture based on our Debian source packages. As he is a member of the Debian project, I think we can consider him a trustworthy person. But what about other persons who may contribute builds for other architectures? Did you face this "problem" in the past? Is everybody OK with uploading his files to snake (I vote yes)?

Another thing I have wanted to talk about for days concerns the signing of our packages. Is there anything done at the moment? Shall someone sign the files? Shall every packager sign his own package? I'm currently looking at what's done in Debian and will give you some feedback on it.

Regards,
Raphaël
> -----Original Message-----
> From: Raphaël Enrici [mailto:blacknoz@club-internet.fr]
> Sent: 09 August 2003 19:14
> To: pgadmin-hackers@postgresql.org
> Subject: [pgadmin-hackers] Contributed packages and trust problem ?
>
> Dear all,
>
> here is a question on which I'd like to get your opinion. Giuseppe Sacco
> contributed today a build of the Debian packages for the PowerPC
> architecture based on our Debian source packages. As he is a member of
> the Debian project, I think we can consider him a trustworthy person. But
> what about other persons who may contribute builds for other
> architectures? Did you face this "problem" in the past?

Never considered it in the past as I always did the builds. I think it is a valid problem though. Is there any way we can sign the source code such that when it's compiled we can verify that it was unmodified source?

> Is everybody OK with uploading his files to snake (I vote yes)?
> Another thing I have wanted to talk about for days concerns the signing
> of our packages. Is there anything done at the moment? Shall someone sign
> the files? Shall every packager sign his own package? I'm currently
> looking at what's done in Debian and will give you some feedback on it.

What did you have in mind, a PGP sig for each file? I don't see that as a problem for each packager to create.

Regards, Dave.
Dave Page wrote:
>> -----Original Message-----
>> From: Raphaël Enrici [mailto:blacknoz@club-internet.fr]
>> Sent: 09 August 2003 19:14
>> To: pgadmin-hackers@postgresql.org
>> Subject: [pgadmin-hackers] Contributed packages and trust problem ?
>>
>> Giuseppe Sacco contributed today a build of the Debian packages for the
>> PowerPC architecture based on our Debian source packages. As he is a
>> member of the Debian project, I think we can consider him a trustworthy
>> person. But what about other persons who may contribute builds for other
>> architectures? Did you face this "problem" in the past?
>
> Never considered it in the past as I always did the builds. I think it is a
> valid problem though. Is there any way we can sign the source code such that
> when it's compiled we can verify that it was unmodified source?

Never heard of something like this....

>> Is there anything done at the moment? Shall someone sign the files? Shall
>> every packager sign his own package? I'm currently looking at what's done
>> in Debian and will give you some feedback on it.
>
> What did you have in mind, a PGP sig for each file? I don't see that as a
> problem for each packager to create.

As RPM and DEB packages integrate GPG signatures, I just wanted to know if there was a PGP/GPG key global to the pgAdmin team, something that is used to sign the files of the project like binaries, sources, etc. I'm OK with signing the deb packages myself. And I wanted to know if you used to sign the files in the past, for example the source tarball and the win32 packages.

Regards,
Raphaël
It's rumoured that Raphaël Enrici once said:
> Dave Page wrote:
>
>>> -----Original Message-----
>>> From: Raphaël Enrici [mailto:blacknoz@club-internet.fr]
>>> Sent: 09 August 2003 19:14
>>> To: pgadmin-hackers@postgresql.org
>>> Subject: [pgadmin-hackers] Contributed packages and trust problem ?
>>>
>> Never considered it in the past as I always did the builds. I think it
>> is a valid problem though. Is there any way we can sign the source code
>> such that when it's compiled we can verify that it was unmodified
>> source?
>>
> Never heard of something like this....

No, me neither. Perhaps it'll make a topic for my dissertation...

>> What did you have in mind, a PGP sig for each file? I don't see that as
>> a problem for each packager to create.
>>
> As RPM and DEB packages integrate GPG signatures, I just wanted to
> know if there was a PGP/GPG key global to the pgAdmin team, something
> that is used to sign the files of the project like binaries, sources,
> etc. I'm OK with signing the deb packages myself.
> And I wanted to know if you used to sign the files in the past, for
> example the source tarball and the win32 packages.

No, there is no 'global' key. That would probably be pretty insecure. I would think that a PGP/GPG sig from the packager would suffice - it would at least prove that the file hadn't been tampered with. Mind you, it doesn't prevent someone packaging their own version and pretending they are the official packager. Perhaps I should sign everything?

Regards, Dave.
Dave Page wrote:
> It's rumoured that Raphaël Enrici once said:
>
>>> What did you have in mind, a PGP sig for each file? I don't see that as
>>> a problem for each packager to create.
>>>
>> As RPM and DEB packages integrate GPG signatures, I just wanted to
>> know if there was a PGP/GPG key global to the pgAdmin team, something
>> that is used to sign the files of the project like binaries, sources,
>> etc. I'm OK with signing the deb packages myself.
>> And I wanted to know if you used to sign the files in the past, for
>> example the source tarball and the win32 packages.
>
> No, there is no 'global' key. That would probably be pretty insecure. I
> would think that a PGP/GPG sig from the packager would suffice - it would
> at least prove that the file hadn't been tampered with. Mind you, it doesn't
> prevent someone packaging their own version and pretending they are the
> official packager. Perhaps I should sign everything?

Dear Dave,

IMHO, you should at least sign the tarball you publish as the beta release, and all packagers should verify it against your public key before packaging anything; they should also sign their packages with their own keys. Maybe we should also publish a link to our personal public keys or the way to get them.

Cheers,
Raphaël
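The flow Raphaël proposes above (the release manager signs the tarball, each packager verifies it against the release manager's published key before building, then signs his own package with his own key), written out as an added example. This is not code from the thread or from the pgAdmin project. It assumes GnuPG 2.1 or later is on the PATH; the names, e-mail addresses, fingerprint pinning step and file contents are invented for the demonstration, and the keys are throwaway, unprotected demo keys. The fingerprint check is what closes the gap Dave points out: a "good signature" alone only proves the file matches some key, while pinning the release manager's primary-key fingerprint rejects a packager (or anyone else) signing with their own key and posing as the official source.

```shell
#!/bin/sh
# Added example, not pgAdmin project code: release-signing flow from the
# thread, run end to end in throwaway GnuPG homes. Names, addresses and
# file contents are invented; assumes GnuPG >= 2.1 on the PATH.

# Generate an unprotected throwaway key (demo only; a real release key is
# passphrase-protected and ideally kept offline).
gen_key() {  # gen_key GNUPGHOME "Real Name" email
    GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: default
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Primary-key fingerprint for EMAIL: the first "fpr" record of --with-colons.
fingerprint() {  # fingerprint GNUPGHOME email
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached, ASCII-armoured signature FILE.asc made with the key for EMAIL.
sign_file() {  # sign_file GNUPGHOME email FILE
    GNUPGHOME="$1" gpg --batch --yes --quiet --local-user "$2" \
        --armor --detach-sign --output "$3.asc" "$3" 2>/dev/null
}

# Verify FILE against FILE.asc AND require that the signing key's primary
# fingerprint equals PINNED_FPR (read from gpg's machine-readable status).
verify_file() {  # verify_file GNUPGHOME FILE PINNED_FPR
    GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null |
        awk -v fpr="$3" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == fpr { ok = 1 }
            END { exit !ok }'
}

# The scenario itself; prints PASS, FAIL or SKIP (key generation unavailable).
signing_flow() {  # signing_flow WORKDIR RELEASE_HOME PACKAGER_HOME
    work=$1; rel=$2; pkg=$3
    gen_key "$rel" "Demo Release Manager" release@example.invalid || { echo SKIP; return 0; }
    gen_key "$pkg" "Demo Packager" packager@example.invalid || { echo SKIP; return 0; }

    # Release side: the (constructed) tarball is signed by the release manager.
    tarball="$work/pgadmin3-demo.tar.gz"
    printf 'pretend this is the release tarball\n' > "$tarball"
    sign_file "$rel" release@example.invalid "$tarball" || { echo FAIL; return 0; }

    # The public key is published; the packager imports it and pins the
    # fingerprint he obtained out of band (website, or from Dave directly).
    GNUPGHOME="$rel" gpg --batch --quiet --armor --export release@example.invalid > "$work/release.asc" 2>/dev/null || { echo FAIL; return 0; }
    GNUPGHOME="$pkg" gpg --batch --quiet --import "$work/release.asc" 2>/dev/null || { echo FAIL; return 0; }
    pinned=$(fingerprint "$rel" release@example.invalid)

    # Packager side: the intact tarball must verify ...
    verify_file "$pkg" "$tarball" "$pinned" || { echo FAIL; return 0; }
    # ... a one-byte change must be rejected ...
    printf 'X' >> "$tarball"
    verify_file "$pkg" "$tarball" "$pinned" && { echo FAIL; return 0; }
    # ... and a GOOD signature from the wrong key (someone posing as the
    # release manager) must fail the fingerprint pin.
    printf 'pretend this is the release tarball\n' > "$tarball"
    sign_file "$pkg" packager@example.invalid "$tarball" || { echo FAIL; return 0; }
    verify_file "$pkg" "$tarball" "$pinned" && { echo FAIL; return 0; }

    # Finally the packager signs his own (constructed) .deb with his own key.
    deb="$work/pgadmin3_demo_powerpc.deb"
    printf 'pretend this is the built package\n' > "$deb"
    sign_file "$pkg" packager@example.invalid "$deb" || { echo FAIL; return 0; }
    verify_file "$pkg" "$deb" "$(fingerprint "$pkg" packager@example.invalid)" || { echo FAIL; return 0; }
    echo PASS
}

# Fresh temp homes per run, agent shutdown and cleanup afterwards.
run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo SKIP; return 0; }
    work=$(mktemp -d)
    rel="$work/release-gnupg"; pkg="$work/packager-gnupg"
    mkdir -m 700 "$rel" "$pkg"
    result=$(signing_flow "$work" "$rel" "$pkg")
    for h in "$rel" "$pkg"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$work"
    echo "$result"
}

run_demo
```

Run with `sh release-signing-demo.sh`; it prints PASS when all four checks behave (intact file accepted, modified file rejected, wrong-key signature rejected, packager's own signature accepted). In practice the pinned fingerprint comes from the published key page or from the release manager directly, never from the same download location as the tarball.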
> -----Original Message-----
> From: Raphaël Enrici [mailto:blacknoz@club-internet.fr]
> Sent: 10 August 2003 23:00
> To: Dave Page
> Cc: pgadmin-hackers@postgresql.org
> Subject: Re: [pgadmin-hackers] Contributed packages and trust problem ?
>
> IMHO, you should at least sign the tarball you publish as the beta
> release, and all packagers should verify it against your public key
> before packaging anything; they should also sign their packages with
> their own keys. Maybe we should also publish a link to our personal
> public keys or the way to get them.

OK, I've signed the source tarball for now. Jean-Michel, can you add my PGP key to the website somewhere please:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com

mQGiBD7oXUQRBADSc28+GsqyfZ/AQtEJSzRuwyus/g3XRY1cr93nvPFGNHpemxlg
h4R82gbXFZ9Urabptmo631BK58aDjAVtzZKeaUFNvV3DhmjlI7oREXSylTwPF+bq
FIqiRBut4JE0p4rGu4gGOkuu8eTVj0gpP+x7EdiqG1SJ0xuqD0ITK8ISowCg/1o+
X/gHAW1mGQ3NBx0pc05xVgEEAL6YurrSsSr4bwwIC0kRCLKauPASFjlM9+L/mo9T
SsD0cdjOg1bdjmo/z83Dk7V05TEGZBGgLyxT06VWlk11KNV/hL/XcHDJdpN6Dwe0
ieOLg66Cbr1UChyMt4CD4bR1LdXeargN4XD2fMBmOVyvoLaifwWS+7pLcXZpxmQ1
QP6GA/9dwNQtmALgB+/s1/3qRd4F08yyklw5wXY8bFuY4YR1PPof/C4Tmh1+nJ7M
4/e8O6CkEfylRS4Oh9lEfG4S2U3Ti4OqP1DHg5HqkMR7TtrflTypGzIJE1qxlshh
O5yoD+/eM/Sun4Swk68lj6w1hqpQf1Hy6iiTdkdOV3uoVa9/ibQdRGF2ZSBQYWdl
IDxkcGFnZUBwZ2FkbWluLm9yZz6JAFcEEBECABcFAj7oXUQHCwkIBwMCCgIZAQUb
AwAAAAAKCRCWAg4EGhlkOywTAKCHUYxi3UJWMVLpRVk+HSThfgGCFgCg9JEIgink
lneCOAnWA8mYCi3nKc+5Ag0EPuhdRBAIAPZCV7cIfwgXcqK61qlC8wXo+VMROU+2
8W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh01D49Vlf3HZS
Tz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscBqtNbno2gpXI6
1Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFstjvbzySPAQ/Cl
WxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISnCnLWhsQDGcgH
KXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVekyCzsAAgIH/3mp
wFg+fCsmUCoWynH4tUpdpsVaufNX8mTa2MNzMU2REl2iSNvAYv0KgH2hHADmMQ6A
5PWjl4LTV63chbKMLn98XfCWYeF4MR4uxP9a9yxSukFCMHP1bTibg4KSmRNjjSOI
5y2xIFBvCjRNj6nIjtMbzo40Tmm3asgiB8ACCrowO06ZMsQQcXw5mxzImLZ4pS6f
hObOgbjloUBbwQ6BnfDu9d4FFDSJDlV0C61lRfF7H9NcRV3Oz+v/taQHKMrfOGXP
fN2ClssKz0xLrNN0lGp+mB/cw3tdiTjj8/6zL+gFh8kS1QUHJzRSUkWbrnAvFhIr
60dX+1CQR8nFhwN1CJqJAEwEGBECAAwFAj7oXUQFGwwAAAAACgkQlgIOBBoZZDvd
eACgkA4MoeIJcCZopSQXLvk4zhgJZ28AoLWcPNcpRHL/Qsco+F5exfjKzYYe
=YPnc
-----END PGP PUBLIC KEY BLOCK-----

Regards, Dave.
On Monday 11 August 2003 10:57, Dave Page wrote:
> OK, I've signed the source tarball for now. Jean-Michel, can you add my PGP
> key to the website somewhere please:

No problem.

Jean-Michel
On Monday 11 August 2003 10:57, Dave Page wrote:
> OK, I've signed the source tarball for now. Jean-Michel, can you add my PGP
> key to the website somewhere please:

The key is available here:
http://snake.pgadmin.org/pgadmin3/pgp/davepage.pgp

It is visible in the "Installing from source" section on the download page. I will finish this section tonight after the beta packages are updated.

Cheers,
Jean-Michel