[Dev] New packaging standards/policy discussion

Luke g4jc at openmailbox.org
Thu Jul 30 22:13:32 GMT 2015


Hello Everyone,
I have come up with a more secure packaging standard which I am
currently using for my PCR packages.
This is in relation to bug #747 (https://labs.parabola.nu/issues/747) in
which Emulatorman suggested I post the idea here for discussion.

Currently the build process is as follows:
-----
0) Create an SSH key with any algorithm, and submit to developer mailing
list for approval.
1) Create PKGBUILD
2) Sign stuff using MD5
https://wiki.parabola.nu/Package_maintainer_guide#MD5sum_checking
3) git add PKGBUILD; git commit -m "my pkgbuild is being added"; git push
4) sudo libremakepkg / sudo libremakepkg -n your-i686-chroot
5) librestage pcr (or whichever folder you're working in)
6) librerelease (binary gets GPG signed)
------

The new build process I am proposing requires only a few additional
steps, and increases the integrity of our PKGBUILDs with GPG and better
hashing algorithms.

0) Create an SSH key with a minimum standard of RSA-4096 to ensure the
server stays secure, password to protect the key also highly
recommended. Then send to mailing list for approval.
ssh-keygen -t rsa -b 4096

1) Create PKGBUILD

2) Sign stuff manually using SHA512sum and openssl's whirlpool (see my
PKGBUILDs for an example of this fail-safe); and import any GPG
signatures from upstream as needed, adding them to validpgpkeys field
for GPG verification.

3) Sign the PKGBUILD with GPG:
gpg --default-key [YOURKEYID] -b PKGBUILD

4) Enable GPG signing in your gitconfig so that our commits are also
signed. I've added this one-liner to the wiki already and fauno is also
using it.
Then simply: git add -f PKGBUILD PKGBUILD.sig; git commit -m "pushing my
signed package with signed commit"; git push (same as before)

4) sudo libremakepkg / sudo libremakepkg -n your-i686-chroot
[optionally, I would like the binary GPG signing to be done here since
it is closest to the build process; see Bug #567]

5) librestage pcr

6) librerelease
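
As an added illustration of the checks in steps 2 and 3 above (this is example
code, not from the post or from Parabola's libretools), the helper below
verifies a detached PKGBUILD.sig and checks each source file against both its
SHA512 and its Whirlpool digest. It assumes gpg, sha512sum and openssl are
installed and that `openssl dgst -whirlpool` is available on the host.

```shell
#!/bin/sh
# Added example: integrity checks from the proposed build process.
# Assumes gpg, sha512sum and openssl (with Whirlpool support) are installed.

# check_digests FILE SHA512HEX [WHIRLPOOLHEX]
# Succeeds only when every supplied digest matches the file. Requiring two
# different hash functions is the "fail-safe": a tampered source would have
# to collide under both SHA512 and Whirlpool.
check_digests() {
  file=$1; want_sha=$2; want_whirl=${3:-}
  [ -f "$file" ] || { echo "missing source: $file" >&2; return 1; }
  got_sha=$(sha512sum "$file" | cut -d' ' -f1)
  if [ "$got_sha" != "$want_sha" ]; then
    echo "SHA512 mismatch for $file" >&2; return 1
  fi
  if [ -n "$want_whirl" ]; then
    # openssl prints "WHIRLPOOL(file)= <hex>"; keep only the hex part
    got_whirl=$(openssl dgst -whirlpool "$file" | sed 's/.*= //')
    if [ "$got_whirl" != "$want_whirl" ]; then
      echo "Whirlpool mismatch for $file" >&2; return 1
    fi
  fi
  return 0
}

# check_manifest MANIFEST
# MANIFEST is a constructed text file, one source per line:
#   <path> <sha512hex> [<whirlpoolhex>]
# Every line is checked; the function fails if any source fails.
check_manifest() {
  rc=0
  while read -r f s w; do
    [ -n "$f" ] || continue
    check_digests "$f" "$s" "$w" || rc=1
  done < "$1"
  return $rc
}

# verify_pkgbuild DIR
# The reverse of the `gpg -b PKGBUILD` step: the detached signature in
# DIR/PKGBUILD.sig must verify against DIR/PKGBUILD with a trusted key.
verify_pkgbuild() {
  dir=$1
  gpg --verify "$dir/PKGBUILD.sig" "$dir/PKGBUILD" 2>/dev/null
}
```

Run check_manifest and verify_pkgbuild before libremakepkg; a non-zero exit
from either means the sources or the PKGBUILD are not what the maintainer
signed off on.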

The reasons for these changes are 1) MD5 is weak
(www.stopusingmd5now.com) and 2) anyone could tamper with our PKGBUILDs.
This allows PKGBUILDers to be responsible for their files as well as
providing integrity in case of a server-side compromise. Also, by using
this method on upstream (GPG/SHA512/WHIRLPOOL) we know that the source
files are exactly as they should be prior to building the binary.

Gentoo has been using a similar method for their ebuilds for some time;
this simply brings our distro up to their security-hardened standards.

If, after discussion, it is agreed that this is a better method, I can
edit the wiki and include this new standard.
I don't think it should be required for older packages but should be
used moving forward.

Thanks for your consideration! :)