[Dev] New packaging standards/policy discussion

Luke g4jc at openmailbox.org
Fri Jul 31 22:17:43 GMT 2015

On 07/31/2015 01:24 PM, Michał Masłowski wrote:
>> 2) Sign stuff manually using SHA512sum and openssl's whirlpool (see my
>> PKGBUILDs for an example of this fail-safe); and import any GPG
>> signatures from upstream as needed, adding them to validpgpkeys field
>> for GPG verification.
> Fix the tools so no manual work is needed here.
Upstream bug/patch submitted:

It will be as easy as including
in the PKGBUILD.

>> 3) Sign the PKGBUILD with GPG:
>> gpg --default-key [YOURKEYID] -b PKGBUILD
> Another manual step; also puts non-source files in the git repo.
> No code review is in this procedure.
I don't see any way around this yet. You could do this in batch if desired.
parallel gpg --default-key [yourkey] -b ::: PKGBUILD

If people are using abs it pulls PKGBUILD and related source files,
adding a .sig allows abs users to validate the PKGBUILD was created by
the claimed PKBUILD Maintainer. I consider this better than unsigned
package builds since it wouldn't take much to alter a PKGBUILD and
re-push. Then someone would need to go back and trace git commits to
figure out who. Even then unless the git is signed it'll be very hard to
determine how that happened since everyone is using the same git user,
and it would be trivially easy to spoof username in gitconfig should an
attacker actually gain access.

Regarding the code review, thankfully gpg is pretty straight forward
since we can use --verify.
The only unreviewed portion is my two hash skip functions since it is
not possible to hash-check a file you will be altering. (in this case
the GPG signature which is created /after/ the PKGBUILD)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20150731/41c04142/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20150731/41c04142/attachment.sig>

More information about the Dev mailing list