Arch Package Signing issue getting big on Reddit

songandsilence · 2011-03-22 19:29:21

Why not just publish MD5 and/or SHA1 checksums on the package listing pages, and if the user wants to check the validity of the packages, they'll have the ability to?

If not, it seems good to include in the next version of pacman... something along the lines of "pacman -Si" also displaying MD5 or SHA1 checksum information? I'm no dev, so please don't flame...

Last edited by songandsilence (2011-03-22 19:31:51)

ngoonee · 2011-03-22 23:59:58

songandsilence wrote:

Why not just publish MD5 and/or SHA1 checksums on the package listing pages

Which are just as vulnerable to attack (single point of failure) as the various mirrors.

Implementation of security measures cannot and should not be done haphazardly. In general, opinions which start with "don't you JUST have to..." are not well thought out and do not actually improve security.

The manner in which things may technically be accomplished is discussed on pacman-dev. I don't have the technical competency to verify/understand how well it works, so I can only trust that those who ARE working on it do. I'd say the same applies to most people reading this, hence 'suggestions' of this sort won't really help anything.

Summary? Technical discussion on implementation should be in [pacman-dev]

Mr.Elendig · 2011-03-23 15:04:11

Fun sidenote: 3.rd party signing/certificates are not really safe either...

ssri · 2011-03-23 23:10:38

Mr.Elendig wrote:

Fun sidenote: 3.rd party signing/certificates are not really safe either...

Condoms are not guaranteed 100% safe either.

Last edited by ssri (2011-03-24 02:52:16)

ataraxia · 2011-03-23 23:55:48

FWIW, Dan merged a bunch of package-signing work into pacman's master tree today:

http://mailman.archlinux.org/pipermail/ … 12735.html
http://mailman.archlinux.org/pipermail/ … 12736.html
http://mailman.archlinux.org/pipermail/ … 12737.html

toofishes · 2011-03-24 17:21:26

Since LWN decided to write a rather questionable one-sided article, I've written a rather lengthy but hopefully insightful blog post on this whole debacle: http://www.toofishes.net/blog/real-stor … e-signing/

cactus · 2011-03-24 18:15:54

More reddit linkery: http://www.reddit.com/r/linux/comments/ … e_signing/

mundane · 2011-03-24 18:16:16

Thank toofishes for writing that! I am shocked by the LWN article at how absurdly one-sided it is. They obviously don't realise how much of a troll IG was is and seem to take his word for truth.

Unfortunately, after LWN exposure and the number of hits his blog will get, IG's head will now grow larger than the earth itself

Last edited by mundane (2011-03-24 18:17:37)

Inxsible · 2011-03-24 18:19:18

Does anyone have a link to the LWN article... I'd just like to read it for laughs and to see if its a replica of IG's blog

EDIT : Never mind....I was still reading through Dan's blog post....found the link

Last edited by Inxsible (2011-03-24 18:20:58)

karol · 2011-03-24 18:21:05

Inxsible wrote:

Does anyone have a link to the LWN article... I'd just like to read it for laughs and to see if its a replica of IG's blog

http://lwn.net/SubscriberLink/434990/4c611307c60a7ae1/

tvale · 2011-03-24 18:31:08

Thank you for clarifying things for us. :-)

Inxsible · 2011-03-24 21:01:20

Just found this by IG : http://igurublog.wordpress.com/2011/03/19/had-a-gnuff/

IgnorantGurus' blog wrote:

Gee, why does that scenario sound familiar? It seems these guys must have run into the ‘Brick Arch’. Reading this, I also had a light bulb which has so far been dim, light up. I could never understand Arch dev Allan McRae’s reluctancy to just signing the Arch package database – he really threw all of himself against any attempt to get this implemented. Now the puzzle piece fits – fear of competition. With other pacman variants floating around, I think he knows that if the database is signed, they’ll fly by pacman in terms of features and security. Just a theory, but I’ll bet it’s right. And it would fit in with the Arch lack of care for users – he would rather risk users security than have people abandon HIS project.
Either way, this also got me thinking how Arch is an unusual distro. It’s not like it has a customized DM or much that glues it together. Mostly it is a package manager (and build system) and a few repos. The packages in Arch are little less than tarballs of files to be copied. Creating a spin-off of Arch is a matter of creating a package manager, which is exactly what Gnuffy has done. So it makes sense that the core Arch team might be a little insecure about this state of affairs, but it’s fair play in Linux. This also might explain why their forums are in a such a panic over any dissent – the forum is one of the only real influences they have on the user community, since the software is mostly vanilla and made by other developers outside Arch.

I don't know why he makes everything so personal.

karol · 2011-03-24 21:06:30

Inxsible wrote:

Just found this by IG : http://igurublog.wordpress.com/2011/03/19/had-a-gnuff/
IgnorantGurus' blog wrote:
Gee, why does that scenario sound familiar? It seems these guys must have run into the ‘Brick Arch’. Reading this, I also had a light bulb which has so far been dim, light up. I could never understand Arch dev Allan McRae’s reluctancy to just signing the Arch package database – he really threw all of himself against any attempt to get this implemented. Now the puzzle piece fits – fear of competition. With other pacman variants floating around, I think he knows that if the database is signed, they’ll fly by pacman in terms of features and security. Just a theory, but I’ll bet it’s right. And it would fit in with the Arch lack of care for users – he would rather risk users security than have people abandon HIS project.
Either way, this also got me thinking how Arch is an unusual distro. It’s not like it has a customized DM or much that glues it together. Mostly it is a package manager (and build system) and a few repos. The packages in Arch are little less than tarballs of files to be copied. Creating a spin-off of Arch is a matter of creating a package manager, which is exactly what Gnuffy has done. So it makes sense that the core Arch team might be a little insecure about this state of affairs, but it’s fair play in Linux. This also might explain why their forums are in a such a panic over any dissent – the forum is one of the only real influences they have on the user community, since the software is mostly vanilla and made by other developers outside Arch.
I don't know why he makes everything so personal.

Yes, nobody came with the patches for package signing for years but people will fork Arch - any day now.

There's already a bunch of Arch-based distros to choose from: https://wiki.archlinux.org/index.php/Ar … s_(Active)

Last edited by karol (2011-03-24 21:11:47)

SS4 · 2011-03-24 21:11:06

From what I understand it is only IgnorantGuru and his sock puppet accounts that have kicked up any fuss about this?

cactus · 2011-03-24 21:42:58

SS4 wrote:

From what I understand it is only IgnorantGuru and his sock puppet accounts that have kicked up any fuss about this?

seems so, yes.

Make no mistake, however, of believing that others simply don't care, just because they are not obnoxious.

It isn't that others don't recognize that a lack of package signing is an issue. Even the pacman devs themselves realize it, as you can see from toofishes' mailing list links and historical perspective he provided in his rebuttal.

It is simply that others perhaps do not have enough time, skill, or issue relevance to create the patches necessary to make it happen -- and are not the type of people who feel libel and social blackmail are viable ways to get their way.

Last edited by cactus (2011-03-24 21:45:58)

barzam · 2011-03-24 21:56:11

Great post, Dan.

For what it's worth, I really appreciate the effort the Arch developers put into this distribution. Package signing isn't a big deal for me really but I can still see the point in but I trust you will implement it sooner or later.

bones · 2011-03-25 03:06:48

I don't know sometimes. Where is it written that you have to use a product that you don't like or agree with. If you ain't paying for it then, Don't use it and go use something else and stop complaining, nobody has a gun to your head.
Seems some people just love to bitch about things because they have nothing better to do.

Fingel · 2011-03-25 04:54:52

Dan McGee pitches in:
The real story behind Arch Linux package signing
An even better read than the original link I posted.

Inxsible · 2011-03-25 04:57:10

Fingel wrote:

Dan McGee pitches in:
The real story behind Arch Linux package signing
An even better read than the original link I posted.

https://bbs.archlinux.org/viewtopic.php … 78#p907878

It seems you are late to the party !!

Fingel · 2011-03-25 04:59:56

Inxsible wrote:

Fingel wrote:
Dan McGee pitches in:
The real story behind Arch Linux package signing
An even better read than the original link I posted.
https://bbs.archlinux.org/viewtopic.php … 78#p907878
It seems you are late to the party !!

Oh hey look at that! I was in Disneyland, can you blame me?
Thanks for the writeup toofishes. Btw here is the reddit link where I found it:
Link

mundane · 2011-03-25 06:53:49

Fingel wrote:

Inxsible wrote:
Fingel wrote:
Dan McGee pitches in:
The real story behind Arch Linux package signing
An even better read than the original link I posted.
https://bbs.archlinux.org/viewtopic.php … 78#p907878
It seems you are late to the party !!
Oh hey look at that! I was in Disneyland, can you blame me?
Thanks for the writeup toofishes. Btw here is the reddit link where I found it:
Link

You were late to that party too

https://bbs.archlinux.org/viewtopic.php … 98#p907898

KimTjik · 2011-03-25 10:31:27

When pacman eventually will include signing I expect to see a blog entry titled: "How I fixed package signing in Arch". Maybe it's already written waiting in queue to be released...

ssri · 2011-03-25 11:40:29

KimTjik wrote:

When pacman eventually will include signing I expect to see a blog entry titled: "How I fixed package signing in Arch". Maybe it's already written waiting in queue to be released...

You cannot deny that there has been an uptick of activity the gpg branch of pacman-git (http://projects.archlinux.org/users/all … log/?h=gpg) after his initial post. Sadly, this whole brouhaha may set a precedent on how to get things "done". The response will transition from "patches welcome" to "talk is cheap, show me the code." Actually, I think the latter is better because it more up-front and less obfuscating.

Last edited by ssri (2011-03-25 11:47:48)

Allan · 2011-03-25 11:45:23

Note that is not new activity. It is mainly cleaning up old patches to apply on the current code base.

e.g. the patch at the top:
author Allan McRae <allan@archlinux.org> 2010-11-24 07:22:32 (GMT)
committer Dan McGee <dan@archlinux.org> 2011-03-23 08:59:21 (GMT)

dolby · 2011-03-25 12:37:28

First there was ESR, RMS, now theres McGee and McRae.

Is Arch ruled by Schotchmen?

Arch Linux

#26 2011-03-22 19:29:21

Re: Arch Package Signing issue getting big on Reddit

#27 2011-03-22 23:59:58

Re: Arch Package Signing issue getting big on Reddit

#28 2011-03-23 15:04:11

Re: Arch Package Signing issue getting big on Reddit

#29 2011-03-23 23:10:38

Re: Arch Package Signing issue getting big on Reddit

#30 2011-03-23 23:55:48

Re: Arch Package Signing issue getting big on Reddit

#31 2011-03-24 17:21:26

Re: Arch Package Signing issue getting big on Reddit

#32 2011-03-24 18:15:54

Re: Arch Package Signing issue getting big on Reddit

#33 2011-03-24 18:16:16

Re: Arch Package Signing issue getting big on Reddit

#34 2011-03-24 18:19:18

Re: Arch Package Signing issue getting big on Reddit

#35 2011-03-24 18:21:05

Re: Arch Package Signing issue getting big on Reddit

#36 2011-03-24 18:31:08

Re: Arch Package Signing issue getting big on Reddit

#37 2011-03-24 21:01:20

Re: Arch Package Signing issue getting big on Reddit

#38 2011-03-24 21:06:30

Re: Arch Package Signing issue getting big on Reddit

#39 2011-03-24 21:11:06

Re: Arch Package Signing issue getting big on Reddit

#40 2011-03-24 21:42:58

Re: Arch Package Signing issue getting big on Reddit

#41 2011-03-24 21:56:11

Re: Arch Package Signing issue getting big on Reddit

#42 2011-03-25 03:06:48

Re: Arch Package Signing issue getting big on Reddit

#43 2011-03-25 04:54:52

Re: Arch Package Signing issue getting big on Reddit

#44 2011-03-25 04:57:10

Re: Arch Package Signing issue getting big on Reddit

#45 2011-03-25 04:59:56

Re: Arch Package Signing issue getting big on Reddit

#46 2011-03-25 06:53:49

Re: Arch Package Signing issue getting big on Reddit

#47 2011-03-25 10:31:27

Re: Arch Package Signing issue getting big on Reddit

#48 2011-03-25 11:40:29

Re: Arch Package Signing issue getting big on Reddit

#49 2011-03-25 11:45:23

Re: Arch Package Signing issue getting big on Reddit

#50 2011-03-25 12:37:28

Re: Arch Package Signing issue getting big on Reddit

Board footer