
List:       qubes-devel
Subject:    Re: [qubes-devel] (trying to avoid) unpacking before checking signatures
From:       Konstantin Ryabitsev <konstantin () linuxfoundation ! org>
Date:       2017-11-14 15:33:52
Message-ID: 20171114153352.filn4ursskagwy3z () gmail ! com

On Tue, Nov 14, 2017 at 01:05:00AM +0000, HW42 wrote:
> > > > It is my intent to deprecate the ability to upload tarballs
> > > > entirely and force everyone to use the same process Linus and Greg
> > > > use to generate tarballs on our end and then use the provided
> > > > signature to verify it.
> 
> What's the reason for not signing the compressed files in the first
> place? Compressing the files two times and then uploading three
> signatures (for .tar, .tar.xz and .tar.gz) doesn't sound so bad.

Yes, it is. Compressing the Linux tarball with xz -9 takes about 20 
minutes on a laptop. Greg, who does 3-4 releases at the same time, is 
not willing to wait 1.5 hours just to generate signatures, especially if 
he's running on battery.

> The compression process is also reproducible. After a bit of testing I
> found the parameters which seem to be currently used (see attached
> script). For the last few mainline/stable/longterm releases this works
> fine. But it seems that not long ago the parameters changed (for example
> the 4.11 tar.xz used other parameters).

It's not at all guaranteed to be reproducible. The parameters changed 
because we upgraded the OS and switched to using pixz for better 
parallelized compressing. We may furthermore lazy-recompress older .gz 
archives with better tools than vanilla gzip (e.g. zopfli), because the 
savings may be worth it. Putting the signature on the .tar archive 
allows us to do it and does not tie us to any particular compression 
format.

> If someone wants to play around with generating the archives from git
> you can run the attached script in a checked-out linux repository. It
> will verify the git tag so you need the matching key in your gpg
> keyring.

I am kind of surprised that you are going the route of using git if the 
initial conversation started out with not trusting compression software.  
Wouldn't git have much larger complexity than unxz, and therefore using 
it be a net loss in security?

-K
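The point made above, that a signature over the .tar is independent of whatever compression was applied, shown as an added example that is not part of the thread: the archive is constructed, and the gpg call is replaced by a comparison against a trusted .tar digest (a stand-in for `xz -cd f.tar.xz | gpg --verify f.tar.sign -`).

```python
"""Digest the inner .tar of a kernel-style release archive by streaming
it through the decompressor only, never through tar, so one detached
signature on the .tar covers every compression format."""
import gzip
import hashlib
import io
import lzma
import tarfile
CHUNK = 1 << 16  # 64 KiB reads: the archive is never held in memory whole

def open_decompressed(fileobj):
    """Choose the decompressor from magic bytes; a plain .tar passes through."""
    magic = fileobj.read(6)
    fileobj.seek(0)
    if magic.startswith(b"\xfd7zXZ\x00"):
        return lzma.open(fileobj)
    if magic.startswith(b"\x1f\x8b"):
        return gzip.open(fileobj)
    return fileobj

def tar_digest(blob):
    """SHA-256 of the uncompressed .tar stream inside `blob` (compressed or
    not). Only the decompressor touches untrusted bytes; nothing is extracted."""
    h = hashlib.sha256()
    with open_decompressed(io.BytesIO(blob)) as stream:
        for chunk in iter(lambda: stream.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_against_trusted(blob, trusted_tar_digest):
    """Stand-in for the gpg step: the signature is over the .tar, so the
    check compares the .tar digest, never the compressed file's."""
    return tar_digest(blob) == trusted_tar_digest

def build_sample_tar():
    """Constructed stand-in for linux-X.Y.tar (fixed metadata, deterministic)."""
    buf = io.BytesIO()
    data = b"/* constructed kernel source stand-in */\n" * 2000
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("linux-4.14/init/main.c")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def compressed_variants(tar_bytes):
    """Different tools or levels (cf. the pixz/zopfli switch above) change
    the compressed bytes but not the .tar they decompress to."""
    return {"xz-9": lzma.compress(tar_bytes, preset=9),
            "xz-6": lzma.compress(tar_bytes, preset=6),
            "gz": gzip.compress(tar_bytes)}
```

Every variant yields the same .tar digest, so a recompressed archive still verifies against the original .tar signature, while a signature over the .xz would have to be regenerated after every recompression.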


