2:28 p.m.
Hi People!
I've got this working, but I'm wondering if we really need it or not.
I mean, as far as I can tell, this part of the XEmacs Package System
has never worked, and it was introduced in 1998. Obviously it was
never seen as important enough to do anything about.
Do the package-index files need to be PGP signed? Does anyone know
what the reasoning was behind the idea in the first place?
Another thing that concerns me is that if I apply the patch to fix the
PGP stuff and then start signing the package-index files it'll bugger
up any XEmacsen that is pre-PGP-patch.
So, what would you like me to do; fix the PGP code and tell everyone
to stop whining and upgrade, or get rid of the PGP code in the
package tools altogether?
--
|---<Steve Youngs>---------------<GnuPG KeyID: 9E7E2820>---|
| XEmacs - It's not just an editor. |
| It's a way of life. |
|------------------------------------<youngs(a)xemacs.org>---|
3:02 p.m.
>>>> "SY" == Steve Youngs
<youngs(a)xemacs.org> writes:
SY> Another thing that concerns me is that if I apply the patch to
SY> fix the PGP stuff and then start signing the package-index
SY> files it'll bugger up any XEmacsen that is pre-PGP-patch.
Why is that? Oh, because the current code looks for the signature,
and if it's not there, asks if it's OK---but if it were there but
wrong, it would barf?
What you could do is change the name of the signature, that way only
patched XEmacsen would know that the signature exists. Put in an
option not to use it.
As for why have it, I think paranoia is a good thing. I thought it
was totally historical when the chair of the Information Science
graduate program here SirCam'ed us on an internal mailing list. But
free software has vulnerabilities too, and if people want to be
careful we should provide them with the facilities.
--
Institute of Policy and Planning Sciences http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Don't ask how you can "do" free software business;
ask what your business can "do for" free software.
4:24 p.m.
|--==> "SJT" == Stephen J Turnbull <stephen(a)xemacs.org> writes:
>>>>>"SY" == Steve Youngs
<youngs(a)xemacs.org> writes:
SY> Another thing that concerns me is that if
I apply the patch to
SY> fix the PGP stuff and then start signing the package-index
SY> files it'll bugger up any XEmacsen that is pre-PGP-patch.
SJT> Why is that? Oh, because the current code looks for the signature,
SJT> and if it's not there, asks if it's OK---but if it were there but
SJT> wrong, it would barf?
It barfs because the verification code is wrong, and there is no way
for the user to tell it not to verify the sig. And from what I can
tell, even if the code did work it would only work for PGP 2.6. If
you used PGP 5 or GnuPG, you'd be sunk.
My code will only attempt to verify the sig if
'package-get-require-signed-base-updates' is non-nil and a sig
exists. It also sets the PGP version for MailCrypt depending on what
you have installed.
SJT> What you could do is change the name of the signature, that way only
SJT> patched XEmacsen would know that the signature exists. Put in an
SJT> option not to use it.
So maintain 2 separate package-index files... a signed one for the
bleeding edge crowd, and an unsigned one for everyone else? Possible,
but I'd have to automate it so as to reduce the chances of them
getting messed up or out of sync.
--
|---<Steve Youngs>---------------<GnuPG KeyID: 9E7E2820>---|
| XEmacs - It's not just an editor. |
| It's a way of life. |
|------------------------------------<youngs(a)xemacs.org>---|
6:01 p.m.
At 12:28 AM 11/30/01 +1000, Steve Youngs wrote:
I've got this working, but I'm wondering if we really need it
or not.
I mean, as far as I can tell, this part of the XEmacs Package System
has never worked, and it was introduced in 1998. Obviously it was
never seen as important enough to do anything about.
Do the package-index files need to be PGP signed? Does anyone know
what the reasoning was behind the idea in the first place?
Another thing that concerns me is that if I apply the patch to fix the
PGP stuff and then start signing the package-index files it'll bugger
up any XEmacsen that is pre-PGP-patch.
So, what would you like me to do; fix the PGP code and tell everyone
to stop whining and upgrade, or get rid of the PGP code in the
package tools altogether?
I would suggest its always been pointless functionality, but I know there
are the paranoid that disagree.
andy
10:51 p.m.
On Fri, 30 Nov 2001, Steve Youngs wrote:
I've got this working, but I'm wondering if we really need it
or not.
It would be nice to have, but it's probably not *necessary*.
I mean, as far as I can tell, this part of the XEmacs Package System
has never worked, and it was introduced in 1998. Obviously it was
never seen as important enough to do anything about.
I was under the impression that it was being fixed by the maintainer of
the package system, actually, though I can't think /why/ I "knew" this
to be the case. ;)
Do the package-index files need to be PGP signed? Does anyone know
what the reasoning was behind the idea in the first place?
Confidence in distribution. Since Emacs Lisp can run is the context of a
user, including root, it's a security risk to just drag any old Lisp of
the 'net and run it.
PGP signing the package index means that the MD5 in there is very hard
to spoof for an attacker, which means, in turn, that the package system
will legitimately bitch when a modified package is downloaded.
[...]
So, what would you like me to do; fix the PGP code and tell everyone
to stop whining and upgrade, or get rid of the PGP code in the
package tools altogether?
Implement.:)
Daniel
--
A stupid man's report of what a clever man says can never be accurate, because
he unconsciously translates what he hears into something he can understand.
-- Bertrand Russell
4:53 p.m.
Steve Youngs <youngs(a)xemacs.org> writes:
Do the package-index files need to be PGP signed?
At the moment it is definitely causing more trouble than it is worth.
It has got all kind of weird failure modes and got broken for good
when the PGP format changed with PGP5 and pgp 2.6 didn't cope
gracefully.
Does anyone know
what the reasoning was behind the idea in the first place?
The reasoning was that by signing the MD5s in the package index,
you could be reasonable sure of the origins of the packages.
Another thing that concerns me is that if I apply the patch to fix
the
PGP stuff and then start signing the package-index files it'll bugger
up any XEmacsen that is pre-PGP-patch.
So, what would you like me to do; fix the PGP code and tell everyone
to stop whining and upgrade, or get rid of the PGP code in the
package tools altogether?
If you have working code that does reliable GPG verification I suggest
having a separate signature (or a separate package-index.gpg file
which is signed) so as to not hurt older XEmacsen and which newer once
would pick up if it existed.
Later we can then switch the default to require the .gpg file.
Jan
8393
days inactive
8394
days old
5 comments
5 participants
participants (5)
-
Andy Piper -
Daniel Pittman -
Jan Vroonhof -
Stephen J. Turnbull -
Steve Youngs