James Turnbull <james@lovedthanlost.net> writes:

> The MD5 hash for the file is here:
>
> http://reductivelabs.com/downloads/puppet/puppet-0.24.7rc2.tgz.md5

As the one who requested this[0], I'm happy that this is being provided, thanks! This is significantly better than most projects out there already. However, I do think that it could be one step better. The point of providing a md5sum (or even a sha1 sum) of a release tarball is so that those of us downloading it can verify that the sums match locally with what you have provided. This gives us some integrity checking to know that the tarball hasn't been tampered with in transit (over HTTP that is certainly possible).

However, this does not provide us any assurances that the tarball on the reductivelabs.com server has not been messed with. This is actually the more common scenario, someone hacks a webserver and then injects code into a release tarball that everyone downloads and then installs all over their network. This has happened a number of times (Wordpress is the one that I am reminded of), and it's a total nightmare to clean up from every side.

As someone who takes this tarball and packages it up for Debian for distribution to thousands of people who then deploy it on hundreds of thousands of machines, this freaks me out that I do not have a good way of verifying the release. I would like reductivelabs to also have this phear, so we can resolve it, before it bites us :)

The Linux kernel has been doing this since 1999, as it's a critical piece of software that cannot be compromised and then distributed. This enables them to revoke a key and publicize it if the machines that distribute the Linux Kernel archives become compromised, much easier clean-up process.

So how is it possible to provide the cryptographic authenticity that would really ensure that the release tarball that matches that MD5sum is the actual release tarball that reductivelabs is certifying is the correct one?

I would suggest doing signed hashes, simply using OpenPGP to sign the MD5 sums, once they have been verified, then providing this signed MD5 file to the world. It's *even better* if whoever is signing the release has exchanged signatures with people in the current Web of Trust, especially someone who is part of the strongly connected set of people, this provides verification of the identity through a trust path of the identity of the person signing the release.

The way the Linux Kernel does this is by using a detached GPG signature, which you can verify easily with gpg --verify. This would be hot!

I would be happy to help in this effort, as someone who uses GPG daily for communications, for Debian work and part of the Monkeysphere project[1], I'm particularly interested in having these assurances taken care of the right way!

Micah

0. http://projects.reductivelabs.com/issues/show/1777
1. http://monkeysphere.info

On Tue, Dec 09, 2008 at 04:30:36PM -0500, Micah Anderson wrote:

> James Turnbull <james@lovedthanlost.net> writes:
>
> > The MD5 hash for the file is here:
> >
> > http://reductivelabs.com/downloads/puppet/puppet-0.24.7rc2.tgz.md5
>
> As the one who requested this[0], I'm happy that this is being
> provided, thanks! This is significantly better than most projects out
> there already. However, I do think that it could be one step better. The
> point of providing a md5sum (or even a sha1 sum) of a release tarball is
> so that those of us downloading it can verify that the sums match
> locally with what you have provided. This gives us some integrity
> checking to know that the tarball hasn't been tampered with in transit
> (over HTTP that is certainly possible).

This also struck me as being useful, but "not quite there yet", because it would have been enough to just paste the checksum in the email since James PGP-signed his email too... ;)

A.

--
Information is not knowledge
Knowledge is not wisdom
Wisdom is not truth
  - Frank Zappa

The Anarcat <anarcat@anarcat.ath.cx> writes:

> On Tue, Dec 09, 2008 at 04:30:36PM -0500, Micah Anderson wrote:
>> James Turnbull <james@lovedthanlost.net> writes:
>>
>> > The MD5 hash for the file is here:
>> >
>> > http://reductivelabs.com/downloads/puppet/puppet-0.24.7rc2.tgz.md5
>>
>> As the one who requested this[0], I'm happy that this is being
>> provided, thanks! This is significantly better than most projects out
>> there already. However, I do think that it could be one step better. The
>> point of providing a md5sum (or even a sha1 sum) of a release tarball is
>> so that those of us downloading it can verify that the sums match
>> locally with what you have provided. This gives us some integrity
>> checking to know that the tarball hasn't been tampered with in transit
>> (over HTTP that is certainly possible).
>
> This also struck me as being useful, but "not quite there yet", because
> it would have been enough to just paste the checksum in the email since
> James PGP-signed his email too... ;)

I've created documentation in the ticket[0] on this issue about how to get a release signing key setup and how to get it deployed into the release process for puppet. I am very interested in any comments for how to improve this process, how to make it more clear, or if there are any glaring omissions.

I've also created a wiki page which details how people who download the archive could cryptographically verify it[1], I'd also be interested in discussion or ideas about this!

0. http://projects.reductivelabs.com/issues/show/1777
1. http://reductivelabs.com/trac/puppet/wiki/VerifyingDownloads

On Tue, Dec 09, 2008 at 06:46:58PM -0500, Micah Anderson wrote:

> I've created documentation in the ticket[0] on this issue about how to
> get a release signing key setup and how to get it deployed into the
> release process for puppet. I am very interested in any comments for how
> to improve this process, how to make it more clear, or if there are any
> glaring omissions.
>
> I've also created a wiki page which details how people who download the
> archive could cryptographically verify it[1], I'd also be interested in
> discussion or ideas about this!
>
> 0. http://projects.reductivelabs.com/issues/show/1777
> 1. http://reductivelabs.com/trac/puppet/wiki/VerifyingDownloads

This is great stuff. I think, however, that it may look overly complicated to a user not too familiar with PGP. It's basically steps to create a private key specifically to sign the releases. I want to underline that the only step required on new releases is this:

    $ gpg --homedir $HOME/release_key --detach-sign --output puppet-0.24.7.tar.gz.sign --armor puppet-0.24.7.tar.gz

Fairly simple.

If that's too complicated, MD5 sums can also be used, but they must be signed by someone with a PGP key somewhere, and that key must be well placed enough in the web of trust for this to work.

MD5 sums alone are not enough anymore. They were useful at some point when you were downloading ISOs or big tarballs and wanted to check that the FTP transfer didn't break anything, but nowadays, it's mostly useless: if you can corrupt the tarball, you can regen the MD5.

A.

--
Freedom is being able to make decisions that affect mainly you. Power is being able to make decisions that affect others more than you. If we confuse power with freedom, we will fail to uphold real freedom.
  - Richard Stallman
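
The downloader's side of the detached signature discussed in this thread, as an added example that is not part of the original messages: a POSIX shell check that accepts a tarball only when gpg's machine-readable status output reports a valid signature from one pinned release key. The fingerprint, the sample status lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). PINNED_FPR is a constructed placeholder;
# use the release key's real fingerprint, obtained out of band.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status FPR: read `gpg --status-fd` lines on stdin. Succeed only if a
# VALIDSIG line names FPR as signing or primary key and no signature in the
# output is bad, unverifiable, expired or made by an expired/revoked key.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the primary key fingerprint.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release TARBALL SIGFILE: judge the status lines rather than the exit
# code, because gpg also exits 0 for a good signature by any other key that
# happens to be in the keyring. A missing gpg yields no status and fails.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output (not captured from a real gpg run).
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG $PINNED_FPR 2008-12-09 1228860000 0 4 0 1 2 00 $PINNED_FPR"
# Valid signature, but made by a key other than the pinned one.
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2008-12-09 1228860000 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98"
# Tarball modified after signing: the signature no longer matches.
SAMPLE_TAMPERED="[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <release@example.org>"
```

With the release key imported and PINNED_FPR set, the call is `verify_release puppet-0.24.7.tar.gz puppet-0.24.7.tar.gz.sign`, using the file names from the signing command above.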