globalcitizen / lxc-gentoo

lxc-gentoo: Linux Containers Gentoo Guest Template Script
http://globalcitizen.github.com/lxc-gentoo
GNU General Public License v3.0

Add GPG signature and checksum checking #73

Closed specing closed 9 years ago

specing commented 9 years ago

Zzzzzzzzz #38

globalcitizen commented 9 years ago

I like the idea and applaud the effort, but we've been holding out for a 'proper solution' (see https://bugs.gentoo.org/show_bug.cgi?id=453620 for explanation and progress) and accepting this patch means everyone has to add a manual process to their usage.

I guess my resistance to applying this is therefore twofold:

(1) How is this (not) going to work with the emerging 'proper' solution?

(2) How can we remove the manual process hassle for current users?

If you can investigate/solve those two issues I'm happy to apply.

specing commented 9 years ago

That bug has been open for over two years now and I don't want people to run unsigned code just because we are waiting on some "proper solution". As for it being manual... well, using emerge-webrsync (and you should be using it) with GPG requires manual setup as well (though with a separate gpg directory).

(1) After it finally emerges after X more years, we'll fix the script.

(2) Embed the key into the script?

globalcitizen commented 9 years ago

Sure, we can waive (1). While (2) is really not good practice, you are right that waiting may just be another two years... so... if you want to implement the embedded key, including some form of meaningful failure messages for the case that the key has expired (abort) or the binary is signed by a different key (abort), and some option to override/skip the whole GPG business, I'd be happy to merge. Sorry to be pedantic. :)

specing commented 9 years ago

I only suggested embedding the key because you asked for it, but I don't think that is good practise.

http://www.gentoo.org/doc/en/handbook/2006.0/handbook-x86.xml?full=1#webrsync-gpg

globalcitizen commented 9 years ago

You're right that it's not ideal. Unfortunately, we have a strong competing concern here: we can't assume people are on a Gentoo host, so emerge-webrsync is not something we are able to rely on outside of the container for the purposes of container setup. This is part of the reason why I was waiting for the 'proper solution'... because anything hacky and temporary that meets our portability requirements is by definition hacky and temporary.

specing commented 9 years ago

We would not be relying on emerge-webrsync. I only linked it for the GPG setup instructions, which are "pretty much" the same: `gpg --keyserver subkeys.pgp.net --recv-keys 0xBB572E0E2D182910` and you are done

specing commented 9 years ago

... I'm going to add this into the instructions, provide an env var for an alternate GPG home, and add signature checking for the portage download.

specing commented 9 years ago

done.

specing commented 9 years ago

Zzzzzzzzzz

globalcitizen commented 9 years ago

Sorry I'm stuck in China with crap to nonexistent internet and am quite busy. I'll merge when I get out to Europe in a week or two. It's really that bad. Apologies for the delay!

On 4 April 2015 at 18:14, Fedja Beader notifications@github.com wrote:

Zzzzzzzzzz

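The checks requested in this thread (abort with a distinct message when the key has expired or the file is signed by a different key, an override to skip verification, and an alternate GPG home), as an added example that is not part of this PR or of lxc-gentoo: it classifies GnuPG's machine-readable `--status-fd` output against a pinned fingerprint. The function names, the `LXC_GENTOO_GPGHOME` and `LXC_GENTOO_SKIP_GPG` variables, and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example. classify_gpg_status, verify_download, LXC_GENTOO_GPGHOME and
# LXC_GENTOO_SKIP_GPG are hypothetical names, not lxc-gentoo's own.

# Reads `gpg --status-fd` lines on stdin, prints one verdict word.
# $1 = pinned primary-key fingerprint (40 hex digits, no spaces).
classify_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"                    { next }
        $2 == "BADSIG"                      { bad = 1 }
        $2 == "REVKEYSIG"                   { revoked = 1 }
        $2 == "EXPKEYSIG" || $2 == "EXPSIG" { expired = 1 }
        $2 == "NO_PUBKEY"                   { nokey = 1 }
        $2 == "GOODSIG"                     { good++ }
        # VALIDSIG also accompanies EXPKEYSIG and REVKEYSIG, so it is used
        # only for the fingerprint; its last field is the primary key.
        $2 == "VALIDSIG"                    { valid++; fpr = toupper($NF) }
        END {
            if (bad)                          print "bad-signature"
            else if (revoked)                 print "revoked-key"
            else if (expired)                 print "expired-key"
            else if (nokey)                   print "missing-key"
            else if (good != 1 || valid != 1) print "no-signature"
            else if (fpr != toupper(want))    print "wrong-key"
            else                              print "ok"
        }'
}

# $1 = downloaded file, $2 = detached signature, $3 = pinned fingerprint.
verify_download() {
    if [ "${LXC_GENTOO_SKIP_GPG:-0}" = 1 ]; then
        echo "WARNING: GPG check skipped for $1" >&2
        return 0
    fi
    verdict=$(gpg --homedir "${LXC_GENTOO_GPGHOME:-$HOME/.gnupg}" --batch \
                  --status-fd 1 --verify "$2" "$1" 2>/dev/null |
              classify_gpg_status "$3")
    case $verdict in
        ok)          return 0 ;;
        expired-key) echo "ABORT: signing key or signature expired" >&2 ;;
        wrong-key)   echo "ABORT: $1 not signed by pinned key $3" >&2 ;;
        missing-key) echo "ABORT: signing key not in keyring" >&2 ;;
        *)           echo "ABORT: signature check failed: $verdict" >&2 ;;
    esac
    return 1
}
```

Relying on gpg's exit status alone would not separate these cases, and a missing `gpg` binary or empty status output falls through to the abort branch rather than passing.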