From: Ariadne Conill
Date: Fri, 17 Jan 2020 23:15:08 +0000
Subject: Re: repo pinning, whether to include repository name in pkg [was Re: new package format and repository layout changes]
To: Timo Teras, Drew DeVault
Cc: Natanael Copa, ~alpine/devel@lists.alpinelinux.org
Message-ID: <185d5d5ee06c85855c43c3386bae7e90@dereferenced.org>
In-Reply-To: <20200118001927.3492f70d@vostro.lan>
References: <20200118001927.3492f70d@vostro.lan> <20200117093110.13bfdc9f@vostro.lan>

Hello,

January 17, 2020 4:19 PM, "Timo Teras" wrote:

> On Fri, 17 Jan 2020 09:06:38 -0500
> "Drew DeVault" wrote:
>
>> On Fri Jan 17, 2020 at 9:31 AM, Timo Teras wrote:
>> Having said all this, I am still somewhat concerned and thinking
>> that putting the repository name into the package might be a useful thing.
>> But perhaps it should be the originally-built-from repository and
>> not the index name.
>>
>> Do any of you share my concern that the repo name should be
>> signed?
>>
>> Still NACK on signing the repo name. Signed data should be autonomous
>> of its original source; so long as it's signed, it doesn't matter how
>> it got to you.
>
> Would you be able to give some reasoning, arguments or use-cases why
> you think this is the correct approach?

Downstream of Alpine, we use apk fetch to compose repositories for
customers which contain the exact set of packages we provide support
for. These package sets are not aligned with the repository split
that upstream Alpine uses. It would be desirable to retain this
functionality without having to resign the packages.

While breaking this functionality would only require some minor
rework of our scripts (to resign the packages), it also breaks the
ability to audit the supply chain: our customer cannot verify that
their package has actually originated from Alpine if we resign it
at present. Accordingly, it would be desirable in any case that
we have to rewrite the control section of the package to be able to
include a signed copy of the previous control section, to ensure that
the supply chain auditability requirement is preserved.

Being able to compose new repositories from existing ones *and*
preserve the original signatures is, unfortunately, for various
reasons, a hard requirement for us.

Thanks,
Ariadne
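What the two positions in this thread mean for a downstream repository composed with apk fetch, worked through as an added example (editor's illustration, not code from apk-tools, Alpine, or any participant): a package whose signature does not cover a repository name verifies wherever it is served; one whose signature binds the repo name fails verification once relocated and has to be resigned; and a resigned package that nests the original signed control section lets the end customer still check the upstream signature. HMAC-SHA256 with per-signer secrets stands in for apk's public-key signatures, and all keys, field names, package names and version strings are constructed for the demo.

```python
"""Toy model of the signing designs discussed in the thread.

Added example, not code from apk-tools or Alpine. HMAC-SHA256 with a
per-signer secret stands in for the public-key signatures apk uses; only
*what the signature covers* matters here. Keys, fields and version strings
are constructed for this demonstration.
"""
import hashlib
import hmac
import json

# Constructed secrets standing in for Alpine's and a downstream vendor's keys.
KEYS = {
    "alpine": b"constructed-alpine-signing-key",
    "vendor": b"constructed-vendor-signing-key",
}


def canonical(control: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(control, sort_keys=True, separators=(",", ":")).encode()


def sign(signer: str, control: dict) -> dict:
    mac = hmac.new(KEYS[signer], canonical(control), hashlib.sha256).hexdigest()
    return {"signer": signer, "sig": mac}


def verify(signature: dict, control: dict) -> bool:
    key = KEYS.get(signature.get("signer"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(control), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["sig"])


def build_package(name: str, version: str, data: bytes, repo=None) -> dict:
    """Upstream build. If `repo` is given, the repo name is covered by the signature."""
    control = {"name": name, "version": version,
               "datahash": hashlib.sha256(data).hexdigest()}
    if repo is not None:
        control["repo"] = repo
    return {"control": control, "signature": sign("alpine", control), "data": data}


def verify_package(pkg: dict, serving_repo: str) -> bool:
    """Client-side check for a package fetched from `serving_repo`."""
    control = pkg["control"]
    if not verify(pkg["signature"], control):
        return False
    if hashlib.sha256(pkg["data"]).hexdigest() != control["datahash"]:
        return False
    # Only a design that signs the repo name can reject a relocated package.
    if "repo" in control and control["repo"] != serving_repo:
        return False
    return True


def compose_repo(pkgs: list, repo_name: str) -> dict:
    """Downstream 'apk fetch' style composition: packages copied unchanged."""
    return {"repo": repo_name, "packages": list(pkgs)}


def resign_with_provenance(pkg: dict, vendor: str, new_repo: str) -> dict:
    """Vendor rewrites the control section for its own repo but nests the
    original signed control section, keeping the upstream signature checkable."""
    new_control = {k: v for k, v in pkg["control"].items() if k != "repo"}
    new_control["repo"] = new_repo
    new_control["previous"] = {"control": pkg["control"], "signature": pkg["signature"]}
    return {"control": new_control, "signature": sign(vendor, new_control), "data": pkg["data"]}


def verify_chain(pkg: dict, serving_repo: str):
    """Verify the outer package, then walk nested control sections back to the
    origin. Returns the signers (outermost first) or None on any failure."""
    if not verify_package(pkg, serving_repo):
        return None
    signers = [pkg["signature"]["signer"]]
    prev = pkg["control"].get("previous")
    while prev is not None:
        if not verify(prev["signature"], prev["control"]):
            return None
        if prev["control"]["datahash"] != pkg["control"]["datahash"]:
            return None  # nested section must describe the same payload
        signers.append(prev["signature"]["signer"])
        prev = prev["control"].get("previous")
    return signers


def demo() -> dict:
    data = b"constructed package payload"
    unbound = build_package("example-pkg", "1.0-r0", data)             # repo name not signed
    bound = build_package("example-pkg", "1.0-r0", data, repo="main")  # repo name signed
    vendor_repo = compose_repo([unbound, bound], "vendor-support")
    resigned = resign_with_provenance(bound, "vendor", "vendor-support")
    return {
        "unbound_relocates": verify_package(vendor_repo["packages"][0], vendor_repo["repo"]),
        "bound_relocates": verify_package(vendor_repo["packages"][1], vendor_repo["repo"]),
        "bound_in_origin": verify_package(bound, "main"),
        "chain": verify_chain(resigned, "vendor-support"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unbound package verifying in the composed repo, the bound one failing there while still verifying in `main`, and the resigned package yielding the signer chain `["vendor", "alpine"]`, which is the auditability property the message asks to preserve.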