Date: Sun, 14 Jun 2020 01:06:41 +0200
From: Wolf <wolf@wolfsden.cz>
To: Maxwell Rees <maxcrees@me.com>
Cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: How to protect repository's private key?
Message-ID: <20200613230641.muuz6ombwesu5p5r@wolfsden.cz>
References: <20200613212426.kqtzbohhnfme4lhn@wolfsden.cz>
 <EF5EF49E-2FDD-43AC-9AE8-F56881A37B17@me.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="5ukdj7pbo7zxofwl"
Content-Disposition: inline
In-Reply-To: <EF5EF49E-2FDD-43AC-9AE8-F56881A37B17@me.com>


--5ukdj7pbo7zxofwl
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2020-06-13 16:52:42 -0500, Maxwell Rees wrote:
> [..]
> the strategy you describe is basically what I have encoded in software
> that I've been developing called APK Foundry.
> [..]

Is that somewhere available so that I can take a peek? Searching for
`APK Foundry' gave be bunch of android-related pages.

> It sounds like abuild-gzsplit needs to be fixed then; you should file
> an issue on alpine/abuild.git.=20

I've done that already [0] :) . The issue is that abuild-gzsplit
explicitly checks for names of entries [1], which broke when they were
switched to use PaxHeaders in 660f793d6de6291204ba044e03b37826d2e78e88
[2]. Sadly I do not have enough knowledge to be confident enough to put
forward a patch for this.

[0] https://gitlab.alpinelinux.org/alpine/abuild/-/issues/9999
[1] https://gitlab.alpinelinux.org/alpine/abuild/-/blob/master/abuild-gzspl=
it.c#L36
[2] https://gitlab.alpinelinux.org/alpine/abuild/-/commit/660f793d6de629120=
4ba044e03b37826d2e78e88

As a side note, would you know if there is a reason why abuild does not
have any tests? Like, this would be found by *any* test suite checking
basic functionality. Is it matter of ideology or just no one had time to
write them?

> > How is this issue usually solved? What approach does official Alpine
> > repository takes? What approach do people with private repositories use?
>=20
> I can't speak for Alpine but Ad=E9lie doesn't have mitigations for this
> in place yet; it is my hope that we will eventually adopt my software
> to fix that. As far as I know most developers with private
> repositories use either lxc/lxd, docker-abuild, or just build directly
> on the host (eww) and don't really consider these issues.=20

That's... sad state of things. I will probably end-up with patched
abuild that will just not call abuild-sign as a temporary workaround.

Do you think it would be useful to actually have such a flag as an
option (=3D=3D should I try to do it in proper way and upstream it)?

W.

--=20
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

--5ukdj7pbo7zxofwl
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE7BIrb0FxyZaks1p7hTP5S2N55TgFAl7lXAAACgkQhTP5S2N5
5ThaNQ//YmIwmG/aq5sNMVmCyUNw6IBZByw7weF/nI3tTrfe2/jhvSb6Os2Gig46
4y3yQW0lt54EnaG8JE7W7ogdPPo5Euaqs7SM7ZfSuXM0hCuSJFbRnPNWDJhGRkGh
TYwdveyLu517qspLfT1K20+nmSMuyXFQCgBJzTkI0nOiAAynF3ZXI+kdVEK8p0if
W5Y7/ICyfKPaIMLK/t6vE7i2fkaB2ajBdlDu/EZMDc+wY6zzr61ygpAcGbrhB1WV
uUjowVQTPKwSjY+05IoCWJ7lODQ1786tJJWwx23VWug08seS2h+cB2h79zUbDVTA
BY92mFrzjF2D6QZsFNdKQM0xJMKfHi5tfleJ5sk0ZoSqqdVf4QdsyI1jb+ya02y4
GhrvLH47C2c0Loo/BI84IISP3k6bTTlvJlDso2YM1xT+/BPsspkX052QahRQ6Y8x
2vOD3i68UxT/I5tz5OiooiEoTrBrt3OWZ7B0XHJu6WjXmL+Fv9/7VXb+ZqMCsGPZ
8dRA5raJ3gZorfy76cxihEEqIfBuNwIGwJa4QD/R6I0f+3ULIOJwkOATMztAVXyU
jS87DREfLswqEY87dH0U5SE0UysFoT5S9sVCr4ZQ2FnYt//VA1jlwL/jq6viQh6h
TN76T/waPtmkk4XXpgR/GaG+TtjoJ1OkFABYhP8+C12X78phEGs=
=tPZ4
-----END PGP SIGNATURE-----

--5ukdj7pbo7zxofwl--