Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Todd Vierling <tv@duh.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-pkg
Date: 07/26/2005 12:32:25
On Mon, 25 Jul 2005, Todd Vierling wrote:

> In reality, it's not hard to sign an archive that uses stream-based
> compression after the fact without extracting to the filesystem.  It just
> requires a bit more CPU to do two decompression passes (one to create
> signatures/hashes, and one to stream data to be recompressed) and one
> compression pass (to rebuild the tarball with the signature up front).

Right. This is basically my thought on the matter. Same goes for
checking, if you have issues with extracts overwriting files or
whatever. At any rate, it leaves it in the clients' hands, where it
belongs, I feel. Even the streamers, well, store it in a temp file!
(Or use ZIP. Sheesh. :-))

> If pkg_add understands the archive format internally (thus eliminating any
> "hidden data" attacks caused by invoking an external tar or pax or
> what-have-you), then just signing/hashing every physical file in the archive
> is directly analogous to signing the tarball externally.

Right. In fact, I'd imagine a bunch of this functionality would become
part of a library shared by pkg_add, pax, and friends.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
      Make up enjoying your city life...produced by BIC CAMERA