Gary King | 23 May 2007 22:52

ASDF-Install patch to allow installation of unsigned packages

The following patch splits download-files-for-package into
download-source-for-package and download-signature-for-package; alters
install and verify-gpg-signature so that the latter now calls
download-signature-for-package. Added a restart-case in
download-signature-for-package so that we can still install unsigned packages.

I'd like to push this out sometime this week unless someone sees a  
problem...

[misterx:~/darcs/asdf-install] gwking% darcs diff -u asdf-install/ 
installer.lisp
--- old-asdf-install/asdf-install/installer.lisp        2007-05-23  
16:28:17.000000000 -0400
+++ new-asdf-install/asdf-install/installer.lisp        2007-05-23  
16:28:17.000000000 -0400
 <at>  <at>  -152,63 +152,76  <at>  <at> 
(defun download-link-for-signature (url)
    (concatenate 'string url ".asc"))
-(defun download-files-for-package (package-name-or-url)
+(defun download-source-for-package (package-name-or-url)
    (multiple-value-bind (package-url package-file)
        (download-url-to-temporary-file
         (download-link-for-package package-name-or-url))
-    (if (verify-gpg-signatures-p package-name-or-url)
-       (multiple-value-bind (signature-url signature-file)
-           (download-url-to-temporary-file
-            (download-link-for-signature package-url))
-         (declare (ignore signature-url))
-         (values package-file signature-file))
-       (values package-file nil))))
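Review bot: the removed branch derived the signature URL from package-url, the second value returned by download-url-to-temporary-file, not from package-name-or-url; the visible part of the new download-source-for-package still binds package-url but does not show it being returned, so make sure it returns package-url alongside package-file, otherwise download-signature-for-package has to repeat the package-URL lookup and may fetch a different `.asc`. This function also loses its second return value (signature-file, previously nil when verify-gpg-signatures-p was false), so every caller that destructures that value must change in the same patch; the description names install and verify-gpg-signature, but the hunk is cut off before those changes are shown. For the new restart-case, give the missing-signature restart its own report text so that whoever is installing can tell an absent `.asc` from a signature that failed to verify when choosing it.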

Todd | 24 May 2007 17:23

Re: ASDF-Install patch to allow installation of unsigned packages

Gary King <gwking <at> metabang.com> writes:

> The following patch splits download-files-for-package into
> download-source-for-package and download-signature-for-package; alters
> install and verify-gpg-signature so that the latter now calls
> download-signature-for-package. Added a restart-case in
> download-signature-for-package so that we can still install unsigned packages.
>
> I'd like to push this out sometime this week unless someone sees a  
> problem...

I don't claim to be an expert on asdf-install, but this (allowing to
install unsigned packages) seems directly counter to the spirit of it.
Quoting from its cliki page:

   Because cCLan download links can be edited by anyone, we require
   that all packages are accompanied by detached PGP signatures.

It doesn't try to force everyone to build up a web of trust, etc, so
it allows you to install if something goes wrong verifying the
signature, but that's different from allowing people to publish
packages without signing them at all.  If you permit the latter, then
you make things much harder for those who _do_ want to verify
signatures.

I looked at the mailing list archive, and it looks like this idea
started because someone tried to install the MD5 package, but the
signature was missing, and the install failed.  That was as it should
have been (in my view), and the proper way to address that is to email
the author/publisher and ask them to sign it.  I've done that, and the

Andreas Fuchs | 24 May 2007 18:03

Re: ASDF-Install patch to allow installation of unsigned packages

Todd wrote:
> I don't claim to be an expert on asdf-install, but this (allowing to
> install unsigned packages) seems directly counter to the spirit of it.

I'd like to second this. I suggest that instead of circumventing
asdf-install's already pretty thin layer of security features, it might
be more useful to promote mechanisms that ensure these features are not
forgotten by developers. (Shameless self-promotion: CLAPPA, which is due
to launch in a few weeks, disallows adding a package that isn't validly
signed by a known key; these keys can be downloaded from the clappa
service itself.)

Cheers,
-- 
Andreas Fuchs, (http://|im:asf <at> |mailto:asf <at> )boinkor.net, antifuchs

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Gary King | 24 May 2007 19:40

Re: ASDF-Install patch to allow installation of unsigned packages

Hi Todd and Andreas,

I see your point regarding requiring a license file but I'm not sure  
that I agree because ASDF-Install already has several "loopholes":

* you can set *verify-gpg-signatures* to nil or to a list of trusted  
locations
* you can choose a restart around an invalid or untrusted signature

In this case, I know and trust Kevin Rosenberg and was willing to  
take the risk and get the software even though it wasn't signed. I  
didn't like ASDF-Install thinking it knew better than me. Without the  
patch, I'm forced to download the software, unpack it, move it to the  
right place, setup symbolic links, etc.

To my mind, a consistent ASDF-Install is one that allows people to  
skip all of these checks (with verification). It makes no sense to  
allow software to be installed with an invalid signature but prevent  
it from being installed with a missing one. Are you arguing that all  
of these restarts be expunged from ASDF-Install?

--
Gary Warren King, metabang.com
Cell: (413) 885 9127
Fax: (206) 338-4052
gwkkwg on Skype * garethsan on AIM
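The knobs Gary lists above (*verify-gpg-signatures* as t, nil or a list of trusted locations, plus a restart around a failed check), modelled as an added Common Lisp sketch that is not asdf-install's own code; the condition and function names and *unsigned-allowed-locations* are hypothetical. A missing .asc is signalled as its own condition, separate from an invalid one, so the two cases in this debate stay distinguishable and any waiver is an explicit, logged choice.

```lisp
(defvar *verify-gpg-signatures* t
  "T checks every package, NIL none, a list of URL prefixes only those locations.")

(defvar *unsigned-allowed-locations* '()
  "URL prefixes for which a MISSING signature may be waived (explicit opt-in).")

(define-condition signature-missing (error)
  ((url :initarg :url :reader signature-url))
  (:report (lambda (c s) (format s "no signature at ~A.asc" (signature-url c)))))
(define-condition signature-invalid (error)
  ((url :initarg :url :reader signature-url)))

(defun url-in-locations-p (url locations)
  (some (lambda (prefix)
          (let ((n (length prefix)))
            (and (>= (length url) n) (string= prefix url :end2 n))))
        locations))

(defun verify-gpg-signatures-p (package-url)
  "Does the current setting require a signature check for PACKAGE-URL?"
  (etypecase *verify-gpg-signatures*
    (null nil)                                            ; checks off
    ((eql t) t)                                           ; check everything
    (cons (url-in-locations-p package-url *verify-gpg-signatures*))))

(defun check-package-signature (package-url signature-bytes signature-ok-p)
  "Returns :VERIFIED, :UNCHECKED (policy skipped it) or :OVERRIDDEN (restart taken)."
  (unless (verify-gpg-signatures-p package-url)
    (return-from check-package-signature :unchecked))
  (restart-case
      (cond ((null signature-bytes)          ; the server had no .asc at all
             (error 'signature-missing :url package-url))
            ((not signature-ok-p)            ; .asc present but GPG rejected it
             (error 'signature-invalid :url package-url))
            (t :verified))
    (install-anyway ()
      :report "Install without a verified signature (the choice is logged)."
      (format *error-output* "~&WARNING: installing ~A unverified~%" package-url)
      :overridden)))

;; Per-location opt-in for the "I know and trust this publisher" case: a missing
;; .asc from a listed location takes the restart; a bad signature still stops.
(defun install-with-policy (package-url signature-bytes signature-ok-p)
  (handler-bind ((signature-missing
                   (lambda (c)
                     (when (url-in-locations-p (signature-url c)
                                               *unsigned-allowed-locations*)
                       (invoke-restart 'install-anyway)))))
    (check-package-signature package-url signature-bytes signature-ok-p)))
```

With *unsigned-allowed-locations* left empty, a missing signature still lands in the debugger with install-anyway offered as a restart, which is the interactive behaviour the patch description proposes.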


Zach Beane | 24 May 2007 19:48

Re: ASDF-Install patch to allow installation of unsigned packages

Gary King <gwking <at> metabang.com> writes:

> In this case, I know and trust Kevin Rosenberg and was willing to  
> take the risk and get the software even though it wasn't signed.

It's not *Kevin Rosenberg* you have to trust, it's *cliki*.

Zach

Gary King | 24 May 2007 20:10

Re: ASDF-Install patch to allow installation of unsigned packages

On May 24, 2007, at 1:48 PM, Zach Beane wrote:

> Gary King <gwking <at> metabang.com> writes:
>
>> In this case, I know and trust Kevin Rosenberg and was willing to
>> take the risk and get the software even though it wasn't signed.
>
> It's not *Kevin Rosenberg* you have to trust, it's *cliki*.

Well, ..., I guess it's the b9 domain because I can see what file  
ASDF-Install is trying to download and I can see it's missing.

I still don't see why this step should be treated any differently  
than any other step of the process.
--
Gary Warren King, metabang.com
Cell: (413) 885 9127
Fax: (206) 338-4052
gwkkwg on Skype * garethsan on AIM

Tim Daly, Jr. | 24 May 2007 20:23

Re: ASDF-Install patch to allow installation of unsigned packages

Hi Gary,

I'd just like to add my small voice to the chorus:

On May 24, 2007, at 10:40 AM, Gary King wrote:

>
> I see your point regarding requiring a license file but I'm not sure
> that I agree because ASDF-Install already has several "loopholes":
>
> * you can set *verify-gpg-signatures* to nil or to a list of trusted
> locations
> * you can choose a restart around an invalid or untrusted signature
>

It seems to me that these are choices made by the person installing a  
package, whereas making a package without a signature is a choice  
made by the person providing the package.  I'm okay with opting out  
of the signature verification on my end if it's expedient, but I'm  
not really down with a potential proliferation of unsigned packages.   
In my world, an unsigned package should not be called ASDF-INSTALLable.

Cheers,
Tim


Christophe Rhodes | 24 May 2007 20:41

Re: ASDF-Install patch to allow installation of unsigned packages

Gary King <gwking <at> metabang.com> writes:

> On May 24, 2007, at 1:48 PM, Zach Beane wrote:
>
>> Gary King <gwking <at> metabang.com> writes:
>>
>>> In this case, I know and trust Kevin Rosenberg and was willing to
>>> take the risk and get the software even though it wasn't signed.
>>
>> It's not *Kevin Rosenberg* you have to trust, it's *cliki*.
>
> Well, ..., I guess it's the b9 domain because I can see what file  
> ASDF-Install is trying to download and I can see it's missing.

You guess it's the b9 domain, but you don't know if it's actually run
by Kevin, because there could be all sorts of DNS poisoning going on,
and the hostname could be resolving to some completely different host.

> I still don't see why this step should be treated any differently  
> than any other step of the process.

Think of it as socially engineering a safer place for everyone; kind
of like mass immunization.

Cheers,

Christophe


GP lisper | 24 May 2007 20:26

Re: ASDF-Install patch to allow installation of unsigned packages


>Gary Warren King, metabang.com
>Without the patch, I'm forced to download the software, unpack it,
>move it to the right place, setup symbolic links, etc.

So your laziness and whining is justification for compromising our
security?  I'll keep this in mind on _any_ patches from you, and
suggest the group consider removing you from influence here.

Todd | 24 May 2007 21:54

Re: ASDF-Install patch to allow installation of unsigned packages

"Tim Daly, Jr." <tim <at> tenkan.org> writes:

> Hi Gary,
>
> I'd just like to add my small voice to the chorus:
>
> On May 24, 2007, at 10:40 AM, Gary King wrote:
>>
>> I see your point regarding requiring a license file but I'm not sure
>> that I agree because ASDF-Install already has several "loopholes":
>>
>> * you can set *verify-gpg-signatures* to nil or to a list of trusted
>> locations
>> * you can choose a restart around an invalid or untrusted signature
>
> It seems to me that these are choices made by the person installing a
> package, whereas making a package without a signature is a choice
> made by the person providing the package.  I'm okay with opting out
> of the signature verification on my end if it's expedient, but I'm
> not really down with a potential proliferation of unsigned packages.
> In my world, an unsigned package should not be called ASDF-INSTALLable.

Yes, this, particularly the last statement, is the crux of what I was
trying to say.  It seems that other people have gotten the (I think)
mistaken impression that the patch makes it so that any unsigned
package will be installed, whether the user wanted to verify
signatures, or not.  That would be truly awful, but isn't the case, I
think (though I haven't looked in detail).  What I'm talking about is
trivial in comparison, but still worth thinking about, IMHO.
