[rb-general] distributed package verification system

Bernd Hopp berndjhopp at gmail.com
Thu Jun 2 10:46:25 CEST 2016 

Hi Ludo, rpfl brings a daemon that does most of the client side business
logic, so in that way it is more or less generic and distro-agnostic.
Plugins for the package managers need to be adapted for every system of
course, but what a plugin needs to do is just:

1: call the rpfl daemon to start a new verification process for the
packages that are being downloaded currently
2: report all finished downloads to the rpfl daemon, so it can compute
hashes of these local files
3: before actually installing the packages, ask the rpfl daemon if the
downloaded packages are legit

To implement that as a dnf plugin should not be too much code. Apt however
does not seem to bring a plugin-api so it would probably end in a fork in
that case.

Guix challenge looks interesting, however it seems to have a different
approach and it is hard wired to guix of course, but I'll have a look at
it.

best
Bernd





On Thu, Jun 2, 2016 at 10:17 AM, Ludovic Courtès <ludo at gnu.org> wrote:

> Hello,
>
> Bernd Hopp <berndjhopp at gmail.com> skribis:
>
> > I'm looking for developers and build experts to join my project for
> > distributed package verification rpfl (github
> > <https://github.com/berndhopp/rpfl>) and would like to ask you to give
> me a
> > hand at this. Goal of the project is to give package management systems
> the
> > opportunity to verify that a downloaded package corresponds to its
> publicly
> > available source code. To achieve this, a server will create hashes of
> the
> > packages that it had previously build from source and sign them via
> > ed25519; this signature is then be used by the client to check if the
> > downloaded package is the same as the package resulting from a build from
> > source.
>
> I think this is a worthy goal.  My feeling is that this cannot be
> achieved in a way that is completely independent of the distro and its
> package management tool, which I think is also what Holger is
> suggesting.
>
> Guix has ‘guix challenge’, which looks similar in spirit to what you
> describe, but it’s of course Guix-specific:
>
>
> https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-challenge.html
>
> Happy hacking!  :-)
>
> Ludo’.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20160602/d732bce1/attachment.html>

More information about the rb-general mailing list