Meeting minutes from Env-and-Stacks WG meeting (2014-04-01)

Toshio Kuratomi a.badger at gmail.com
Thu Apr 3 01:46:08 UTC 2014


On Tue, Apr 1, 2014 at 6:39 AM, Marcela Mašláňová <mmaslano at redhat.com> wrote:
>
> * Open Questions - Playground: Signing  (mmaslano, 12:04:12)
>
I saw that this got voted on in the meeting even though it didn't get
recorded as such for the meeting minutes.  The proposal seemed to be:
use obs-sign to sign packages.  That's not actually a proposal that we
can approve here.  The proposal here should probably be: "is signing
of packages a blocker for making the playground repo, nice to have, or
optional?"

In terms of how to get the packages signed, that's something that the
infrastructure team has to decide.  IIRC past conversations correctly,
adding another signing server (meaning a different code base) to
infrastructure is at the bottom of their list of ways to sign packages
in copr (and by extension in the playground repo).

When I saw the vote in the meeting logs I mentioned it to nirik.  In
turn he told me that he hadn't heard anything about this and had only
glanced briefly at obs-sign (mentioning that it wasn't even packaged
for Fedora yet).  As I related to tjanez on IRC today, I think lack of
packaging probably slows down infra's ability to deploy it but is only
a footnote to the real problems.  Compromising signing servers and
gaining access to the private keys on them is a very high value target
for an attacker.  The more signing servers we have the greater the
attack surface infrastructure has to protect.  Probably in the ideal
scenario infra would run a single signing server and everything
needing signing would be sent to that.  (Jesse Keating had that use in
mind when he designed sigul but I don't know if that design goal
actually became part of the software that we are currently running).
A step down from there might be running multiple instances of the same
signing software to handle the various needs as infra would then have
to protect the keys on these multiple hosts.  At the bottom of the
list is running separate signing software as that places the
additional burden of auditing and protecting the software stack of the
multiple signing servers.

For whoever is going to approach infra about signing the packages in
copr it probably makes more sense to either talk about enhancing sigul
to work with copr or getting obs-sign to be able to sign packages from
koji.  We'd probably also want to ask bressers or someone else from
the security team to do some sort of evaluation of the code bases that
we're looking at.

-Toshio

