Meeting minutes from Env-and-Stacks WG meeting (2014-04-01)

Miroslav Suchý msuchy at redhat.com
Thu Apr 3 12:29:16 UTC 2014 

On 04/03/2014 03:46 AM, Toshio Kuratomi wrote:
> I saw that this got voted on in the meeting even though it didn't get
> recorded as such for the meeting minutes.  The proposal seemed to be:
> use obs-sign to sign packages.  That's not actually a proposal that we
> can approve here.  The proposal here should probably be: "is signing
> of packages a blocker for making the playground repo, nice to have, or
> optional?"
>
> In terms of how to get the packages signed, that's something that the
> infrastructure team has to decide.  IIRC past conversations correctly,
> adding another signing server (meaning a different code base) to
> infrastructure is at the bottom of their list of ways to sign packages
> in copr (and by extension in the playground repo).
>
> When I saw the vote in the meeting logs I mentioned it to nirik.  In
> turn he told me that he hadn't heard anything about this and had only
> glanced briefly at obs-sign (mentioning that it wasn't even packaged
> for Fedora yet).  As I related to tjanez on IRC today, I think lack of
> packaging probably slows down infra's ability to deploy it but is only
> a foottnote to the real problems.  Compromising signing servers and
> gaining access to the private keys on them is a very high value target
> for an attacker.  The more signing servers we have the greater the
> attack surface infrastructure has to protect.  probably in the ideal
> scenario infra would run a single signing server and everything
> needing signing would be sent to that.  (Jesse Kating had that use in
> mind when he designed sigul but I don't know if that design goal
> actually became part of the software that we are currently running).
> A step down from there might be running multiple instances of the same
> signing software to handle the various needs as infra would then have
> to protect the keys on these multiple hosts.  At the bottom of the
> list is running separate signing software as that places the
> additional burden of auditing and protecting the software stack of the
> multiple signing servers.
>
> For whoever is going to approach infra about signing the packages in
> copr it probably makes more sense to either talk about enhancing sigul
> to work with copr or getting obs-sign to be able to sign packages from
> koji.  We'd probably also want to ask bressers or someone else from
> the security team to do some sort of evaluation of the code bases that
> we're looking at.

That would be probably me. I mean the guy who will be implementing signing of packages in Copr.

I investigated several possibilities and talked to several people. But you are correct that I did not send conclusion to 
mailing list yet. Maybe it is right time to do it now.

One of the guy to who I talked to is Miroslav Trmac, who is current maintainer and main author of Sigul since 2009.
The conclusion from discussion with him is that:
* we would need need different instance, because to use the same instance for main distribution and for relaxed ring 
(Copr, Playground...) is not best idea. Neither from security POV nor for technical implementation. (*)
* we would need to do some development of Sigul before deploying new instance
* and we would likely should migrate to gpg2 (from gpg1)
* Sigul have very restricted network setup, which is probably not needed for Copr

On the other hand obs-sign:
* is actively maintained
* is more simple
* used in OBS as well (which mean community and so on)
* have security model and network setup good enough for Copr (I arranged meeting of Adrian Shröter from OBS and Mirek 
Trmač during DevConf.cz where they discussed technical details and none of them seen any blocker).

Yes, obs-sign is not packaged for Fedora (yet), but the spec exists and I can get it in Fedora withing week. I do not 
see that as problem.

If I sum it up, then obs-sign is clear winner to me. Therefore this is the way I would like to go in Copr.

But it still does not bubble up in my TODO list. So we have plenty of time for discussion :)


(*) You suggested that having one signing server is better as "The more signing servers we have the greater the
 > attack surface infrastructure has to protect." I disagree.
First: it is not technical possible. Because Koji and current Sigul is in different networks and I'm not sure if we want 
to change it. Likely not.
Second: if you compromise Copr signing server then you have compromised main distribution. Therefore even from security 
POV is better to have different signing server for main distribution and for Copr.

-- 
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys

More information about the devel mailing list