Meeting minutes from Env-and-Stacks WG meeting (2014-04-01)
mmaslano at redhat.com
Thu Apr 3 13:18:48 UTC 2014
On 04/03/2014 02:29 PM, Miroslav Suchý wrote:
> On 04/03/2014 03:46 AM, Toshio Kuratomi wrote:
>> I saw that this got voted on in the meeting even though it didn't get
>> recorded as such for the meeting minutes. The proposal seemed to be:
>> use obs-sign to sign packages. That's not actually a proposal that we
>> can approve here. The proposal here should probably be: "is signing
>> of packages a blocker for making the playground repo, nice to have, or
>> In terms of how to get the packages signed, that's something that the
>> infrastructure team has to decide. IIRC past conversations correctly,
>> adding another signing server (meaning a different code base) to
>> infrastructure is at the bottom of their list of ways to sign packages
>> in copr (and by extension in the playground repo).
>> When I saw the vote in the meeting logs I mentioned it to nirik. In
>> turn he told me that he hadn't heard anything about this and had only
>> glanced briefly at obs-sign (mentioning that it wasn't even packaged
>> for Fedora yet). As I related to tjanez on IRC today, I think lack of
>> packaging probably slows down infra's ability to deploy it but is only
>> a foottnote to the real problems. Compromising signing servers and
>> gaining access to the private keys on them is a very high value target
>> for an attacker. The more signing servers we have the greater the
>> attack surface infrastructure has to protect. probably in the ideal
>> scenario infra would run a single signing server and everything
>> needing signing would be sent to that. (Jesse Kating had that use in
>> mind when he designed sigul but I don't know if that design goal
>> actually became part of the software that we are currently running).
>> A step down from there might be running multiple instances of the same
>> signing software to handle the various needs as infra would then have
>> to protect the keys on these multiple hosts. At the bottom of the
>> list is running separate signing software as that places the
>> additional burden of auditing and protecting the software stack of the
>> multiple signing servers.
>> For whoever is going to approach infra about signing the packages in
>> copr it probably makes more sense to either talk about enhancing sigul
>> to work with copr or getting obs-sign to be able to sign packages from
>> koji. We'd probably also want to ask bressers or someone else from
>> the security team to do some sort of evaluation of the code bases that
>> we're looking at.
> That would be probably me. I mean the guy who will be implementing
> signing of packages in Copr.
> I investigated several possibilities and talked to several people. But
> you are correct that I did not send conclusion to mailing list yet.
> Maybe it is right time to do it now.
> One of the guy to who I talked to is Miroslav Trmac, who is current
> maintainer and main author of Sigul since 2009.
> The conclusion from discussion with him is that:
> * we would need need different instance, because to use the same
> instance for main distribution and for relaxed ring (Copr,
> Playground...) is not best idea. Neither from security POV nor for
> technical implementation. (*)
> * we would need to do some development of Sigul before deploying new
> * and we would likely should migrate to gpg2 (from gpg1)
> * Sigul have very restricted network setup, which is probably not needed
> for Copr
> On the other hand obs-sign:
> * is actively maintained
> * is more simple
> * used in OBS as well (which mean community and so on)
> * have security model and network setup good enough for Copr (I arranged
> meeting of Adrian Shröter from OBS and Mirek Trmač during DevConf.cz
> where they discussed technical details and none of them seen any blocker).
> Yes, obs-sign is not packaged for Fedora (yet), but the spec exists and
> I can get it in Fedora withing week. I do not see that as problem.
> If I sum it up, then obs-sign is clear winner to me. Therefore this is
> the way I would like to go in Copr.
> But it still does not bubble up in my TODO list. So we have plenty of
> time for discussion :)
> (*) You suggested that having one signing server is better as "The more
> signing servers we have the greater the
> > attack surface infrastructure has to protect." I disagree.
> First: it is not technical possible. Because Koji and current Sigul is
> in different networks and I'm not sure if we want to change it. Likely not.
> Second: if you compromise Copr signing server then you have compromised
> main distribution. Therefore even from security POV is better to have
> different signing server for main distribution and for Copr.
The summary of Mirek's notes was for a long time in Open Questions
section . I removed it yesterday, because it was voted for obs-signd.
Mirek is member of infra, so I leave the discussion up to him.
More information about the devel