Meeting minutes from Env-and-Stacks WG meeting (2014-04-01)

Thu Apr 3 13:18:48 UTC 2014

On 04/03/2014 02:29 PM, Miroslav Suchý wrote:
> On 04/03/2014 03:46 AM, Toshio Kuratomi wrote:
>> I saw that this got voted on in the meeting even though it didn't get
>> recorded as such for the meeting minutes.  The proposal seemed to be:
>> use obs-sign to sign packages.  That's not actually a proposal that we
>> can approve here.  The proposal here should probably be: "is signing
>> of packages a blocker for making the playground repo, nice to have, or
>> optional?"
>>
>> In terms of how to get the packages signed, that's something that the
>> infrastructure team has to decide.  IIRC past conversations correctly,
>> adding another signing server (meaning a different code base) to
>> infrastructure is at the bottom of their list of ways to sign packages
>> in copr (and by extension in the playground repo).
>>
>> When I saw the vote in the meeting logs I mentioned it to nirik.  In
>> turn he told me that he hadn't heard anything about this and had only
>> glanced briefly at obs-sign (mentioning that it wasn't even packaged
>> for Fedora yet).  As I related to tjanez on IRC today, I think lack of
>> packaging probably slows down infra's ability to deploy it but is only
>> a foottnote to the real problems.  Compromising signing servers and
>> gaining access to the private keys on them is a very high value target
>> for an attacker.  The more signing servers we have the greater the
>> attack surface infrastructure has to protect.  probably in the ideal
>> scenario infra would run a single signing server and everything
>> needing signing would be sent to that.  (Jesse Kating had that use in
>> mind when he designed sigul but I don't know if that design goal
>> actually became part of the software that we are currently running).
>> A step down from there might be running multiple instances of the same
>> signing software to handle the various needs as infra would then have
>> to protect the keys on these multiple hosts.  At the bottom of the
>> list is running separate signing software as that places the
>> additional burden of auditing and protecting the software stack of the
>> multiple signing servers.
>>
>> For whoever is going to approach infra about signing the packages in
>> copr it probably makes more sense to either talk about enhancing sigul
>> to work with copr or getting obs-sign to be able to sign packages from
>> koji.  We'd probably also want to ask bressers or someone else from
>> the security team to do some sort of evaluation of the code bases that
>> we're looking at.
>
> That would be probably me. I mean the guy who will be implementing
> signing of packages in Copr.
>
> I investigated several possibilities and talked to several people. But
> you are correct that I did not send conclusion to mailing list yet.
> Maybe it is right time to do it now.
>
> One of the guy to who I talked to is Miroslav Trmac, who is current
> maintainer and main author of Sigul since 2009.
> The conclusion from discussion with him is that:
> * we would need need different instance, because to use the same
> instance for main distribution and for relaxed ring (Copr,
> Playground...) is not best idea. Neither from security POV nor for
> technical implementation. (*)
> * we would need to do some development of Sigul before deploying new
> instance
> * and we would likely should migrate to gpg2 (from gpg1)
> * Sigul have very restricted network setup, which is probably not needed
> for Copr
>
> On the other hand obs-sign:
> * is actively maintained
> * is more simple
> * used in OBS as well (which mean community and so on)
> * have security model and network setup good enough for Copr (I arranged
> meeting of Adrian Shröter from OBS and Mirek Trmač during DevConf.cz
> where they discussed technical details and none of them seen any blocker).
>
> Yes, obs-sign is not packaged for Fedora (yet), but the spec exists and
> I can get it in Fedora withing week. I do not see that as problem.
>
> If I sum it up, then obs-sign is clear winner to me. Therefore this is
> the way I would like to go in Copr.
>
> But it still does not bubble up in my TODO list. So we have plenty of
> time for discussion :)
>
>
> (*) You suggested that having one signing server is better as "The more
> signing servers we have the greater the
>  > attack surface infrastructure has to protect." I disagree.
> First: it is not technical possible. Because Koji and current Sigul is
> in different networks and I'm not sure if we want to change it. Likely not.
> Second: if you compromise Copr signing server then you have compromised
> main distribution. Therefore even from security POV is better to have
> different signing server for main distribution and for Copr.
>
The summary of Mirek's notes was for a long time in Open Questions 
section [1]. I removed it yesterday, because it was voted for obs-signd. 
Mirek is member of infra, so I leave the discussion up to him.

[1] 
https://fedoraproject.org/wiki/Env_and_Stacks/Playground_repository_%28draft%29#Open_Questions

Marcela