cache: compatibility with crypto plugins #2613

Open
mpranj opened this Issue Apr 9, 2019 · 2 comments

mpranj commented Apr 9, 2019

One thing that came up during development of the cache plugin was the security implications for crypto plugins.

The current implementation of cache does not know about crypto plugins, and once decrypted will happily cache the data coming from there.

@petermax2 do you have any ideas concerning this?

The default approach could of course be to not store the cache, if something comes from a crypto plugin. We would need a way of detecting that though.

mpranj added the question label Apr 9, 2019

markus2330 commented Apr 9, 2019

I think the easiest and most secure way would be to completely encrypt the cache with fcrypt. Unfortunately this is:

  • maybe even slower than not using the cache
  • not very user-friendly (gpg setup would be needed)

In the meantime I think we should simply give resolvers some config option to avoid caching in such situations.

mpranj referenced this issue Apr 9, 2019: Global Cache #2270 (Open, 3 of 10 tasks complete)

petermax2 commented Apr 14, 2019

> @petermax2 do you have any ideas concerning this?

Besides not caching confidential content, no, sorry. Maybe we can mark a key or a mount point as confidential somehow and then avoid caching it.
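
The approach suggested in the comments above (skip the cache when data came through a crypto plugin or sits under something marked confidential), sketched as an added example; it is not Elektra's code or API. `DemoKey`, its `confidential` flag, `may_cache` and the mount point list are hypothetical names, and the whole key set is assumed to be written to one cache file, so a single confidential key vetoes caching.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a configuration key; not Elektra's Key type. */
typedef struct {
    const char *name;   /* e.g. "user/app/db/password" */
    int confidential;   /* assumed marker: value was decrypted by a crypto plugin */
} DemoKey;

/* Returns 1 if name equals mount or lies below it on a path boundary,
 * so "user/app/secrets2" is NOT treated as part of "user/app/secrets". */
static int below_mountpoint(const char *name, const char *mount)
{
    size_t n = strlen(mount);
    if (strncmp(name, mount, n) != 0) return 0;
    return name[n] == '\0' || name[n] == '/';
}

/* Decide whether a key set may be written to the on-disk cache.
 * Fails closed: one marked key, or one key below a confidential
 * mount point, keeps the whole set out of the cache. */
int may_cache(const DemoKey *keys, size_t nkeys,
              const char *const *conf_mounts, size_t nmounts)
{
    for (size_t i = 0; i < nkeys; i++) {
        if (keys[i].confidential) return 0;
        for (size_t m = 0; m < nmounts; m++)
            if (below_mountpoint(keys[i].name, conf_mounts[m])) return 0;
    }
    return 1;
}

/* Constructed sample data, not taken from a real configuration. */
static const DemoKey PLAIN[]   = {{"user/app/name", 0}, {"user/app/secrets2/hint", 0}};
static const DemoKey MARKED[]  = {{"user/app/name", 0}, {"user/app/db/password", 1}};
static const DemoKey MOUNTED[] = {{"user/app/secrets/token", 0}};
static const char *const CONF_MOUNTS[] = {"user/app/secrets"};

int main(void)
{
    printf("plain:   %d\n", may_cache(PLAIN, 2, CONF_MOUNTS, 1));
    printf("marked:  %d\n", may_cache(MARKED, 2, CONF_MOUNTS, 1));
    printf("mounted: %d\n", may_cache(MOUNTED, 1, CONF_MOUNTS, 1));
    return 0;
}
```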
