New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide a method for cryptographic verification of source code #9740
Comments
Wouldn't it be possible to add the |
Harlan, how do some of the packages for our dependencies like https://salsa.debian.org/python-team/packages/python-cryptography handle this? Do they use the signed tags from GitHub and if so would you be able to do the same for us? If so, assuming that'd require you switch to pulling the source code from GitHub instead of PyPI, josepy should be easy, but this repo would require essentially downloading all the files in this monorepo and then Is that feasible and how hard is it to do? If that's the route we take, we may be able to help you with the transition. |
python-cryptography also used to use GPG signatures; right now, I believe Sandro simply chose to do nothing and trust in TLS to secure the connection. That's certainly an option, especially if there was a semi-out-of-band method for me to check hashes or something. We could also look at switching to github releases. I've been hesitant to do that for a while now, mostly because of the absolute pain in the ass it was to try and get it to work when I last tried. Admittedly though, that was back in 2015, and python packaging has come a ways since then. I could try playing around with it again, if that's the direction you'd like to see it move in. It would mean re-creating a 1:1 link between the versions of all the different plugins again, which I know is something else that y'all have wanted. Let me try and mess around a bit with the packaging and see how much suffering it would be to get pybuild to support building the monorepo. |
There were some issues with the stability of source archives in the past, so if you want to use GitHub releases, it would probably be better to generate a source archive as an artifact from CI. Reading further, you can also download a tarball of a specific commit. |
Indeed we could leverage the CI capacities and Github releases. My preference would go to improve the release pipeline to create a signed Github release, publish the sdists of each package as assets of this release + a txt file containing the checksums of each sdist. (NB: the signed windows installer is already published with this approach) |
I certainly haven't forgotten about this, but I've been busy with other stuff. I'll write a much more thoughtful response soon but I wanted to give a quick update here to let you all know that this was still on my radar. |
After thinking about this a bit, some options I've considered are:
Harlan, I'd love to hear which of these options you prefer or if you have different ideas once you get a chance to play around with things and give it a think. I don't really have a good sense for what Debian policies/tooling makes easy or difficult here. |
Hi Brad,
In order of least work to most, it's probably 3, 4, 1, 2. There's some
tooling already for signed SHA256sums files that I could leverage, as well
as tools for signed sdist's.
I definitely acknowledge that the juice may not be worth the squeeze here.
Theoretically, Debian developers are supposed to be reviewing the changes
on package updates manually, which could theoretically make it more
difficult for someone to slip malware in, but... that's a very shallow form
of security. For me, the biggest advantage comes from the users having to
trust _me_ less. Between reproducible builds, source-only uploads, and the
signature chain, the only way for me to influence certbot would be changes
to the debian packaging itself -- which is far, far harder to hide
something in than the source code. Certainly not impossible, but more
difficult.
Which of these would be the least suffering for y'all?
Sincerely,
--
Harlan Lieberman-Berg
~hlieberman
|
What's easier for you about 3 than 4? Is it the inclusion of the sdists in the GitHub release? On reread, I'm also not exactly sure what Adrien had in mind in 3 about signing. Would we continue to sign each sdist, the checksum file, and/or something else entirely? I'm not aware of a way to sign a GitHub release in its entirety including additional assets added after the fact like the sdists. What signature(s) would work best for you Harlan? 1 is the least suffering technically, but it's probably the most painful ethically, socially, spiritually, etc. 🙃 I imagine we can come up with something like 3 or 4 that everyone is more or less happy with. |
To clarify my 3, what I have in mind is something like this: https://github.com/traefik/traefik/releases So a signed GitHub release, with an additional asset taking the form a This is basically 4 + the released PyPI sdists/wheels in GitHub directly. On that matter, from a packaging perspective, I think it becomes more interesting to keep using a single source, and so drop PyPI entirely in favor of GitHub releases to fetch the sdists. You get as a bonus to being able to check the release you pull (it is also signed) during the packaging process itself. |
Thanks for clarifying. Would we also have something like |
Yes you are right and I took Traefik just as an example. The point is to rely on operations on the CI and publish additional assets on the GitHub release. From there we follow the most suitable approach for a OS packaging, which is most likely what is described in https://wiki.debian.org/Creating%20signed%20GitHub%20releases. Please note that the natural way with So at the end, we would get a signed GitHub release, with an sdist (+ wheels ?) asset + an asc file for each asset. |
I wasn't trying to score debate points or something by nitpicking the traefik example. Sorry if it came across that way. I was just trying to understand what you were thinking about how signing could/should work for us. I think I prefer the single signed checksum file approach to reduce the number of assets. It's an approach used by Debian themselves and Harlan says there's already some tooling he can leverage for it. I also think we should skip uploading wheels as GitHub assets for now for the same reason, but we can change either or both of these things if the need arises. If anyone has a problem with this plan, especially Harlan (since this is mainly being done for his needs as the Debian package maintainer), please let me know! I doubt we'll have this for our next release (which I suspect isn't a huge deal as I think we'll have time for more releases before the next Debian or Ubuntu packaging freeze), but I do think that we should prioritize this work soon and I will make sure that happens. |
Ubuntu 24.04 freeze is scheduled for February 29th[1]. If we want a version newer than 2.1.0 frozen in Ubuntu 24.04 for the next 5+ years, we should try to resolve this well before then so Harlan has time to update tooling on his end and do a Debian release. |
I'd definitely like to get this done sooner than later, @bmw. Just got a ping on a downstream bug asking for an update, actually. If we need to get to a better version soon, we could work something out as a one-off. I'd be happy to accept a GPG signed email with a verification of the hashes from you or another one of the devs, lacking a permanent solution. |
@hlieberman here's a tarball of the release signatures for each package Edit:
|
starting with our next release, all source code tarballs will be included in our github release along with a SHA256SUMS and SHA256SUMS.asc file using our same signing keys. please let us know if you have any trouble with this harlan |
Seems perfect to me! I'll open a Debian bug to move the watch files for
everything over.
Sincerely,
--
Harlan Lieberman-Berg
~hlieberman
|
With the demise of PGP signatures on PyPi, there is no longer an easy way to verify the upstream source prior to pulling it into Debian.
I'd like to figure out some solution to deal with this, even if it's some hacky method of having someone send me a signed email with a hash of the code.
The text was updated successfully, but these errors were encountered: