Signer really needs to run on the server?

[adrelanos]

Some time ago on the mailing list you told me, that the singer needs to run on the server. This is a limitation, since http hosting is cheaper (sourceforge) than shell hosting.

So wouldn't it be possible to run the singer locally and then just upload with rsync?

This is probably just a ticket for documentation.

[JustinCappos]

I may be a little confused about what you are referring to.

For the main repository data:
Different parties sign different things. We need to keep a few keys on
the repo to assert timeliness of data. These need to be located there and
will sign metadata locally. If this isn't done, then could use something
like HTTPS to give similar (but weaker) guarantees.

For an individual developer:
Of course, developers will themselves have keys they use to sign their
packages. Those will never be added to the server. So in this case the
developer can do exactly as you suggest and simply upload the packages and
signed metadata.

Thanks,
Justin

[trishankkarthik]

@adrelanos : No, I do not think that the new signer tools, at least, have to run on the server. My colleague @Vladdd is currently working on making them even better: the signer tools will be broken down into completely stand-alone, individual pieces so that each role can its job without requiring any other role to be physically present on the same machine.

[trishankkarthik]

I should mention that @Vladdd has written tools to push metadata from your machine to a remote one via scp.

[JustinCappos]

I think I understand the confusion now. Essentially,
@adrelanoshttps://github.com/adrelanos is
asking if a developer can add their packages to a public website without
providing timestamp, release, etc. metadata and have TUF use these? If
so, what guarantees does TUF provide and how does it do so?

Is this what you're asking?

Thanks,
Justin

On Tue, Jul 30, 2013 at 9:36 AM, Trishank Karthik Kuppusamy <
notifications@github.com> wrote:

I should mention that @Vladdd https://github.com/vladdd has written tools
to push metadata from your machine to a remote one via scphttps://github.com/theupdateframework/tuf/tree/master/tuf/pushtools
.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/78#issuecomment-21790932
.

[adrelanos]

Maybe. Let me try to explain with an example.

For example I am hosting an APT repository on sourceforge.net. I am not
allowed to use cron there. The tool for repository creation (reprepro)
runs on my local machine. I create and sign the repository on my local
machine, then upload to sourceforge.

When the valid-until field is about to expire, I resign the repository
on my local machine again and upload the repository again.

Cons:

• less convenient

Pro:

• no software required on the server
• no signing keys required on the server

I was wondering, if I could similarly use TUF.

[JustinCappos]

Yes, this should work for TUF without issue.

The only thing that may be complicated is how TUF handles multiple repos
(which will be a requirement eventually anyways).

Justin

On Tue, Jul 30, 2013 at 11:30 AM, adrelanos notifications@github.comwrote:

Maybe. Let me try to explain with an example.

For example I am hosting an APT repository on sourceforge.net. I am not
allowed to use cron there. The tool for repository creation (reprepro)
runs on my local machine. I create and sign the repository on my local
machine, then upload to sourceforge.

When the valid-until field is about to expire, I resign the repository
on my local machine again and upload the repository again.

Cons:

• less convenient

Pro:

• no software required on the server
• no signing keys required on the server

I was wondering, if I could similarly use TUF.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/78#issuecomment-21799297
.

[trishankkarthik]

@adrelanos : Let us know we have answered your questions. Otherwise we will consider the issue closed.

[adrelanos]

Answered. Thank you!

[trishankkarthik]

You're welcome!