From: Dave Taht <dave.taht@gmail.com>
To: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: [Cerowrt-devel] signed packages
Date: Fri, 13 Dec 2013 15:34:49 -0800 [thread overview]
Message-ID: <CAA93jw7KSPfc_bWwAtCcp8oZuesLXVAxB1DQvNoxxfaDuGK3OQ@mail.gmail.com> (raw)
so whilst we sort out what broke in the last couple builds (and please
don't install them on anything you care about!) I'd wanted to mention
something that has been in place for a while. Stephen walker did the
original work ages ago, and the ohgf folk picked it up and tested it
and helped get it into the openwrt mainline recently (Evan hunt,
steven barth, others)
Package signing has been a feature that has helped make the mainline
linux distros much more secure and it much safer to do things like
mirror package databases and yet avoid malign updates.
Now, I'm not terribly clear on how it all works in openwrt, but it can
be enabled at least, now, with adding the following lines to
/etc/opkg.conf
option check_signature 1
option signature_ca_file /etc/ssl/certs/opkg.pem
root@CMTS:/# opkg update
Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.24-1/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/vancouver.
Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.24-1/packages/Packages.sig.
Signature check passed.
Package signing does not save you from versioning errors, however.
# opkg update
Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.17-6/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/vancouver.
Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.17-6/packages/Packages.sig.
Signature check passed.
But it should make it more possible to be assured that the package you
are adding or updating was indeed from the maintainer or vendor making
the product. There is support for multiple signing keys and multiple
repositories.
Future versions of cero will be signed.
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
reply other threads:[~2013-12-13 23:34 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA93jw7KSPfc_bWwAtCcp8oZuesLXVAxB1DQvNoxxfaDuGK3OQ@mail.gmail.com \
--to=dave.taht@gmail.com \
--cc=cerowrt-devel@lists.bufferbloat.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox