From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id D829221F1F7 for ; Fri, 13 Dec 2013 15:34:49 -0800 (PST) Received: by mail-ie0-f182.google.com with SMTP id as1so3846913iec.27 for ; Fri, 13 Dec 2013 15:34:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=2YxzDtQXOd0MAk+ra8iOdpBeuuoj2FvBC5saH4jKjPs=; b=qstwZcZuEYeWvuptZhQpVMjPrWElXEzHiCDqG1T8BQa85zBNKdFokTmth8CS0kmkku HaZ/mWTR0s9fnrWEPz6kZITl/xI8M5clguDJkNDmRANTbsUISfTShSt3qnf3VyoNvBTC TKHp+Tpk5vJc3nOv5+h+eEHb9ykYIme7hav6ZRiWtZnQAkD6LIcpXbX6wPO6YUZ89+HC U13FK9vrveB4cF/vO4/78ekLWozc0vMRUOT62YUjc55c/7VSWvwSfYMVVUvukuTnWNDe Jk1HS6Vdj1dKvAY7krgC369rNTLKlAuQu/4m7Idfm6mMQYJavvkIEiD78w3vQCajHLv+ OQWw== MIME-Version: 1.0 X-Received: by 10.50.225.39 with SMTP id rh7mr5088004igc.10.1386977689201; Fri, 13 Dec 2013 15:34:49 -0800 (PST) Received: by 10.64.145.67 with HTTP; Fri, 13 Dec 2013 15:34:49 -0800 (PST) Date: Fri, 13 Dec 2013 15:34:49 -0800 Message-ID: From: Dave Taht To: "cerowrt-devel@lists.bufferbloat.net" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: [Cerowrt-devel] signed packages X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Dec 2013 23:34:50 -0000 so whilst we sort out what broke in the last couple builds (and please don't install them on anything you care about!) I'd wanted to mention something that has been in place for a while. Stephen walker did the original work ages ago, and the ohgf folk picked it up and tested it and helped get it into the openwrt mainline recently (Evan hunt, steven barth, others) Package signing has been a feature that has helped make the mainline linux distros much more secure and it much safer to do things like mirror package databases and yet avoid malign updates. Now, I'm not terribly clear on how it all works in openwrt, but it can be enabled at least, now, with adding the following lines to /etc/opkg.conf option check_signature 1 option signature_ca_file /etc/ssl/certs/opkg.pem root@CMTS:/# opkg update Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.24-1= /packages/Packages.gz. Updated list of available packages in /var/opkg-lists/vancouver. Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.24-1= /packages/Packages.sig. Signature check passed. Package signing does not save you from versioning errors, however. # opkg update Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.17-6= /packages/Packages.gz. Updated list of available packages in /var/opkg-lists/vancouver. Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.17-6= /packages/Packages.sig. Signature check passed. But it should make it more possible to be assured that the package you are adding or updating was indeed from the maintainer or vendor making the product. There is support for multiple signing keys and multiple repositories. Future versions of cero will be signed. --=20 Dave T=E4ht Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.= html