Re: Making gpgme dependency optional



On Thu, Jun 1, 2017, at 09:29 AM, Jussi Laako wrote:
> Hi,
>
> We would be interested to hear if there are any plans to change the
> gpgme dependency? At the moment gpgme pulls in GPLv3 software and also
> causes some performance issues when used with bigger distribution builds.

See https://github.com/ostreedev/ostree/commit/187e8d632ec5cded532fe652fdcdd91d2e95ae31

I'm fine making it optional again...it probably wouldn't be *too* hard
but a few things:

> To approach these challenges, I've been thinking about adding an
> alternative, build-time configure option to support PKCS#7 signatures
> and X.509 keys. This could be implemented using the GnuTLS library, which
> has support for both PKCS#7 and of course X.509 keys/PKCS#12 (certificates).

Hm, well I'd been thinking of using ed25519; see:
https://github.com/ostreedev/ostree/commit/df5cbc9be9bb25c6eaeff12db9727d1ba28118a1

So if we started using GnuTLS directly that'd bring us back to two crypto
libraries (well, depending on what your libcurl is linked against - in Fedora
at least it's OpenSSL now).

Now on ed25519 vs X.509...this quickly links into the other discussion on
the list that Phillip started around repository identity and GPG keys.  That's
going to link even more to GPG.

And (to repeat again) I've been pushing for using "CA-pinned TLS" for metadata.
Which isn't the same thing as signing, but all of that code is already written
in libcurl/libsoup.  Introducing ed25519 signatures has the advantage of
simplicity - and I love the small key sizes that one gets with ECC.  ed25519
is already used by Alpine and OpenBSD at least.

I am personally not as familiar with using X.509 outside of a TLS context
and what that would involve.

> GnuTLS also has some support for OpenPGP keys in addition to
> PKCS#11 and TPM keys. So this could also allow some expansion towards
> other key types, which I need to study more.

The GnuTLS support for TPM chips is definitely cool.

> Before starting to work on the code, I would like to hear your opinion
> and feedback on these thoughts and whether this could be acceptable for
> inclusion in ostree.

Definitely - but let's have some design discussions here first.  Is your
primary goal dropping the GPLv3 dependency, or is it using X.509 because
your organization has tooling/keys in that form instead of GPG?
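
Added example, not ostree's code and not from either poster: a Go sketch of the ed25519 scheme weighed above, signing a constructed commit payload and verifying it against a set of pinned public keys. The payload, the hex pinned-key format and the function names are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for a serialized ostree commit object; a real
// implementation would sign the commit object bytes as stored in the repo.
const sampleCommit = "tree=0123abcd parent=89ef4567 subject=\"release 2017.6\""

// signCommit returns a detached ed25519 signature over the commit bytes.
func signCommit(priv ed25519.PrivateKey, commit []byte) []byte {
	return ed25519.Sign(priv, commit)
}

// parsePinnedKey decodes a hex-encoded 32-byte public key, the form one might
// keep in a client-side trust configuration (hypothetical format, not ostree's).
func parsePinnedKey(h string) (ed25519.PublicKey, error) {
	raw, err := hex.DecodeString(h)
	if err != nil {
		return nil, err
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("pinned key is %d bytes, want %d", len(raw), ed25519.PublicKeySize)
	}
	return ed25519.PublicKey(raw), nil
}

// verifyCommit accepts the commit if any pinned key validates the signature,
// mirroring a keyring lookup where several signers may be trusted.
func verifyCommit(pinned []ed25519.PublicKey, commit, sig []byte) bool {
	for _, pub := range pinned {
		if ed25519.Verify(pub, commit, sig) {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := signCommit(priv, []byte(sampleCommit))
	pinned, _ := parsePinnedKey(hex.EncodeToString(pub))
	fmt.Printf("key %d bytes, signature %d bytes, valid=%v\n",
		len(pub), len(sig), verifyCommit([]ed25519.PublicKey{pinned}, []byte(sampleCommit), sig))
}
```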

