Re: Making gpgme dependency optional
- From: Colin Walters <walters verbum org>
- To: ostree-list gnome org
- Subject: Re: Making gpgme dependency optional
- Date: Thu, 01 Jun 2017 15:30:43 -0400
On Thu, Jun 1, 2017, at 11:02 AM, Jussi Laako wrote:
On 01.06.2017 17:13, Colin Walters wrote:
Introducing ed25519 signatures has the advantage of
simplicity - and I love the small key sizes that one gets with ECC. ed25519
is already used by Alpine and OpenBSD at least.
Yes, ed25519 is already used in many places like OpenBSD's signify, but
it alone doesn't address the key management things so it is kind of
partial solution needing a bit more implementation for the surrounding
infra.
Right. Though for *this* use case of signatures, as the OpenBSD signify "paper"[1]
talks about, there's already an implicit extra channel to "manage"/change
keys because it's a software update mechanism, and one can just include
the new keys in the software content itself.
(This is more for the ostree-as-host case; the ostree-for-containers i.e. flatpak
is inherently different as the update system runs *outside* of the apps,
and that drove the flatpak decision to have the keys live externally)
I am trying to avoid OpenSSL in combination with (L)GPL projects due to
license incompatibility.
At least for Fedora:
https://lists.fedoraproject.org/archives/list/devel lists fedoraproject
org/message/CWVLCRELXWLH3Q45ZZUCCHT3JQB6CF3J/
Direct link: https://fedoraproject.org/wiki/Licensing:FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F
I'll admit I don't fully understand how that exemption is created. Does
one just need sufficient "stature" to declare it? Some legal equivalent of
sitting in the captain's chair and saying "make it so"?
But actually, is there really a problem with OpenSSL and the *L*GPL (which
is what ostree is under?)
Key management in all contexts similar/same. For example Microsoft
Authenticode code signing uses X.509 certificates. For simpler case one
can use for example self-signed certificates. Only major difference to
OpenPGP key signing is use of separate CA keys for key signing. Just
more authoritarian structure.
PKCS#7 and related S/MIME use these certificates too. X.509 is pretty
generic for any public key crypto with a model for key trust and management.
Basically I don't have a lot of experience with that. On the other
hand use of GPG is pretty well understood in this domain - it's
used by a lot of the free OSes.
Are there any references for systems that use X.509 for software
updaters besides Authenticode?
But overall, I think we would be happy with ed25519 too. If it means
more crypto specific code inside ostree it would just need more security
review on our side though. Not necessarily any problem.
In the short term I'd definitely review patches to make GPG fully optional
if that's useful. Possibly even help write them if it aided ostree adoption
in a new place. But adding a new key scheme though I'd need to leave to someone
who wants to actively drive it. I can't say that I can do that right now myself
for either ed25519 or X.509.
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]