Re: Making gpgme dependency optional

From: Colin Walters <walters verbum org>
To: ostree-list gnome org
Subject: Re: Making gpgme dependency optional
Date: Thu, 01 Jun 2017 15:30:43 -0400

On Thu, Jun 1, 2017, at 11:02 AM, Jussi Laako wrote:

On 01.06.2017 17:13, Colin Walters wrote:

Introducing ed25519 signatures has the advantage of
simplicity - and I love the small key sizes that one gets with ECC.  ed25519
is already used by Alpine and OpenBSD at least.


Yes, ed25519 is already used in many places like OpenBSD's signify, but 
it alone doesn't address the key management things so it is kind of 
partial solution needing a bit more implementation for the surrounding 
infra.


Right.  Though for *this* use case of signatures, as the OpenBSD signify "paper"[1]
talks about, there's already an implicit extra channel to "manage"/change
keys because it's a software update mechanism, and one can just include
the new keys in the software content itself.

(This is more for the ostree-as-host case; the ostree-for-containers i.e. flatpak
 is inherently different as the update system runs *outside* of the apps,
 and that drove the flatpak decision to have the keys live externally)

I am trying to avoid OpenSSL in combination with (L)GPL projects due to 
license incompatibility.


At least for Fedora:
https://lists.fedoraproject.org/archives/list/devel lists fedoraproject 
org/message/CWVLCRELXWLH3Q45ZZUCCHT3JQB6CF3J/
Direct link: https://fedoraproject.org/wiki/Licensing:FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F

I'll admit I don't fully understand how that exemption is created.  Does
one just need sufficient "stature" to declare it?  Some legal equivalent of
sitting in the captain's chair and saying "make it so"?

But actually, is there really a problem with OpenSSL and the *L*GPL (which
is what ostree is under?)

Key management in all contexts similar/same. For example Microsoft 
Authenticode code signing uses X.509 certificates. For simpler case one 
can use for example self-signed certificates. Only major difference to 
OpenPGP key signing is use of separate CA keys for key signing. Just 
more authoritarian structure.

PKCS#7 and related S/MIME use these certificates too. X.509 is pretty 
generic for any public key crypto with a model for key trust and management.


Basically I don't have a lot of experience with that.  On the other
hand use of GPG is pretty well understood in this domain - it's
used by a lot of the free OSes.

Are there any references for systems that use X.509 for software
updaters besides Authenticode?

But overall, I think we would be happy with ed25519 too. If it means 
more crypto specific code inside ostree it would just need more security 
review on our side though. Not necessarily any problem.


In the short term I'd definitely review patches to make GPG fully optional
if that's useful.  Possibly even help write them if it aided ostree adoption
in a new place.  But adding a new key scheme though I'd need to leave to someone
who wants to actively drive it.  I can't say that I can do that right now myself
for either ed25519 or X.509.

Follow-Ups:
- aside about OpenSSL + (L)GPL (was Re: Making gpgme dependency optional)
  - From: Robert McQueen

References:
- Making gpgme dependency optional
  - From: Jussi Laako
- Re: Making gpgme dependency optional
  - From: Colin Walters
- Re: Making gpgme dependency optional
  - From: Jussi Laako

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]