Storing collection ref (collection ID + ref) in the commit metadata

[Krzesimir Nowak <krzesimir kinvolk io>]

Hi,

I'm working on implementing storing of the collection ref in the
commit metadata. The point of this work is that if we’re going to
support inline signatures in summary files, the metadata in commits
needs to point back to the refs, so that an attacker can’t change the
checksums around between refs in a summary file.

So in the beginning two questions came to my mind (and got some
answers from Philip which I'm going to use here):

1. Where should we store the collection ref? In commit metadata or in
detached metadata?

Storing it in commit metadata means that the collection ref is signed
as a part of the commit, so we can trust it from the start. But it
also means that we need to specify the collection ref from the
beginning and it can never change (that would change the commit's
checksum) - that makes the --orphan flag a whole lot less useful. Also
it is not fine when ostree refs have discontinuous history (ref
pointed to commit 1, then later it points to commit 2 which is not a
child of commit 1, so commit 1 is not a part of ref's history).

Storing it in detached metadata means we need to sign it ourselves
inline (the signature would be made based probably on a triplet of
commit checksum, collection ref and a timestamp of modification). Also
it may be possible that MITM can just strip it from detached metadata
and pass it further, but I haven't thought too much on this attack (it
would cause the client to discard the commit when pulling if it
requires the collection ref to exist in metadata). Also, it could be
possible to change detached metadata to update the collection ref if
there is need (unless there is some assumption about detached metadata
being immutable after creation?).

2. Where should the collection ref come from?

Clearly, the API for writing metadata is either
ostree_repo_write_commit or
ostree_repo_write_commit_detached_metadata, depends on where we decide
to store the information. I was just wondering where should we take
the collection ref from? From parent commit? If there's none such (or
it does not have the collection ref in metadata) then it would be from
the repo's collection id and some given ref? Or we should simply add
some flags to the "ostree commit" command that allow specifying the
collection ref?

-- 
Kinvolk GmbH | Adalbertstr. 6a, 10999 Berlin
Geschäftsführer/Directors: Alban Crequy, Chris Kühl, Iago López Galeiras
Registergericht/Court of registration: Amtsgericht Charlottenburg
Registernummer/Registration number: HRB 171414 B
Ust-ID-Nummer/VAT ID number: DE302207000