Re: Storing collection ref (collection ID + ref) in the commit metadata

[Krzesimir Nowak <krzesimir kinvolk io>]

On Tue, Jun 20, 2017 at 5:33 PM, Krzesimir Nowak <krzesimir kinvolk io> wrote:
> Hi,
>
> I'm working on implementing storing of the collection ref in the
> commit metadata. The point of this work is that if we’re going to
> support inline signatures in summary files, the metadata in commits
> needs to point back to the refs, so that an attacker can’t change the
> checksums around between refs in a summary file.
>
> So in the beginning two questions came to my mind (and got some
> answers from Philip which I'm going to use here):
>
> 1. Where should we store the collection ref? In commit metadata or in
> detached metadata?
>
> Storing it in commit metadata means that the collection ref is signed
> as a part of the commit, so we can trust it from the start. But it
> also means that we need to specify the collection ref from the
> beginning and it can never change (that would change the commit's
> checksum) - that makes the --orphan flag a whole lot less useful. Also
> it is not fine when ostree refs have discontinuous history (ref
> pointed to commit 1, then later it points to commit 2 which is not a
> child of commit 1, so commit 1 is not a part of ref's history).
>
> Storing it in detached metadata means we need to sign it ourselves
> inline (the signature would be made based probably on a triplet of
> commit checksum, collection ref and a timestamp of modification). Also
> it may be possible that MITM can just strip it from detached metadata
> and pass it further, but I haven't thought too much on this attack (it
> would cause the client to discard the commit when pulling if it
> requires the collection ref to exist in metadata). Also, it could be
> possible to change detached metadata to update the collection ref if
> there is need (unless there is some assumption about detached metadata
> being immutable after creation?).
>
> 2. Where should the collection ref come from?
>
> Clearly, the API for writing metadata is either
> ostree_repo_write_commit or
> ostree_repo_write_commit_detached_metadata, depends on where we decide
> to store the information. I was just wondering where should we take
> the collection ref from? From parent commit? If there's none such (or
> it does not have the collection ref in metadata) then it would be from
> the repo's collection id and some given ref? Or we should simply add
> some flags to the "ostree commit" command that allow specifying the
> collection ref?

So I have a (strawman for now and untested) branch implementing
storing collection ref in detached metadata -
https://github.com/kinvolk/ostree/tree/krnowak/collection-ref-in-commit-metadata-T17610

I had some followup questions about the implementation:
1. Do we want to store not one collection ref, but many of them in the
commit metadata? I wasn't sure whether we should allow for many
collection refs there or rather for one collection id and many refs.
Philip argued for the former.
2. As a part of the metadata we store the timestamp, which tells when
this particular piece of metadata was modified. I guess that the only
useful check we can perform with it is to compare it with the
timestamp from the older detached metadata of the commit (if we had it
before). Anything else comes to your mind?
3. I wasn't sure if we want to bail out when the detached metadata is
invalid or just skip this commit. Bailing out is easier, so this is
what I went with for now.
4. If we set the collection ref for a commit, should we also set it
for all its parent commits too?

> --
> Kinvolk GmbH | Adalbertstr. 6a, 10999 Berlin
> Geschäftsführer/Directors: Alban Crequy, Chris Kühl, Iago López Galeiras
> Registergericht/Court of registration: Amtsgericht Charlottenburg
> Registernummer/Registration number: HRB 171414 B
> Ust-ID-Nummer/VAT ID number: DE302207000



-- 
Kinvolk GmbH | Adalbertstr. 6a, 10999 Berlin
Geschäftsführer/Directors: Alban Crequy, Chris Kühl, Iago López Galeiras
Registergericht/Court of registration: Amtsgericht Charlottenburg
Registernummer/Registration number: HRB 171414 B
Ust-ID-Nummer/VAT ID number: DE302207000