On Tue, 23 Mar 2004, Dimitrie O. Paun wrote:
> The rest is just a matter of agreeing what to put where and how to register new binaries.
[Sorry, I was just meaning this was perhaps drifting OT for wine-devel]
> I thought Brian told you already how we're going to do this.
Yes, I was told, but it could be made more secure without that much effort now that the .zip files are being signed ... but it's detail that could be hammered out without wasting wine-devel bandwidth.
[...snip...]
> -- store the MD5SUM key that you've computed into a sister file with the name winetest-<YYYYMMDDhhmm>.zip.cookie. Its URL will be: http://theserver/path/winetest-<YYYYMMDDhhmm>.zip.cookie
This is redundant with the (detached) signatures. But, just s/.cookie/.sig/ and it works the same.
BTW, we can't just store the md5sums on the web page as DNS poisoning would subvert the security. Using signed binaries means we're secure (I think ;) except for replay attacks and someone breaking into quisquiliae. The former is ameliorated by checking that the .ZIP file's creation date is reasonable, but the latter is an inherent risk.
> Still to be decided:
> [...snip...]
> B. I guess that the GPG signature will go into the .zip file as an ASCII file. How do we name that? I would prefer something like 'winetest-<YYYYMMDDhhmm>.asc' or somesuch.
I'm currently signing the whole .zip file as a detached signature. Like with the md5sum .cookie idea, but called .sig. Anyone should be able to verify it with: gpg --verify winetest-<date>.zip.sig (with winetest-<date>.zip in cwd).
If it passes, you know (with some certainty) that it came from the auto-build machine.
> C. You need to tell us _exactly_ what the 'http://theserver/path/' is going to be. We need to store that on the WineHQ end to protect against others doing nasty stuff with our distribution system. :)
By all means, but it's redundant if the .ZIP file is signed.
[using signed binaries]
> Sounds good. Having it signed is a good idea, and you can go ahead and implement it. It may take us a bit longer to actually check the signature, but that's a different matter.
Hmmm, probably about the same speed. AFAIK, gpg uses md5sums internally (within signatures), so it's the time taken to decrypt an md5sum in the signature, calculate the md5sum of the .ZIP file and compare the two.
> > Just as an aside, when do people in the US change their clocks? Everyone in the EU is changing to DLS-time (BST in the UK) this Sunday.
> Does it matter? Is UTC dependent on the daylight savings time?
AFAIK, cron uses local time. If US jumps at a different time, there may be additional headaches :^/
---- Paul Millar
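The two checks discussed in this mail (verify the detached .sig, then reject builds whose date is not "reasonable" as a replay guard) as a worked example; this is an added illustration, not code from the thread or from the WineHQ/winetest tooling. It assumes the build time is taken from the <YYYYMMDDhhmm> part of the file name and is in UTC; the freshness window and the `keyring` argument are made-up parameters.

```python
import os
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Name layout used in the thread: winetest-<YYYYMMDDhhmm>.zip
_NAME_RE = re.compile(r"^winetest-(\d{12})\.zip$")


def build_time_from_name(zip_name):
    """Return the build timestamp encoded in the .zip name (assumed UTC), or None if malformed."""
    m = _NAME_RE.match(zip_name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    except ValueError:  # e.g. month 13 or hour 25
        return None


def is_reasonable_build_time(zip_name, now, max_age=timedelta(days=2), clock_skew=timedelta(hours=1)):
    """Replay guard: reject a build that is older than max_age or dated further ahead than clock_skew.

    Caveat: a detached signature covers only the .zip contents, not its file name, so a
    stale-but-validly-signed archive renamed to a fresh timestamp would pass this check;
    the date inside the archive (zip entry timestamps) is what the signature actually binds.
    """
    built = build_time_from_name(zip_name)
    if built is None:
        return False
    return now - max_age <= built <= now + clock_skew


def verify_signed_build(zip_path, sig_path, now=None, keyring=None):
    """Accept a build only if its date is reasonable AND gpg verifies the detached signature.

    Equivalent to the thread's 'gpg --verify winetest-<date>.zip.sig' with the .zip beside it;
    keyring (assumed parameter) restricts trust to the auto-build machine's public key.
    """
    now = now or datetime.now(timezone.utc)
    if not is_reasonable_build_time(os.path.basename(zip_path), now):
        return False
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += [sig_path, zip_path]
    # gpg exits non-zero on a bad or unknown-key signature; no stdout parsing needed.
    return subprocess.run(cmd, capture_output=True).returncode == 0
```

`verify_signed_build` needs a gpg binary and the builder's public key imported (or passed via `keyring`); the freshness checks run stand-alone.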