#archlinux32 | Logs for 2023-06-20

[00:18:19] -!- sunshavi has quit [Remote host closed the connection]
[00:57:31] -!- sunshavi has joined #archlinux32
[04:59:49] -!- n0tiz has quit [Quit: Bye]
[04:59:50] -!- n0tiz- has joined #archlinux32
[06:28:29] -!- lithiumpt has quit [Ping timeout: 240 seconds]
[06:29:04] -!- lithiumpt has joined #archlinux32
[07:13:13] -!- JerryXiao has quit [Quit: Bye]
[07:15:34] -!- JerryXiao has joined #archlinux32
[07:38:00] -!- sunshavi has quit [Ping timeout: 240 seconds]
[16:18:56] -!- drathir_tor has quit [Ping timeout: 240 seconds]
[16:26:25] -!- drathir_tor has joined #archlinux32
[16:48:12] -!- drathir_tor has quit [Remote host closed the connection]
[16:53:35] -!- drathir_tor has joined #archlinux32
[16:54:03] <KitsuWhooa> two of my builders seem stuck trying to download the source for pdnsd
[16:56:28] <KitsuWhooa> hedgedoc also seems stuck
[17:16:34] <KitsuWhooa> and now they're all stuck trying to acquire the lock :p
[18:20:12] -!- titus_livius has quit [Ping timeout: 240 seconds]
[18:21:22] -!- titus_livius has joined #archlinux32
[18:21:45] <bill-auger> IMHO, the default should be 'N'; but it's not - so now my build chroot has that key installed - can someone verify it ?
[18:22:30] <KitsuWhooa> Yes
[18:22:32] <KitsuWhooa> That is my key :p
[18:23:05] <bill-auger> it should be in the keyring? or no
[18:23:33] <KitsuWhooa> I mean, packages are signed with it
[18:23:42] <KitsuWhooa> if it's not in the keyring, then it's not trusted and packages can't be installed, no?
[18:23:44] <bill-auger> then it should be in the keyring
[18:24:27] <bill-auger> that is the problem - pacman default is to accept it 'Y' - if the user presses 'Y' it goes into the local keyring, so it can install the packages
[18:24:44] <KitsuWhooa> as far as I know, it's in archlinux32-keyring
[18:24:45] <bill-auger> but it should be in the keyring package - pacman should not ask to import it
[18:25:36] <bill-auger> you may want to look into that then - something is not quite right
[18:25:52] <KitsuWhooa> It worked for me when I updated my machine with it
[18:26:15] <KitsuWhooa> It complained about packages signed by me not being trusted, so I updated the package, and it started working
[18:26:20] <KitsuWhooa> it never asked me to import a key manually
[18:26:39] <bill-auger> not manually - it asks to press 'Y'
[18:27:01] <KitsuWhooa> you're still manually accepting it at that point
[18:27:08] <KitsuWhooa> did you update archlinux32-keyring first?
[18:27:13] <KitsuWhooa> if not, maybe that has something to do with it
[18:27:37] <bill-auger> if --noconfirm is passed, as in build chroots, it will simply accept the import
[18:28:10] <bill-auger> yes i installed the new keyring first, to try avoiding to import the key
[18:28:41] <KitsuWhooa> Yeah, I don't know then. Maybe abaumann or girls know what's up
[18:28:45] <bill-auger> i can try again in a VM - maybe it was just a quirk of our build system
[18:29:27] <bill-auger> ah i maybe know why - the build maybe using the host keyring
[19:12:08] -!- drathir_tor has quit [Ping timeout: 240 seconds]
[19:19:49] -!- drathir_tor has joined #archlinux32
[19:42:47] <girls> first: importing arbitrary keys into your pacman keyring is not dangerous (except for DoS'ing your keyring), it's "only" inconvenient, fragile and should be unnecessary
[19:44:00] <girls> last time, I checked, archbuild verified with the host keyring - that's why we have an archlinux32-keyring package in [releng]
[19:44:10] <girls> lemme check that one ...
[19:46:23] <girls> it looks alright
[20:05:34] <bill-auger> it is dangerous - if someone compromises the tier1 repo server, and drops in some malicious packages, pacman will ask users to import the key, then happily install the malicious package
[20:06:17] <bill-auger> it is _the_ very reason why there is a keyring package at all, blessed by a well-known distro key
[20:07:24] <bill-auger> s/tier1/tier0/
[20:09:33] <bill-auger> pacman only asks to import keys, which are _not_ blessed by the distro - users should be wary
[20:10:32] <bill-auger> i still have not checked my VM though - i could be raising a fuss about nothing
[20:17:08] <bill-auger> on second thought, i realized that it need not be the tier0 repo and it need not be compromised - any mirror operator could do it
[20:23:35] <bill-auger> i think that depends if pacman checks the signature of db files _and_ would never import a key that signed any db file - but the default "SigLevel = DatabaseOptional", does not check the db signatures, right?
[20:35:11] -!- bill-auger has quit [Remote host closed the connection]
[20:40:53] -!- bill-auger has joined #archlinux32
[20:49:27] <Foxboron> bill-auger: this isn't correct
[20:50:02] <bill-auger> plz explain if you like - i am not certain myself
[20:50:03] <Foxboron> A malicious mirror can drop in a package signed with a malicious key, pacman will try import it happily. However it is not signed by your local key
[20:50:18] <Foxboron> Until that malicious key is trusted by your local key, nothing happens
[20:50:49] <bill-auger> the malicious package is installed - that happens
[20:51:05] <Foxboron> Not at all, it will fail the validation check
[20:51:39] <bill-auger> ok so then why did pacman ask me to import the new key?
[20:51:58] <Foxboron> Because pacman is being user friendly. Importing does not imply anything else than just that, importing
[20:52:08] <Foxboron> the pacman keyring depends on transitive trust between the keys
[20:52:18] <bill-auger> presumably some package was in the upgrade set, and all packages did verify after importing the key
[20:52:43] <Foxboron> Then you are importing a key you are already trusting
[20:53:09] <bill-auger> ok so the keys in the keyring trusted the imported key
[20:53:40] <Foxboron> If it's a subkey of a known key, sure. But then it's not a malicious key
[20:53:57] <bill-auger> it's a new key from a new team member
[20:54:25] <Foxboron> Then you have transitive trust from a set of trusted keys, which your local key has attested trust towards
[20:54:34] <Foxboron> Again; not a malicious key
[20:55:00] <bill-auger> that trust could only be from a key in the arch32 keyring
[20:55:20] <Foxboron> Not from "a key", it is a key that the archlinux32-keyring has told you to trust
[20:55:24] <bill-auger> this is a clean build chroot - it only knows those keys
[20:56:38] <bill-auger> ok that sounds more reasonable; but it does demonstrate that the key pacman asked me to import can not be in the keyring, yes?
[20:57:16] <Foxboron> I can only give upstream Arch as an example as I cba to dig into how archlinux32 does their key setup
[20:57:16] <bill-auger> pacman would not have asked to import the key, if it was in the keyring, right?
[20:57:31] <Foxboron> If the subkey is missing it would ask you to import the key
[20:57:33] <Foxboron> https://archlinux.org <-
[20:57:34] <phrik> Title: Arch Linux - Master Signing Keys (at archlinux.org)
[20:57:49] <bill-auger> it is not a subkey - it's a new key from a new team member
[20:58:03] <Foxboron> the master key holders sign new keys. Your keyring is trusting those 5 keys and that gives transitive trust to the packager keys
[20:58:23] <Foxboron> if there is a new team member, or a new subkey has been added, pacman will prompt to import the key. If the key is trusted, package installation continues
[20:58:36] <Foxboron> if it's a malicious key (not signed by any trusted keys in the keyring), the validation fails
[20:58:52] <bill-auger> that cant be true - doesnt arch have new team members?
[20:59:07] <bill-auger> pacman has never asked me to import a key for an arch dev
[20:59:18] <Foxboron> That is because it's archlinux32 and they resign everything.
[20:59:30] <Foxboron> I'm telling you how this works from the perspective of upstream Arch, not archlinux32
[21:00:06] <bill-auger> im not referring to an arch32 system - i am referring to THE upstream arch keyring
[21:00:23] <bill-auger> we import that directly - we do not re-sign it
[21:01:12] <bill-auger> the only time pacman asks to import a key for an arch dev, that was because i had not yet upgraded the new keyring
[21:01:13] <Foxboron> Does archlinux32 ship packages signed by Arch Linux packagers?
[21:02:07] <bill-auger> i dont think so
[21:02:37] <Foxboron> Then our packager keys do not matter for archlinux32. I'm just giving the trust hierarchy as an example
[21:03:40] <bill-auger> i was not referring to an arch32 system - parabola uses the arch keyring and distributes some packages signed by arch devs
[21:04:10] <Foxboron> ¯\_(ツ)_/¯
[21:04:23] <bill-auger> using parabola, the only time pacman asks to import a key for an arch dev, is because i had not yet upgraded the new keyring
[21:04:24] <Foxboron> Then you are trusting master keys from Arch and the import stuff works as expected. I don't understand the confusion
[21:05:26] <bill-auger> that is usually a sign that i need to upgrade the new keyring - when i do that without importing the new key, it does not ask to import any keys
[21:06:12] <bill-auger> that is why i assume that pacman would not ask to import a key, if it was in the keyring
[21:06:48] <Foxboron> Unless there are new subkeys, sure
[21:07:18] <bill-auger> ok, so i think that the new arch32 team member's key is not in the keyring
[21:07:53] <Foxboron> ¯\_(ツ)_/¯
[21:07:56] <bill-auger> unless it was in the previous keyring, but now that dev is using a new subkey
[21:08:18] <Foxboron> I was only addressing the misconception that somehow making a malicious key and distributing a new signature would magically make pacman trust this
[21:08:39] <bill-auger> ok yea - thats good to know, thanks
[21:10:18] <bill-auger> is that the deal KitsuWhooa? - was your key already in the keyring before the current one 20230609 ? - and you have started signing with a new sub-key?
[21:10:43] <KitsuWhooa> it was not
[21:10:51] <KitsuWhooa> it is a fresh key
[21:11:02] <bill-auger> or maybe they added the master key to the keyring but not the subkey
[21:11:23] <KitsuWhooa> I don't have a master key
[21:11:26] <bill-auger> i just think it should not have asked to import it - there must be a way to avoid that
[21:11:28] <KitsuWhooa> https://buildmaster.archlinux32.org
[21:50:07] -!- sunshavi has joined #archlinux32