Packaging third-party applications (Was: Meta Toolchain Release (2008 May))

Andy Green andy at openmoko.com
Fri May 30 11:33:31 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Somebody in the thread at some point said:
| Pranav Desai wrote:
|> On Wed, May 28, 2008 at 5:49 PM, Rod Whitby <rod at whitby.id.au
|> <mailto:rod at whitby.id.au>> wrote:
|>     The usual way is to add the package to OpenEmbedded, and then add
|>     its name to the task-openmoko-feed.bb recipe so that it automatically
|>     gets built, packaged and deployed to the official download site.
|>
|> But wouldn't that mean writing a recipe for all packages that we want
|> to add?
|
| That is correct.
|
|> Many third party apps already have a makefile setup, why do you want
|> to change that ?
|
| Writing a recipe does not involve changing the existing Makefile. If the
| existing Makefile is written properly, then the recipe should be about 5
| lines long.
|
| But the major reason to do this is the one I gave below, which you
| didn't comment on.  Security and trust of third-party apps should be a
| very significant consideration for the Openmoko community.

Hey allow me to comment on it.  Openmoko doesn't break new ground in
having a distro, most of the issues furrowing brows here were solved
long ago in "proper distros" (and, if we directly used a proper distro
in the future, these issues would just magically work, but that's a
flamewar for another time).

Looking at Fedora, the solution is not to have a single point of fai- I
mean distribution and claim that this is especially "secure", the
solution is to crypto-sign the packages and have the public key on the
clients.  This is a very strong assertion you can trust -- no matter how
you came by the package -- that the holder of the private key authorized
the package build.  And indeed with that, Fedora gets to use a system of
mirror repos that are completely out of their control to distribute
their packages, but it is perfectly safe due to enforcement of sig
checking at the client.

Nor does it limit us to only having safe packages from "Mr Openmoko", if
we decide we want Pranav's packages we install his public key too and we
can safely eat packages from Pranav even if we found them on Usenet or
lying around on the street.  Anyone faking or meddling with Openmoko or
Pranav packages is SOL: when we try to install them they are rejected with
"package payload differs from signature" or "missing signature", etc.

- -Andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkg/yesACgkQOjLpvpq7dMpbEwCfbQdRVlXz5rvg4ByJx2/lxb3S
rKgAn1Vw6kFbEGhdBAqJ4+FlLTlZ2vMA
=4RrR
-----END PGP SIGNATURE-----
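
The scheme Andy describes above, as an added example that is not part of the original post and not Openmoko's, OpenEmbedded's or Fedora's code: a publisher signs a package with a private key, the client holds a keyring of publisher public keys, and at install time only the signature and the keyring decide, never the channel the package arrived by. It uses Ed25519 from Go's standard library in place of the GPG-signed RPMs Fedora actually uses; the publisher names "openmoko", "pranav" and "mallory", the package names and the payloads are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer is one package publisher (distro build host or individual packager).
// Only Pub is ever shipped to clients; priv stays on the build host.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for a publisher.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

// Package is what travels over the untrusted channel (mirror, Usenet, the
// street): payload, the id of the key that claims to have signed it, and a
// detached signature. A nil Signature means "unsigned".
type Package struct {
	Name      string
	Payload   []byte
	KeyID     string
	Signature []byte
}

// signedBytes is the exact byte string that gets signed. The package name is
// length-prefixed into it, so a valid signature over one package cannot be
// re-attached to a different package name carrying the same payload.
func signedBytes(name string, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("%d:%s:", len(name), name)), payload...)
}

// Sign runs on the publisher's build host and produces a signed package.
func (s *Signer) Sign(name string, payload []byte) Package {
	sig := ed25519.Sign(s.priv, signedBytes(name, payload))
	return Package{Name: name, Payload: payload, KeyID: s.Name, Signature: sig}
}

// The rejection reasons a client reports; the last two mirror the post.
var (
	ErrUntrustedKey     = errors.New("signed by a key not in the client keyring")
	ErrBadSignature     = errors.New("package payload differs from signature")
	ErrMissingSignature = errors.New("missing signature")
)

// Keyring is the set of publisher public keys this client has chosen to trust.
type Keyring map[string]ed25519.PublicKey

// Trust installs a publisher's public key: trust is per publisher, not per
// download channel.
func (k Keyring) Trust(name string, pub ed25519.PublicKey) { k[name] = pub }

// Verify is the install-time check. It never asks where the package came from.
func (k Keyring) Verify(p Package) error {
	if len(p.Signature) == 0 {
		return ErrMissingSignature
	}
	pub, ok := k[p.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pub, signedBytes(p.Name, p.Payload), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

func mustSigner(name string) *Signer {
	s, err := NewSigner(name)
	if err != nil {
		panic(err)
	}
	return s
}

func report(what string, err error) {
	if err == nil {
		fmt.Printf("%-36s install\n", what)
	} else {
		fmt.Printf("%-36s reject: %v\n", what, err)
	}
}

func main() {
	openmoko, pranav, mallory := mustSigner("openmoko"), mustSigner("pranav"), mustSigner("mallory")
	client := Keyring{}
	client.Trust(openmoko.Name, openmoko.Pub) // key shipped with the distro image

	// Package names and payloads below are constructed for this example.
	official := openmoko.Sign("task-openmoko-feed_0.1.ipk", []byte("official build"))
	report("official, fetched from any mirror", client.Verify(official))

	third := pranav.Sign("pranav-app_1.0.ipk", []byte("pranav's build"))
	report("Pranav's, key not yet trusted", client.Verify(third))
	client.Trust(pranav.Name, pranav.Pub) // the user decides to trust Pranav
	report("Pranav's, after trusting his key", client.Verify(third))

	tampered := official
	tampered.Payload = []byte("official build, plus a backdoor")
	report("official, payload meddled with", client.Verify(tampered))

	unsigned := official
	unsigned.Signature = nil
	report("official, signature stripped", client.Verify(unsigned))

	fake := mallory.Sign("task-openmoko-feed_0.1.ipk", []byte("fake build"))
	fake.KeyID = openmoko.Name // Mallory relabels his package as Openmoko's
	report("Mallory posing as Openmoko", client.Verify(fake))
}
```

The two things worth noticing are that the client code contains no notion of a download URL at all, which is what lets untrusted mirrors work, and that Mallory's package fails with the same "payload differs from signature" error as a tampered one: claiming a key id is free, but producing a signature that verifies under Openmoko's public key is not.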
