Win32 packages released on sourceforge

Paul Millar paulm at astro.gla.ac.uk
Tue Mar 23 14:21:45 CST 2004


On Tue, 23 Mar 2004, Dimitrie O. Paun wrote:
> > The rest is just a matter of agreeing what to put where and how to
> > register new binaries.

[Sorry, I was just meaning this was perhaps drifting OT for wine-devel]

> I thought Brian told you already how we're going to do this.

Yes I was told, but it could be made more secure without that much effort
now that the .zip files are being signed ... but it's detail that could be
hammered out without wasting wine-devel bandwidth.

[...snip...]
>   -- store the MD5SUM key that you've computed into a sister file
>      with the name winetest-<YYYYMMDDhhmm>.zip.cookie. Its URL will be:
> 	http://theserver/path/winetest-<YYYYMMDDhhmm>.zip.cookie

This is redundant with the (detached) signatures.  But, just
s/.cookie/.sig/ and it works the same.

BTW, we can't just store the md5sums on the web page as DNS poisoning
would subvert the security.  Using signed binaries means we're secure (I
think ;) except for replay attacks and someone breaking into quisquiliae.  
The former is ameliorated by checking that the .ZIP file's creation date
is reasonable, but the latter is an inherent risk.


> Still to be decided:
[...snip...]
>   B. I guess that the GPG signature will go into the .zip file
>      as an ASCII file. How do we name that? I would prefer something
>      like 'winetest-<YYYYMMDDhhmm>.asc' or somesuch.

I'm currently signing the whole .zip file as a detached signature.  Like
with the md5sum .cookie idea, but called .sig.  Anyone should be able to
verify it with:
   gpg --verify winetest-<date>.zip.sig
(with winetest-<date>.zip in cwd).

If it passes, you know (with some certainty) that it came from the
auto-build machine.


>   C. You need to tell us _exactly_ what the 'http://theserver/path/'
>      is going to be. We need to store that on the WineHQ end to
>      protect against others doing nasty stuff with our distribution 
>      system. :)

By all means, but it's redundant if the .ZIP file is signed.


[using signed binaries]
> Sounds good. Having it signed is a good idea, and you can go ahead and
> implement it. It may take us a bit longer to actually check the signature,
> but that's a different matter.

Hmmm, probably about the same speed.  AFAIK, gpg uses md5sums internally
(within signatures), so it's the time taken to decrypt a md5sum in the
signature, calculate the md5sum of the .ZIP file and compare the two.


> > Just as an aside, when do people in the US change their clocks?  Everyone
> > in the EU is changing to DLS-time (BST in the UK) this Sunday.
> 
> Does it matter? Is UTC dependent on the daylight savings time?

AFAIK, cron uses local time.  If US jumps at a different time, there may be 
additional headaches :^/

----
Paul Millar
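
Added example (not part of the original message or of the Wine project's code): a receiving-side check that combines the detached-signature verification and the replay mitigation discussed above. It pins the signer's fingerprint and, in place of the .ZIP creation date, uses the signature timestamp from gpg's VALIDSIG status line, since that value is covered by the signature. EXPECTED_FPR is a placeholder, the two-day window is an assumption, and SAMPLE_STATUS is constructed.

```python
import subprocess
from datetime import datetime, timedelta, timezone

# Placeholder: replace with the auto-build machine's real signing-key fingerprint.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

# Constructed sample of `gpg --status-fd 1 --verify` output (not real data).
SAMPLE_STATUS = ("[GNUPG:] NEWSIG\n"
                 "[GNUPG:] VALIDSIG " + "A" * 40 +
                 " 2004-03-23 1080000000 0 4 0 17 2 00 " + "A" * 40 + "\n")

def parse_validsig(status):
    """Return (fingerprint, signature time) from gpg status output, or None."""
    for line in status.splitlines():
        f = line.split()
        if len(f) >= 5 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            ts = f[4]
            if "T" in ts:  # gpg may emit ISO 8601 instead of epoch seconds
                when = datetime.strptime(ts, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
            else:
                when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
            return f[2].upper(), when
    return None

def acceptable(status, now, expected_fpr=EXPECTED_FPR,
               max_age=timedelta(days=2), skew=timedelta(minutes=10)):
    """True only for a valid signature by the pinned key that is recent enough."""
    parsed = parse_validsig(status)
    if parsed is None:
        return False                      # no valid signature at all
    fpr, signed_at = parsed
    if fpr != expected_fpr.upper():
        return False                      # valid, but not made by the build key
    return -skew <= now - signed_at <= max_age   # too old => possible replay

def verify(zip_path, now=None):
    """Run gpg on <zip_path>.sig and apply the checks above."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", zip_path + ".sig", zip_path],
        capture_output=True, text=True)
    now = now or datetime.now(timezone.utc)
    return proc.returncode == 0 and acceptable(proc.stdout, now)
```

verify() needs gpg on the PATH and the build machine's public key already imported; parse_validsig() and acceptable() work on captured status text alone.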