[pkg] CurveDNS - review
Lukas Schwaighofer
lukas at schwaighofer.name
Mon Jun 26 22:28:00 UTC 2017
Hi Stéphane,
I've looked at your package more closely now. Suggestions follow below.
* patches:
- chroot.patch: I see you have taken that from a pull request. As you
don't currently use it you should drop it; it will be added with an
update if upstream accepts the request
- spelling.patch: you should create a pull request to get it merged
upstream!
- I think libsodium.patch and makefile.patch could be merged into one
single patch as it's a single objective: compile against libsodium
and not against the source included nacl library
* Documentation:
- You should document that the Debian version of curvedns is linked
against libsodium (which is a quite, but for our case I'd say
justified, deviation from upstream). My suggestion would be to
write this in the debian/curvedns.README.Debian file (which will
then be installed to /usr/share/doc/curvedns/).
- curvedns-keygen man page: The section "RUNNING CurveDNS" is outdated
now that we've dropped daemontools
- curvedns man page: The last paragraph of the description seems
plain wrong: the arguments are not part of /etc/default/curvedns and
there is no logic at all regarding KEYS_GENERATED
- Upstream's README.md and INSTALL.md should probably be installed to
/usr/share/doc. See dh_installdocs(1) on how to do that.
* because we dropped daemontools, /var/log/curvedns is now no longer
used; there is no need to create that directory any more.
* adduser in postinst: create group as well
it's free and separates it more strongly from other processes running
as nogroup (simply add `--group` to your adduser invocation and drop
the `--ingroup ...` part)
* UID/GID handling:
I would propose not adding UID and GID to /etc/default/curvedns.
These should not really be toched by the user. Instead I would
generate a suitable file in postinst that you can source in addition
to /etc/default/curvedns. I'll give you an example here that shows
how to do that with a here document (easier than printf):
cat <<EOF >/var/lib/curvedns/numeric_uid_gid
UID=$(id -u curvedns)
GID=$(id -g curvedns)
EOF
Then you can remove everything from postinst that writes to
/etc/default/curvedns and instead create all this configuration
statically in curvedns.default. That's important as it fixes a bug:
When calling `dpkg-reconfigure curvedns`, the whole part from postinst
is appended once more. Don't forget to clean up that file in postrm.
* init script (debian/curvedns.init):
the environment variables will not be available to the executed daemon
and there is no straight forward way I'm aware of to pass environment
variables through start-stop-daemon. The `env` binary can help in
some cases, but is not powerful enough to read the variables from a
file. One option would be to write a wrapper script and install it to
installed to /usr/lib/curvedns/ that does something like
#!/bin/sh
set -o allexport
. /path/to/sourcefile1
. /path/to/sourcefile2
exec real-daemon "$@"
* debconf and FQDN
Asking for the FQDN is wrong because
- you're not really asking for an FQDN (I don't see upstream calling
it that either)
- you don't need that information to start the software, in fact you
don't need to configure what you called FQDN at all as the
generated key is independent from the entered name (also covered
by the FAQ of upstream's INSTALL.md file)
So you should completely drop the debconf logic and don't ask any
questions during the installation.
Instead you should simply use curvedns-keygen (without parameters) in
postinst and parse the output. The curvedns daemon only needs the
Hex secret key to run (you can write that to the same file as
previously). However, in order to set up the zone for which curvedns
is run as forwarder, the admin will need at least the DNS public key
later to set up the NS record of his zone. You need to preserve that
information (probably a file in /etc/curvedns/ is still the best
place, even though it's not a configuration for curvedns).
Make sure the key cration in postinst is only performed once (i.e. if
the key exists it should not be overwritten). Additionally you should
document somewhere (e.g. in README.Debian) how to perform a key
rollover.
* Check if the instructions for how to curvedns interacts with other DNS
components are sufficient:
- interaction with the authoritative nameserver
- NS set (+ possibly glue records) installed in the parent zone; the
DNS public key is needed for that
In case you have not already, I'd suggest you try setting up the
complete system to test it. dqcache is packaged in Debian, so you
also have a DNScurve capable resolver ("recursive nameserver")
allowing you to check if everything actually works. :)
I hope everything I wrote is understandable. If you have any questions
or disagree with something let me know.
Good night
Lukas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-security-team/attachments/20170627/5892f113/attachment.sig>
More information about the Pkg-security-team
mailing list