[pkg-wpa-devel] Fwd: Packaging crda and wireless-regdb

Kel Modderman kel at otaku42.de
Sun Feb 1 21:03:15 UTC 2009


On Friday 30 January 2009 10:12:23 Luis R. Rodriguez wrote:
> Tim has packed up both crda and wireless-regdb into one package,
> something which I advise against as crda can remain intact while most
> updates will probably come through the wireless-regdb package. Anyway
> last I checked out the Ubuntu package it seemed fine and I sent some
> final comments to Tim about it.

Diverging from upstream released tarballs is painful.

> 
> If one package can be used for both Ubuntu and Debian it would be great.
> 
> > * wireless-regdb ... I don't really know how I can explain my thoughts clearly
> >  here ... just correct any wrong assumptions I make.
> >
> >  The release tarball contains a precompiled binary (regulatory.bin), and the
> >  build system defaults to simply installing this binary with the usual
> >  "make && make install". I think this default is not in agreement with Debian
> >  Free Software Guidelines, a prospective Debian wireless-regdb package
> >  should be building regulatory.bin from its source files (which are the
> >  preferred point of modification).
> >
> >  If regulatory.bin is built from its source in Debian package, I am not sure
> >  how this openssl rsa digital signature snakeoil fits into the equation. Its
> >  purpose is to "ensure regulatory.bin file authorship and integrity", but in
> >  Debian this extra file trust/integrity check seems redundant as apt already
> >  must be configured to grab stuff from a trusted source (via gpg), only
> >  trusted people can upload software which gets built and distributed to users
> >  via apt, file integrity can be verified via debsums etc etc ... Obviously
> >  John Linville cannot log on to each Debian package build daemon and sign it
> >  after it has been built either :)
> >
> >  Why is it important that regulatory.bin contains an rsa signature on a Debian
> >  system which already goes to great lengths to ensure file ownership and
> >  integrity? What significance is it if the database is unsigned or signed by
> >  someone != John Linville?
> 
> Note that both crda and wireless-regdb allow you to build it without
> RSA key signature checking, if this is something you find useless then
> do not use them, but I'd advise against it. The reason RSA digital
> signature checks are an option and what I recommend is that regulatory
> bodies are highly sensitive towards compliance and the current
> infrastructure we have gives us best effort on our part of doing the
> best we can to ensure integrity of the files and also gives us a
> mechanism to use files from trusted parties on-the-fly. Distribution
> packaging tends to guarantee file integrity upon installation time and
> from a specific source but it does not give you on-the-fly file
> integrity checks. Integrity checks are possible through alternate
> means such as simple CRC checks but you'd then need a list of all
> allowed CRCs, by using RSA digital signatures you get both file
> integrity checks for _any_ binary built with the private key by
> checking for the signature -- and while at it you also can get file
> authorship protection -- all of this while the file is being read for
> usage in memory. Distributions do protect against file corruption
> after the files are in place, for example.
> 
> John Linville is the default trusted party in CRDA if you enable
> libgcrypt or openssl because he is the maintainer of the
> wireless-regdb. But note that CRDA lets you enable multiple trusted
> parties by letting you throw in alternative public keys into the
> pubkeys directory. If your distribution requires you to _build_ your
> own regulatory.bin then simply add your own pubkey into the pubkeys.
> CRDA will then run using a regulatory.bin built by John Linville or
> Debian's wireless-regdb package maintainer. It allows users to upgrade
> using Debian's built regulatory.bin, or simply upgrade to using
> John's.

Our distribution requires us to compile the binary from source code which
is the preferred point of modification (should it need to be modified for
whatever reason).

Debian packages are not always built by the same person, or even built in
a temporary chroot where private keys are not available for signing.

The current wireless-regdb build system doesn't support building an unsigned
binary, though I can now see it can be done with modification after your hint.
Ideally, I would not want to carry a patch to allow an unsigned build to
succeed for every new version, it would be nice if this was supported by the
build system.

> 
> > * This pkg-wpa team doesn't have many other frequently active maintainers.
> >  I think crda + wireless-regdb will present some challenges in the future
> >  which will require more than I could offer by myself (especially in regards
> >  to responding quickly and meaningfully to bug reports sent to BTS).
> >  pkg-wpa-devel group is intended to be shared by people with interest in
> >  Debian and/or Ubuntu too, btw.
> 
> I can help but I think at this point it may be best to try to converge
> to use Tim's package and address any pending issues for inclusion into
> debian.
> 
> Kel -- let me know what you think of the above.

I think the signing of the regulatory database binary represents immediate
challenges to packaging it properly for acceptance into Debian archive. These
are not easy for me to work out, no one else from pkg-wpa-devel has joined the
discussion, so I'm a little nervous to commit myself to future package
maintenance.

> Tim -- any chance we can split wireless-regdb and crda in Ubuntu? Also
> can we work towards getting these into Debian?
> 
> What about iw? Anyone have that covered yet?

Yeah, it's in Debian experimental already. An Ubuntu bloke, Loïc Minier, just
recently reviewed it for inclusion in Ubuntu's core/main archive, so I guess
they'll pick it up soon too.

Thanks, Kel.
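
The load-time check discussed in this thread, as an added example that is not part of the original message and is not CRDA's code: a database blob is accepted only if its trailing RSA signature verifies against any one key in a trusted set, so a distribution can add its own key beside upstream's. The blob layout, the key names `UPSTREAM` and `DISTRO`, the payload and the toy keys (built from Mersenne primes, not secure) are all constructed for illustration.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
E = 65537

def toy_key(a, b):
    """Constructed demo key from Mersenne primes 2**a-1, 2**b-1. Not secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private d)

def encode(data, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(data))."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def build_db(payload, n, d):
    """Assumed layout: payload || signature || 2-byte signature length."""
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(encode(payload, k), "big"), d, n).to_bytes(k, "big")
    return payload + sig + k.to_bytes(2, "big")

def load_db(blob, trusted):
    """Verify at read time; return (payload, signer name) or raise ValueError."""
    sig_len = int.from_bytes(blob[-2:], "big")
    if sig_len == 0 or sig_len + 2 > len(blob):
        raise ValueError("malformed database")
    payload, sig = blob[:-2 - sig_len], blob[-2 - sig_len:-2]
    s = int.from_bytes(sig, "big")
    for name, n in trusted.items():  # any one trusted public key suffices
        k = (n.bit_length() + 7) // 8
        if k == sig_len and s < n and pow(s, E, n).to_bytes(k, "big") == encode(payload, k):
            return payload, name
    raise ValueError("no trusted signature")

def accepted(blob, trusted):
    """Name of the trusted signer, or None if the blob is rejected."""
    try:
        return load_db(blob, trusted)[1]
    except ValueError:
        return None

PAYLOAD = b"constructed sample regulatory rules\n"
UPSTREAM, DISTRO = toy_key(521, 607), toy_key(607, 1279)

if __name__ == "__main__":
    only_upstream = {"upstream": UPSTREAM[0]}
    distro_db = build_db(PAYLOAD, *DISTRO)
    print(accepted(distro_db, only_upstream))
    print(accepted(distro_db, {**only_upstream, "distro": DISTRO[0]}))
```

A blob changed on disk after installation fails `load_db` on the next read, which is the case a package-manager checksum taken at install time does not cover.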


