[pkg-wpa-devel] Fwd: Packaging crda and wireless-regdb

Luis R. Rodriguez mcgrof at gmail.com
Fri Jan 30 00:12:23 UTC 2009 

On Thu, Jan 29, 2009 at 3:34 PM, Kel Modderman <kel at otaku42.de> wrote:
> On Friday 30 January 2009 07:00:32 Luis R. Rodriguez wrote:
>> Hey Kel,
>>
>> I sent an e-mail to debian-devel a few days ago asking for advice on
>> getting some packages into Debian [1]. They recommended I contact the
>> wpasupplicant maintainer which I believe is you. I'd like to help get
>> two packages into debian, crda and wireless-regd.
>
> Hi Luis,
>
> I had seen the original mail to debian-devel mailing list already but have been
> unable to make meaningful response to it this week. So this is a very very
> quick brainstorm:
>
> * Tim Gardner announced intention to package this stuff up for Ubuntu on linux
>  wireless mailing iirc. Usually Ubuntu people co-operate with Debian people to
>  lessen their future workload (by getting package into Debian somehow). I
>  wonder what the status of the Ubuntu work is, if they have intention to
>  co-operate with Debian people, and if duplication of effort could be
>  avoided?

Tim has packed up both crda and wireless-regdb into one package,
someone which I advise against as crda can remain intact while most
updates will probably come through the wireless-regdb package. Anyway
last I checked out the Ubuntu package it seemed fine and I sent some
final comments to Tim about it.

If one package can be used for both Ubuntu and Debian it would be great.

> * wireless-regdb ... I don't really know how I can explain my thoughts clearly
>  here ... just correct any wrong assumptions I make.
>
>  The release tarball contains a precompiled binary (regulatory.bin), and the
>  build system defaults to simply installing this binary with the usual
>  "make && make install". I think this default is not in agreement with Debian
>  Free Software Guidelines, a prospective Debian wireless-regdb package
>  should be building regulatory.bin from its source files (which are the
>  preferred point of modification).
>
>  If regulatory.bin is built from its source in Debian package, I am not sure
>  how this openssl rsa digital signature snakeoil fits into the equation. Its
>  purpose is to "ensure regulatory.bin file authorship and integrity", but in
>  Debian this extra file trust/integrity check seems redundant as apt already
>  must be configured to grab stuff from a trusted source (via gpg), only
>  trusted people can upload software which gets built and distributed to users
>  via apt, file integrity can be verified via debsums etc etc ... Obviously
>  John Linville cannot log on to each Debian package build daemon and sign it
>  after it has been built either :)
>
>  Why is it important that regulatory.bin contains an rsa signature on a Debian
>  system which already goes to great lengths to ensure file ownership and
>  integrity? What significance is it if the database is unsigned or signed by
>  someone != John Linville?

Note that both crda and wireless-regdb allows you to build it without
RSA key signature checking, if this is something you find useless then
do not use them, but I'd advise against it. The reason RSA digital
signature checks are an option and what I recommend is that regulatory
bodies are highly sensitive towards compliance and the current
infrastructure we have gives us best effort on our part of doing the
best we can to ensure integrity of the files and also gives us a
mechanism to use files from trusted parties on-the-fly. Distribution
packaging tends to guarantee file integrity upon installation time and
from a specific source but it does not give you on-the-fly file
integrity checks. Integrity checks are possible through alternate
means such as simple CRC checks but you'd then need a list of all
allowed CRCs, by using RSA digital signatures you get both file
integrity checks for _any_ binary built with the private key by
checking for the signature -- and while at it you also can get file
authorship protection -- all of this while the file is being read for
usage in memory. Distributions do protect against file corruption
after the files are in place, for example.

John Linville is the default trusted party in CRDA  if you enable
enable libgcrypt or openssl because he is the maintainer of the
wireless-regdb. But note that CRDA lets you enable multiple trusted
parties by letting you throw in alternative public keys into the
pubkeys directory. If your distribution requires you to _build_ your
own regulatory.bin then simply add your own pubkey into the pubkeys.
CRDA will then run using a regulatory.bin built by John Linville or
Debian's wirelss-regdb package maintainer. It allows users to upgrade
using debian's built regulatory.bin, or simply upgrade to using
John's.

> * This pkg-wpa team doesn't have many other frequently active maintainers.
>  I think crda + wireless-regdb will present some challenges in the future
>  which will require more than I could offer by myself (especially in regards
>  to responding quickly and meaningfully to bug reports sent to BTS).
>  pkg-wpa-devel group is intended to be shared by people with interest in
>  Debian and/or Ubuntu too, btw.

I can help but I think at this point it may be best to try to converge
to use Tim's package and address any pending issues for inclusion into
debian.

Kel -- let me know what you think of the above.
Tim -- any chance we can split wireless-regdb and crda in Ubuntu? Also
can we work towards getting these into Debian?

What about iw? Anyone have that covered yet?

  Luis

More information about the Pkg-wpa-devel mailing list