<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'DejaVu Sans Mono'; font-size:9pt; font-weight:400; font-style:normal;">Hi Luis, Paul,<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>(Dropped the CC to linux-wireless as it rejected my other attempt to send<br>
message claiming it was part HTML/Spam. Apologies if you get two copies.)<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>On Friday 27 March 2009 14:00:20 Luis R. Rodriguez wrote:<br>
> On Wed, Mar 25, 2009 at 9:59 PM, Paul Wise <pabs@debian.org> wrote:<br>
> > On Thu, Mar 26, 2009 at 1:19 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:<br>
> ><br>
> >>> Brainwave: no need to add a second public key to CRDA itself, the<br>
> >>> wireless-regdb could install the public key corresponding to the<br>
> >>> private key it was built with.<br>
> >><br>
> >> Can you elaborate on what you mean? Do you mean for wireless-regdb to<br>
> >> put the actual pubkey into the users' system somewhere? Otherwise not<br>
> >> sure what you mean.<br>
> ><br>
> > The crda package would contain the default upstream public key.<br>
> ><br>
> > The wireless-regdb would ship the Debian maintainer's pubkey as<br>
> > debian/pubkeys/debian.pem in the source package and<br>
> > /lib/crda/pubkeys/debian.pub.pem (or similar) in the binary package.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>And all other pubkeys of members of packaging maintenance group.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>> ><br>
> > Ubuntu would add their pubkey in a similar way.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Ubuntu probably cannot build and sign their own regulatory.bin: AFAIK they<br>
do source only uploads and package is built on remote buildd (with no access<br>
to privkey for signing). They seem to just install linvilles pre-compiled<br>
presigned regulatory.bin in the Ubuntu wireless-crda package and be happy<br>
with that. <br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>> ><br>
> > When wireless-regdb is built, it would:<br>
> ><br>
> > check the sha1sum/sha256sum of db.txt (alternatively upstream could<br>
> > add a detached signature if possible to the tarball/git repo)<br>
> ><br>
> > if the db.txt is identical to the upstream one (or signed by<br>
> > upstream), ship the upstream regulatory.bin file<br>
> ><br>
> > if the db.txt has been modified:<br>
> ><br>
> > if no private key is available, generate one automatically<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I would rather the build process fail if the packager has not prepared<br>
themselves a priv/pub key pair for maintaining wireless-regdb package or<br>
else we could end up with a new key pair created on-the-fly and being used<br>
to sign a regulatory.bin which is not recognised by the currently available<br>
crda until it is recompiled with the new key in its PUBKEY_DIR.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Instead the debian packaging could provide some documentation/convenience<br>
code for expected handling of maintainer priv/pub key pairs for signing<br>
and authentication of regulatory.bin. Attempted to write such stuff here:<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>$ svn cat svn://svn.debian.org/svn/pkg-wpa/wireless-regdb/trunk/debian/README.maintainer<br>
---<br>
Add to debian/pubkeys all public keys which crda should consider when<br>
verifying regulatory.bin. This should include all members of the pkg-wpa-devel<br>
team who plan to work on or upload wireless-regdb or crda.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>To generate an openssl key pair for packaging purposes:<br>
make -f debian/rules install-distro-key<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>This should create:<br>
~/.wireless-regdb-pkg-wpa-devel.key.priv.pem<br>
~/.wireless-regdb-pkg-wpa-devel.key.pub.pem<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Copy the pubkey to debian/pubkeys and commit it to the VCS:<br>
cp ~/.wireless-regdb-pkg-wpa-devel.key.pub.pem \<br>
debian/pubkeys/pkg-wpa-devel-${USER}.pub.pem<br>
svn add debian/pubkeys/pkg-wpa-devel-${USER}.pub.pem<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>When new keys are added to debian/pubkeys, the crda package needs to be<br>
rebuilt with an updated versioned build dependency: the wireless-regdb<br>
package version with the new key(s).<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>When building this package, the private key must be accessible so that<br>
regulatory.bin can be signed by it to ensure the path of authentication<br>
for the regulatory domain database is as good as possible. It does however<br>
mean that the package cannot be built in a clean chroot (eg. pbuilder)<br>
without having your ~/ bind mounted in it.<br>
---<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>> ><br>
> > rebuild the regulatory.bin file using the private key<br>
> ><br>
> > create the corresponding public key and install it in the package as<br>
> > /lib/crda/pubkeys/custom.pub.pem when it is not the same public key as<br>
> > one of the ones in debian/pubkeys/*.pem (avoids shipping two copies of<br>
> > the Debian pubkey)<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>The pubkeys are small enough to not bother adding code and worry about having<br>
a duplicate key in /lib/crda/pubkeys/ I think. At least at this stage it is<br>
least of packaging worries.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>> ><br>
> > this scheme requires standard locations for the private key. I would<br>
> > suggest either ~/.debian-wireless-regdb.priv.pem or<br>
> > debian-wireless-regdb.priv.pem in the package build directory.<br>
> ><br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Luis added some support code to handle this in wireless-regdb Makefile<br>
recently.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>> >>>> It is possible for users to add more public keys to the CRDA pubkeys<br>
> >>>> dir and build their own wireless-regdb using their own private key.<br>
> >>><br>
> >>> The above simplification makes this much easier.<br>
> >><br>
> >> Not sure what you mean, but the idea with the pubkeys directory<br>
> ><br>
> > The above scheme would allow users who apt-get source wireless-regdb,<br>
> > edit db.txt, debuild, debi to automatically trust their own key, as<br>
> > well as trusting Debian's key and the upstream key.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Made an attempt at packaging wireless-regdb and crda after thinking about<br>
stuff discussed in this thread, the proposed packaging is at:<br>
svn://svn.debian.org/svn/pkg-wpa/wireless-regdb/trunk/<br>
svn://svn.debian.org/svn/pkg-wpa/crda/trunk/<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Can people please take a good look at this please to make sure it is a viable<br>
packaging effort?<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Thanks, Kel.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p></body></html>