Buildd autosigning
Original notes from earlier discussions
Ftpmaster Wishlist for accepting automatically signed uploads
Buildd host requirements
The host has to be maintained by DSA, included in all the usual DSA setups (ldap, nagios, whatever).
At DSA discretion, either
- The host runs a local packet filter that disallows all incoming and outgoing traffic except:
- incoming SSH from a limited number of known hosts
- outgoing SSH to the wanna-build host and to the upload host
- outgoing HTTP (or HTTPS) to the local mirror and to ftp-master
- outgoing and incoming SMTP to/from an SMTP relay in .debian.org
- other ports as needed by DSA (e.g. nagios), but as few as possible
OR
- The host runs a local packet filter that drops all outgoing network packets from a specific uid (--match owner), i.e. from the buildd itself. (This uid would be allowed to reach the upload target host via rsync, but nothing else.)
The rationale for this is that no buildd should have network access. Not only is that a requirement that should be enforced anyway, but network access would also nicely break security for autosigning. It is way too easy to upload a package with a malicious debian/rules that downloads something from the network during build time - and bang, the chroot is untrusted. Disallowing network access helps to prevent this.
Limited access to the machine, no unneeded / unused user accounts.
General
Every buildd host gets an own GPG key.
The GPG key has to include a full email address, arch-$builddname@buildd.debian.org, and the buildd uses that address for its Maintainer field too, i.e. no field without a mail address is used anymore! (Fix your spamfilter, damnit :) )
The GPG key used for this has to be handled like this:
- The buildd admin generates it on a machine they own. Not the buildd, not wb.d.o or whatever.
- The public part of the primary key is sent to ftpmaster, to have it put into the keyring they maintain.
- They generate a new signing subkey every 3 months.
- Key updates are done by signed mail to ftpmaster. (Address to be defined). They should be installed automagically. New subkeys for existing buildd keys are accepted automagically, replacing the old key.
Uploads from a buildd host are done via rsync over ssh into a special queue on the upload host that only accepts the currently valid GPG keys. (The ssh keys are limited to only allow connections from one IP, the buildd, so uploads are only able to get onto ftpmaster if they pass through the buildd host.)
Uploads signed by those keys are only accepted if they are binary-only. An automated key will never be able to upload any kind of source.
The keys are limited to one architecture only.
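As an added illustration of the two acceptance rules above (binary-only uploads, one architecture per automated key), here is a small policy check over a .changes file. This is example code written for these notes, not dak or any other Debian tool; it assumes the OpenPGP signature on the .changes has already been verified and stripped, and that the signing key is known to be bound to the architecture passed as `key_arch`.

```python
# Added policy check for the rules above (binary-only, one arch per key); not dak code.
# Assumes the .changes signature was already verified and stripped, and that the
# signing key is known to be bound to `key_arch`.
SOURCE_SUFFIXES = (".dsc", ".tar.gz", ".tar.xz", ".tar.bz2", ".diff.gz")
BINARY_SUFFIXES = (".deb", ".udeb", ".buildinfo")

def parse_changes(text):
    """Parse RFC822-style .changes fields; continuation lines become list items."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation of the previous field
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key].append(line.strip())
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def check_buildd_upload(text, key_arch):
    """Return (accepted, reason) for an upload signed by a key bound to key_arch."""
    fields = parse_changes(text)
    archs = set(" ".join(fields.get("Architecture", [])).split())
    if "source" in archs:
        return False, "source upload not allowed for an automated key"
    if archs != {key_arch}:
        return False, "architectures %s do not match key arch %s" % (sorted(archs), key_arch)
    for entry in fields.get("Files", []):
        name = entry.split()[-1]  # Files: md5 size section priority filename
        if name.endswith(SOURCE_SUFFIXES):
            return False, "source file in binary-only upload: " + name
        if not name.endswith(BINARY_SUFFIXES):
            return False, "unexpected file in buildd upload: " + name
    return True, "ok"

# Constructed sample .changes content (not a real upload).
BINARY_ONLY = """\
Format: 1.8
Source: hello
Architecture: amd64
Version: 2.10-3
Maintainer: amd64 Build Daemon <amd64-example@buildd.debian.org>
Files:
 00000000000000000000000000000000 12345 devel optional hello_2.10-3_amd64.deb
"""
```

The check rejects the upload if the Architecture field lists "source" or any architecture other than the key's, and if the Files section names a source artifact or anything that is not a .deb, .udeb or .buildinfo.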