[Fwd: Re: bazaar.conf - decisions]

John A Meinel john at arbash-meinel.com
Tue Oct 11 04:06:18 BST 2005


I accidentally replied off list.
John
=:->

-------- Original Message --------
Subject: Re: bazaar.conf - decisions
Date: Tue, 11 Oct 2005 08:20:46 +1000
From: Robert Collins <robertc at robertcollins.net>
To: John A Meinel <john at arbash-meinel.com>
References: <1128934620.12199.60.camel at localhost.localdomain>
<434A76A7.4010603 at arbash-meinel.com>

Did you mean to reply off-list ? I don't mind, just noting it. if not,
well, just forward this to the list ;0

On Mon, 2005-10-10 at 09:11 -0500, John A Meinel wrote:
> Robert Collins wrote:
> > So, this week I plan to be hacking on GPG support, which will need a
> > local policy for saying 'please check signatures on signed branches' or
> > 'please expect branch X to always be signed' etc.
> >
> > So we talked about a config file a while back. heres a strawman for it:
> >
> > ~/.bazaar/bazaar.conf
> > ====
> > [DEFAULT]
> > email=Robert Collins <robertc at robertcollins.net>
> > editor=vim
> > gpg_signing_command=gnome-gpg
> >
> > # other sections may be put here in future.
> > ====
>
> ~/.bazaar/bazaar.conf seems reasonable.
> But ~/.bazaar/branches.conf I'm not so sure about.
>
> >
> > ~/.bazaar/branches.conf
> > ====
> > # default behaviour is to check things that look signed
> > #
> > # force off signing on my local corporate stuff
> > [source/canonical/]
> > # the above is a relative URL to $HOME
> > # the trailing slash tells bzr it should apply this policy to everything
> > # under /source/canonical
> > check_signatures=never-check
>
> Since this isn't an absolute path, what is it relative to? Your home
> directory? On windows, you don't really have the same concept (I know I
> usually work in H:/dev/...
> Though my $HOME would be C:/Documents and Settings/jameinel/

So, I think relative path support from $HOME would be really nice for
unix users. And for windows users, just use an absolute one - i.e.
[file:///H|/dev/]
or
[/H|/dev/]

> I would tend to make these absolute paths.
> But really, because of the distributed neighbor, it seems like it would
> be better to have:
> $wd/.bzr/signature
>
> Or are these supposed to be regex or glob characters.

So we will need a .bzr/signature or similar *too*, but we cannot set
security policy for an object FOO from within FOO, unless we have a TCB
which guarantees a minimum level of audit/authentication to check that
no one has modified the security policy. We don't have that =-> cannot
set in the branch.

> Certainly I would assume that "sftp://chinstrap" is meant to match
> everything on chinstrap (as in "sftp://chinstrap/*")

So one common thing in complex projects is:
/source/foo-root
/source/foo-root/subproject

and the policy for foo-root MAY or MAY NOT affect subproject. We need
some way to easily specify both of these choices. '/' seemed like the
easiest solution for PQM, and it seems to work well there. Also for
browsers and web servers, foo/ and foo are different, and I think most
people will get that easily enough.

> >
> > [sftp://chinstrap/]
> > # but I should verify everything I am pulling locally
> > check_signatures=must-be-signed
> >
> > [source/canonical/3rdparty/external/project]
> > # this is an exact spec - subtrees will not be affected,
> > # and .../project will override all parent policies
> > # This project does not use signatures
> > check_signatures=automatic
> > ====
> >
> > branches.conf and bazaar.conf may be written to by bzr, using atomicfile
> > for reliability. We need a local policy for gpg, because otherwise there
> > is a glaring hole in the system - a remote attacker can just strip
> > signatures. Other things, like a prefix for where to push to, if you
> > have a regular layout of your branches, can also go here in future.
>
> It seems like you are designing for Canonical's regular layout. Which
> may be wonderful, but I don't know that everyone is going to follow it.
>
> I understand your argument for needing a local policy. I'm just not sure
> how to implement it. I think having a regex or a glob might work.

Regexes are too complex, globs don't add much over simple prefixes but
cost much more to compute, and also add confusion about what counts as
the 'closest match'. I think prefixes are much clearer for users.

> I think you could also implement the config item as:
>
> signatures=check-if-available
> signatures=require
> signatures=ignore

Sure, I like that.

Rob


--
GPG key available at: <http://www.robertcollins.net/keys.txt>.
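As an added example (not bzr's own code, and not from either poster), here is the branches.conf lookup Robert sketches above: a section ending in '/' covers that location and everything under it, a section without a trailing slash covers exactly that location, the longest (closest) matching prefix wins, and section names that are neither URLs nor absolute paths are assumed to be relative to $HOME. The sample config is a constructed copy of the strawman in the thread.

```python
import configparser
import posixpath

# Constructed sample, copied from the strawman branches.conf in the thread.
SAMPLE_BRANCHES_CONF = """\
# force off signing on my local corporate stuff
[source/canonical/]
check_signatures = never-check

# but I should verify everything I am pulling locally
[sftp://chinstrap/]
check_signatures = must-be-signed

# exact spec: subtrees are not affected, and this overrides parent policies
[source/canonical/3rdparty/external/project]
check_signatures = automatic
"""


def _absolute(name: str, home: str) -> str:
    """URLs and absolute paths are kept as-is; anything else is taken
    relative to $HOME (assumption, as proposed in the thread)."""
    if "://" in name or name.startswith("/"):
        return name
    return posixpath.join(home, name)


def parse_branches_conf(text: str) -> dict:
    """Section name -> {option: value}, with no value interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def signature_policy(location: str, sections: dict, home: str,
                     default: str = "automatic") -> str:
    """Return the check_signatures policy that applies to `location`.

    Trailing-slash sections match the directory itself and any subtree;
    other sections match only that exact location.  The longest matching
    section wins, so an exact entry overrides an enclosing subtree entry.
    `default` (assumed) is what applies when nothing matches.
    """
    loc = _absolute(location, home).rstrip("/")
    best_name, best_policy = "", default
    for name, opts in sections.items():
        full = _absolute(name, home)
        hit = (loc + "/").startswith(full) if full.endswith("/") else loc == full
        if hit and len(full) > len(best_name):
            best_name, best_policy = full, opts.get("check_signatures", default)
    return best_policy
```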
