GNU bug report logs -
#45344
[Patch 0/2] Libwaive for signify
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 45344 in the body.
You can then email your comments to 45344 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sun, 20 Dec 2020 18:50:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Vincent Legoll <vincent.legoll <at> gmail.com>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Sun, 20 Dec 2020 18:50:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
The following series adds libwaive, use it
for signify, and remove the TODO item.
I don't know if the test I did is sufficient to
ensure that the libwaive was used but the
following worked OK:
wget https://ftp.openbsd.org/pub/OpenBSD/6.8/openbsd-68-base.pub
wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/miniroot68.img
wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/SHA256
sha256sum -c --ignore-missing SHA256
wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/SHA256.sig
signify -Cp ./openbsd-68-base.pub -x SHA256.sig miniroot68.img
--
Vincent Legoll
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sun, 20 Dec 2020 18:54:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 45344 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/linux.scm (libwaive): New variable.
---
gnu/packages/linux.scm | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2a9aafb50e..a7acab615a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -2526,6 +2526,30 @@ Linux-based operating systems.")
(define-deprecated libcap/next libcap)
(export libcap/next)
+(define-public libwaive
+ ;; There's no release
+ (let ((commit "cdf7c1688dd13e86edd3536b9885b790b0f552e4")
+ (revision "1"))
+ (package
+ (name "libwaive")
+ (version (git-version "0.0.0" revision commit))
+ (home-page "https://github.com/dimkr/libwaive")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url home-page)
+ (commit commit)))
+ (sha256
+ (base32 "1wzy8wqryd26bs6vl8r6sx5jai7afsz0brvjczcpzlfwa7c6c1nn"))
+ (file-name (git-file-name name version))))
+ (build-system cmake-build-system)
+ (arguments '(#:tests? #f))
+ (native-inputs
+ `(("libseccomp" ,libseccomp)))
+ (synopsis "")
+ (description "")
+ (license license:x11))))
+
(define-public bridge-utils
(package
(name "bridge-utils")
--
2.29.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sun, 20 Dec 2020 18:54:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 45344 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/crypto.scm (native-inputs): Add libseccomp & libwaive.
(arguments): Add PLEDGE variable to #:make-flags.
---
gnu/packages/crypto.scm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm
index 1b51366d7e..0b446c08e2 100644
--- a/gnu/packages/crypto.scm
+++ b/gnu/packages/crypto.scm
@@ -154,17 +154,17 @@ communication, encryption, decryption, signatures, etc.")
(base32
"11l67j04gyxnlw6zrzsygqs5cgsc1sww1rh0apl05yay131hd17n"))))
(build-system gnu-build-system)
- ;; TODO Build with libwaive (described in README.md), to implement something
- ;; like OpenBSD's pledge().
(arguments
`(#:make-flags
- (list "CC=gcc"
+ (list "CC=gcc" "PLEDGE=waive"
(string-append "PREFIX=" (assoc-ref %outputs "out")))
#:phases
(modify-phases %standard-phases
(delete 'configure))))
(native-inputs
- `(("pkg-config" ,pkg-config)))
+ `(("pkg-config" ,pkg-config)
+ ("libseccomp" ,libseccomp)
+ ("libwaive" ,libwaive)))
(inputs
`(("libbsd" ,libbsd)))
(synopsis "Create and verify cryptographic signatures")
--
2.29.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sun, 20 Dec 2020 18:56:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 45344 <at> debbugs.gnu.org (full text, mbox):
Yes, it's missing a proper description & synopsis.
I'll add those, but will accept feedback anyways.
Thanks
--
Vincent Legoll
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sat, 20 Feb 2021 18:48:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 45344 <at> debbugs.gnu.org (full text, mbox):
On Sun, Dec 20, 2020 at 07:49:22PM +0100, Vincent Legoll wrote:
> The following series adds libwaive, use it
> for signify, and remove the TODO item.
>
> I don't know if the test I did is sufficient to
> ensure that the libwaive was used but the
> following worked OK:
>
> wget https://ftp.openbsd.org/pub/OpenBSD/6.8/openbsd-68-base.pub
> wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/miniroot68.img
> wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/SHA256
> sha256sum -c --ignore-missing SHA256
> wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/SHA256.sig
> signify -Cp ./openbsd-68-base.pub -x SHA256.sig miniroot68.img
Well, as long as signify keeps working, these extra security features
are offered as "best effort" on Linux. From what I can see, the only
OpenBSD software that is fully supported on Linux is OpenSSH. So, we are
only missing the description and synopsis.
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sat, 20 Feb 2021 19:07:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 45344 <at> debbugs.gnu.org (full text, mbox):
Hello,
On Sat, Feb 20, 2021 at 7:46 PM Leo Famulari <leo <at> famulari.name> wrote:
> Well, as long as signify keeps working, these extra security features
> are offered as "best effort" on Linux. From what I can see, the only
> OpenBSD software that is fully supported on Linux is OpenSSH. So, we are
> only missing the description and synopsis.
Yes, I'm not knowledgeable enough to check for sure that this is really
enhancing security or anything else, but saw the light^Wcomment and
tried to do it... It certainly is more interesting than bare boring package
version updates (which I'll still continue to do anyways though).
I'll update the patch with desc and synopsis.
Thanks
--
Vincent Legoll
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sat, 20 Feb 2021 21:39:02 GMT)
Full text and
rfc822 format available.
Message #23 received at 45344 <at> debbugs.gnu.org (full text, mbox):
This one is not ready anyways, signify still uses the
bundled libwaive, I have to handle that properly as
well...
--
Vincent Legoll
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sat, 20 Feb 2021 23:10:01 GMT)
Full text and
rfc822 format available.
Message #26 received at 45344 <at> debbugs.gnu.org (full text, mbox):
On Sat, Feb 20, 2021 at 10:38:00PM +0100, Vincent Legoll wrote:
> This one is not ready anyways, signify still uses the
> bundled libwaive, I have to handle that properly as
> well...
Alright.
I noticed that libwaive hasn't been active in a few years. I wonder if
it's something we should pursue...
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sun, 21 Feb 2021 09:56:02 GMT)
Full text and
rfc822 format available.
Message #29 received at 45344 <at> debbugs.gnu.org (full text, mbox):
Hello,
On Sun, Feb 21, 2021 at 12:09 AM Leo Famulari <leo <at> famulari.name> wrote:
> I noticed that libwaive hasn't been active in a few years. I wonder if
> it's something we should pursue...
libwaive is a single-file C (~300 LOCs [1]) source code library, I glanced over
it and it looks straightforward enough. I compared it to the seccomp manpage
[2] code samples and saw nothing suspicious.
I think it may not have been updated for newly added syscalls, but that
should not make it unsecure, mainly because what is not explicitely allowed
is prevented from use (default-locked policy [3]).
So, I'll wait for a bit more feedback before working on this, but I think
it may still be a worthwhile addition.
WDYT ?
[1] https://github.com/dimkr/libwaive/blob/master/waive.c
[2] https://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html
[3] https://en.wikipedia.org/wiki/Seccomp
--
Vincent Legoll
Information forwarded
to
guix-patches <at> gnu.org:
bug#45344; Package
guix-patches.
(Sun, 21 Feb 2021 19:05:01 GMT)
Full text and
rfc822 format available.
Message #32 received at 45344 <at> debbugs.gnu.org (full text, mbox):
On Sun, Feb 21, 2021 at 10:55:16AM +0100, Vincent Legoll wrote:
> Hello,
>
> On Sun, Feb 21, 2021 at 12:09 AM Leo Famulari <leo <at> famulari.name> wrote:
> > I noticed that libwaive hasn't been active in a few years. I wonder if
> > it's something we should pursue...
>
> libwaive is a single-file C (~300 LOCs [1]) source code library, I glanced over
> it and it looks straightforward enough. I compared it to the seccomp manpage
> [2] code samples and saw nothing suspicious.
>
> I think it may not have been updated for newly added syscalls, but that
> should not make it unsecure, mainly because what is not explicitely allowed
> is prevented from use (default-locked policy [3]).
>
> So, I'll wait for a bit more feedback before working on this, but I think
> it may still be a worthwhile addition.
>
> WDYT ?
I think you've done all the things a reviewer would ask for, so please
proceed as you see fit :)
bug closed, send any further explanations to
45344 <at> debbugs.gnu.org and Vincent Legoll <vincent.legoll <at> gmail.com>
Request was from
Vincent Legoll <vincent.legoll <at> gmail.com>
to
control <at> debbugs.gnu.org.
(Sat, 15 Jun 2024 09:44:02 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Sat, 13 Jul 2024 11:24:10 GMT)
Full text and
rfc822 format available.
This bug report was last modified 300 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.