[pkg-wpa-devel] Fwd: Packaging crda and wireless-regdb

Luis R. Rodriguez mcgrof at gmail.com
Fri Jan 30 00:21:06 UTC 2009 

On Thu, Jan 29, 2009 at 4:12 PM, Luis R. Rodriguez <mcgrof at gmail.com> wrote:
> On Thu, Jan 29, 2009 at 3:34 PM, Kel Modderman <kel at otaku42.de> wrote:
>> On Friday 30 January 2009 07:00:32 Luis R. Rodriguez wrote:
>>> Hey Kel,
>>>
>>> I sent an e-mail to debian-devel a few days ago asking for advice on
>>> getting some packages into Debian [1]. They recommended I contact the
>>> wpasupplicant maintainer which I believe is you. I'd like to help get
>>> two packages into debian, crda and wireless-regd.
>>
>> Hi Luis,
>>
>> I had seen the original mail to debian-devel mailing list already but have been
>> unable to make meaningful response to it this week. So this is a very very
>> quick brainstorm:
>>
>> * Tim Gardner announced intention to package this stuff up for Ubuntu on linux
>>  wireless mailing iirc. Usually Ubuntu people co-operate with Debian people to
>>  lessen their future workload (by getting package into Debian somehow). I
>>  wonder what the status of the Ubuntu work is, if they have intention to
>>  co-operate with Debian people, and if duplication of effort could be
>>  avoided?
>
> Tim has packed up both crda and wireless-regdb into one package,
> someone which I advise against as crda can remain intact while most
> updates will probably come through the wireless-regdb package. Anyway
> last I checked out the Ubuntu package it seemed fine and I sent some
> final comments to Tim about it.
>
> If one package can be used for both Ubuntu and Debian it would be great.
>
>> * wireless-regdb ... I don't really know how I can explain my thoughts clearly
>>  here ... just correct any wrong assumptions I make.
>>
>>  The release tarball contains a precompiled binary (regulatory.bin), and the
>>  build system defaults to simply installing this binary with the usual
>>  "make && make install". I think this default is not in agreement with Debian
>>  Free Software Guidelines, a prospective Debian wireless-regdb package
>>  should be building regulatory.bin from its source files (which are the
>>  preferred point of modification).
>>
>>  If regulatory.bin is built from its source in Debian package, I am not sure
>>  how this openssl rsa digital signature snakeoil fits into the equation. Its
>>  purpose is to "ensure regulatory.bin file authorship and integrity", but in
>>  Debian this extra file trust/integrity check seems redundant as apt already
>>  must be configured to grab stuff from a trusted source (via gpg), only
>>  trusted people can upload software which gets built and distributed to users
>>  via apt, file integrity can be verified via debsums etc etc ... Obviously
>>  John Linville cannot log on to each Debian package build daemon and sign it
>>  after it has been built either :)
>>
>>  Why is it important that regulatory.bin contains an rsa signature on a Debian
>>  system which already goes to great lengths to ensure file ownership and
>>  integrity? What significance is it if the database is unsigned or signed by
>>  someone != John Linville?
>
> Note that both crda and wireless-regdb allows you to build it without
> RSA key signature checking, if this is something you find useless then
> do not use them, but I'd advise against it. The reason RSA digital
> signature checks are an option and what I recommend is that regulatory
> bodies are highly sensitive towards compliance and the current
> infrastructure we have gives us best effort on our part of doing the
> best we can to ensure integrity of the files and also gives us a
> mechanism to use files from trusted parties on-the-fly. Distribution
> packaging tends to guarantee file integrity upon installation time and
> from a specific source but it does not give you on-the-fly file
> integrity checks. Integrity checks are possible through alternate
> means such as simple CRC checks but you'd then need a list of all
> allowed CRCs, by using RSA digital signatures you get both file
> integrity checks for _any_ binary built with the private key by
> checking for the signature -- and while at it you also can get file
> authorship protection -- all of this while the file is being read for
> usage in memory.

>Distributions do protect against file corruption
> after the files are in place, for example.

I meant "Distributions do not".

BTW this is now part of the wiki:

http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature

  Luis

More information about the Pkg-wpa-devel mailing list