<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr"> <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr"> <div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <p style="margin-top:0; margin-bottom:0">Hi,<br> </p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0">However we decide to continue with the SigningService topic in the medium and longrun, I wanted to have one more go at unblocking the following PR in the short run:</p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0"><a href="https://github.com/pulp/pulpcore/pull/659" class="OWAAutoLink" id="LPlnk526330" previewremoved="true" tabindex="-1">https://github.com/pulp/pulpcore/pull/659</a></p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0">Currently, this PR issues a warning whenever the hash of a signing service script has changed on disk (compared to when it was first validated).</p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0">I think we are all in agreement that this is a bad compromise between doing nothing at all (since the script might have changed for legitimate reasons), and issuing a full on Error in cases where things are broken.<br> </p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0">My proposal is the following:</p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0">Instead of issuing a warning, a changed hash value on disk would trigger an automatic re-validation of the script on disk.</p> <p style="margin-top:0; margin-bottom:0">If the validation fails, it will throw a hard error (which would certainly be the correct course of action for a script that does not perform what the SigningService promises).</p> <p style="margin-top:0; margin-bottom:0">If the validation succeeds, the SigningService is updated with the new hash value, and everything continues as it nothing had happened (we just assume the script was changed for legitimate reasons).<br> </p> <p style="margin-top:0; margin-bottom:0"><br> The only thing I can come up with where this approach might be problematic, is if users want to have different versions of the signing service script on different workers (for some reason).</p> <p style="margin-top:0; margin-bottom:0">However, in such cases it would still be possible to work around the problem by having a single signing service script call a secondary script that differs on different workers.</p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0">If you are worried that the possibility of such a workaround defeats the whole purpose of hashing the script in the first place, consider the following:</p> <p style="margin-top:0; margin-bottom:0">This is not intended as a security feature against some kind of malicious attacker scenario, it is intended to provide some more meaningful error reporting, for operational mistakes.<br> </p> In this context I almost consider it a bonus if Sysadmin users who want to do something rather unusual and complicated (different signing service scripts on different workers) are forced to think about this carefully.</div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> Where to go from here:</div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> If we can get some kind of agreement that we would be willing to merge the version of the above PR that I have proposed, I would ask Manisha to make the relevant changes and they could be reviewed and merged.</div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> This would not prevent us from taking SigningServices into an entirely different direction in the future.</div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> thanks,</div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> Quirin (quba42)<br> </div> </div> </body> </html>