[Pulp-dev] Unblocking SigningService hash check PR

Quirin Pamp pamp at atix.de
Wed Jun 24 11:03:47 UTC 2020


Hi,


However we decide to continue with the SigningService topic in the medium and long run, I wanted to have one more go at unblocking the following PR in the short run:


https://github.com/pulp/pulpcore/pull/659


Currently, this PR issues a warning whenever the hash of a signing service script has changed on disk (compared to when it was first validated).


I think we are all in agreement that this is a bad compromise between doing nothing at all (since the script might have changed for legitimate reasons) and issuing a full-on error in cases where things are broken.



My proposal is the following:


Instead of issuing a warning, a changed hash value on disk would trigger an automatic re-validation of the script on disk.

If the validation fails, it will throw a hard error (which would certainly be the correct course of action for a script that does not perform what the SigningService promises).

If the validation succeeds, the SigningService is updated with the new hash value, and everything continues as if nothing had happened (we just assume the script was changed for legitimate reasons).

The only thing I can come up with where this approach might be problematic is if users want to have different versions of the signing service script on different workers (for some reason).

However, in such cases it would still be possible to work around the problem by having a single signing service script call a secondary script that differs on different workers.


If you are worried that the possibility of such a workaround defeats the whole purpose of hashing the script in the first place, consider the following:

This is not intended as a security feature against some kind of malicious attacker scenario, it is intended to provide some more meaningful error reporting, for operational mistakes.

In this context I almost consider it a bonus if Sysadmin users who want to do something rather unusual and complicated (different signing service scripts on different workers) are forced to think about this carefully.


Where to go from here:

If we can get some kind of agreement that we would be willing to merge the version of the above PR that I have proposed, I would ask Manisha to make the relevant changes and they could be reviewed and merged.
This would not prevent us from taking SigningServices into an entirely different direction in the future.

thanks,
Quirin (quba42)
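The re-validation flow described in the proposal above (hash mismatch → re-run validation → hard error or update the stored hash), as an added example. This is not pulpcore code and not code from the author; it assumes a small dataclass as the stored record, a stand-in validation that feeds the script a throwaway file and expects a JSON object naming that file and an existing signature file (the real pulpcore check is more involved), and two constructed sample signing scripts written in Python and run via the interpreter for portability.

```python
"""Added example (not pulpcore code): re-validate a signing-service script
when its on-disk hash differs from the hash recorded at first validation.

Assumptions: SigningService is a stand-in record; validate_script() is a
stand-in for pulpcore's validation; sample scripts are constructed here.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass


class SigningServiceError(Exception):
    """Raised when a changed script fails re-validation (the hard-error path)."""


@dataclass
class SigningService:
    name: str
    script: str          # absolute path of the signing script on this worker
    script_sha256: str   # hash recorded when the script was last validated


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_script(script):
    """Stand-in validation: sign a temp file, expect JSON with "file" and
    "signature" keys where the signature file exists. Returns (ok, reason)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.txt")
        with open(sample, "w") as f:
            f.write("hello\n")
        try:  # scripts here are Python, so run them through the interpreter
            proc = subprocess.run([sys.executable, script, sample],
                                  capture_output=True, text=True, timeout=30)
        except subprocess.SubprocessError as exc:
            return False, f"script did not run: {exc}"
        if proc.returncode != 0:
            return False, f"exit status {proc.returncode}: {proc.stderr.strip()}"
        try:
            out = json.loads(proc.stdout)
        except ValueError:
            return False, "stdout is not JSON"
        if out.get("file") != sample:
            return False, "output does not name the input file"
        sig = out.get("signature")
        if not sig or not os.path.isfile(sig):
            return False, "signature file missing"
    return True, "ok"


def check_signing_service(service):
    """The proposal: on hash mismatch re-validate instead of warning.
    Returns "unchanged" or "revalidated", or raises SigningServiceError."""
    current = sha256_of_file(service.script)
    if current == service.script_sha256:
        return "unchanged"
    ok, reason = validate_script(service.script)
    if not ok:
        raise SigningServiceError(f"{service.name}: {service.script} changed on "
                                  f"disk and failed re-validation ({reason})")
    service.script_sha256 = current   # assume the change was legitimate
    return "revalidated"


# Constructed sample scripts: one that behaves, one that is broken.
GOOD_SCRIPT = '''import json, sys
path = sys.argv[1]
sig = path + ".asc"
open(sig, "w").write("-----BEGIN PGP SIGNATURE-----\\n(constructed)\\n")
print(json.dumps({"file": path, "signature": sig}))
'''
BROKEN_SCRIPT = '''import sys
print("signed " + sys.argv[1])   # no JSON, no signature file
'''


def demo():
    """Register a good script, then make a harmless edit and a breaking edit."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "sign.py")
        with open(script, "w") as f:
            f.write(GOOD_SCRIPT)
        ok, reason = validate_script(script)
        assert ok, reason
        svc = SigningService("demo", script, sha256_of_file(script))
        results.append(check_signing_service(svc))   # hash matches
        with open(script, "a") as f:                  # harmless edit: a comment
            f.write("# tweaked by an admin\n")
        results.append(check_signing_service(svc))   # re-validated, hash updated
        results.append(check_signing_service(svc))   # matches the new hash
        with open(script, "w") as f:                  # breaking edit
            f.write(BROKEN_SCRIPT)
        try:
            check_signing_service(svc)
            results.append("no error")
        except SigningServiceError:
            results.append("error")
    return results


if __name__ == "__main__":
    print(demo())
```

The caveat from the post applies here too: this is operational-error detection, not a defence against a hostile worker, since whoever can edit the script can also produce one that passes validation.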