opam-version: "2.0"
homepage: "https://github.com/hannesm/conex"
dev-repo: "git+https://github.com/hannesm/conex.git"
bug-reports: "https://github.com/hannesm/conex/issues"
doc: "https://hannesm.github.io/conex/doc"
maintainer: ["Hannes Mehnert <hannes@mehnert.org>"]
license: "BSD-2-Clause"

build: [
  [
    "ocaml"
    "pkg/pkg.ml"
    "build"
    "--pinned"
    "%{pinned}%"
    "--tests"
    "false"
    "--with-format"
    "%{opam-format:installed}%"
  ]
  ["ocaml" "pkg/pkg.ml" "build" "--pinned" "%{pinned}%" "--tests" "true"]
    {with-test}
  ["ocaml" "pkg/pkg.ml" "test"] {with-test}
]
depends: [
  "ocaml" {>= "4.03.0" & < "5.0.0"}
  "ocamlfind" {build}
  "ocamlbuild" {build}
  "topkg" {build}
  "cmdliner"
  "opam-file-format" {>= "2.0.0~beta"}
  "cstruct" {>= "1.6.0"}
  "nocrypto" {>= "0.5.3"}
  "x509" {>= "0.4.0" & < "0.7.0"}
  "alcotest" {with-test}
  "logs"
  "fmt"
  "rresult"
  "astring"
]
depopts: [
  "opam-format"
]
synopsis: "Establish trust in community repositories"
description: """
[Conex](https://github.com/hannesm/conex) is a library to verify and attest release integrity and
authenticity of a community repository through the use of cryptographic signatures.

NOTE: This is still work in progress, to be deployed with opam 2.0 and the [opam
repository](https://github.com/ocaml/opam-repository). A [getting started
with conex article](https://hannes.robur.coop/Posts/Conex) is online.

Packages are collected in a community repository to provide an index and
allow cross-references. Authors submit their packages to the repository, which
is curated by a team of janitors. Information
about a package stored in a repository includes: license, author, releases,
their dependencies, build instructions, url, tarball checksum. When someone
publishes a new package, the janitors integrate it into the repository, if it
compiles and passes some validity checks. For example, its name must not be misleading,
nor may it be too general.

Janitors keep an eye on the repository and fix emergent failures. A new
compiler release, or a release of a package on which other packages depend, might break the compilation of
a package. Janitors usually fix these problems by adding a patch to the build script, or introducing
a version constraint in the repository.

*Conex* ensures that every release of each package has been approved by its author or a quorum of janitors.
A conex-aware client initially verifies the repository using janitor key fingerprints as anchor.
Afterwards, the on-disk repository is trusted, and every update is verified (as a patch) individually.
This incremental verification is accomplished by ensuring that all resources
the patch modifies result in a valid repository with
sufficient approvals. Additionally, monotonicity is preserved by
embedding counters in each resource, and enforcing a counter
increment after modification.
This mechanism avoids rollback attacks, in which an
attacker presents you with an old version of the repository.

Opam2 has support for a [`repository validation
command`](http://opam.ocaml.org/doc/2.0/Manual.html#configfield-repository-validation-command),
which `conex_verify` is intended to become in the future.

A timestamping service (NYI) will periodically approve a global view of the
verified repository, together with a timestamp. This is then used by the client
to prevent mix-and-match attacks, where an attacker mixes some old packages and
some new ones. Also, the client is able to detect freeze attacks, since at
least every day there should be a new signature done by the timestamping service.

The trust is rooted in digital signatures by package authors. The server which
hosts the repository does not need to be trusted. Neither does the host serving
release tarballs.

If a single janitor were powerful enough to approve a key for any author,
compromising one janitor would be sufficient to enroll any new identities,
modify dependencies, build scripts, etc. In conex, a quorum of janitors (let's
say 3) has to approve such changes. This is different from current workflows,
where a single janitor with access to the repository can merge fixes.

Conex adds metadata, in the form of resources, to the repository to ensure integrity and
authenticity. There are different kinds of resources:

- *Authors*, consisting of a unique identifier, public key(s), accounts.
- *Teams*, sharing the same namespace as authors, containing a set of members.
- *Authorisation*, one for each package, describing which identities are authorised for the package.
- *Package index*, for each package, listing all releases.
- *Release*, for each release, listing checksums of all data files.

Modifications to identities and authorisations need to be approved by a quorum
of janitors; package index and release files can be modified either by an authorised
id or by a quorum of janitors."""
authors: "Hannes Mehnert <hannes@mehnert.org>"
url {
  src:
    "https://github.com/hannesm/conex/releases/download/0.9.2/conex-0.9.2.tbz"
  checksum: [
    "sha256=4081f7e860dca2856609d4f22f25c2c23db5944a9925f6ed206ac9422c41115f"
    "md5=91025ad2e155afad333b2473568c9102"
  ]
}
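The description above lays out three rules an update must satisfy: every modified resource carries a counter that is strictly incremented (rollback protection), identity and authorisation resources need a janitor quorum, and package index and release files need either an authorised id or a janitor quorum, all judged against the repository as it looks after the patch. The following is an added example that models those rules in Python; it is not conex's own code (conex is written in OCaml) and treats signature checking as already done, so `Resource`, `verify_patch`, the `JANITORS` set, the quorum of 3 and the sample identities are constructed assumptions for illustration only.

```python
from dataclasses import dataclass

# Constructed sample data: janitor identities and the quorum size
# (the description says "let's say 3").
JANITORS = frozenset({"janitor-a", "janitor-b", "janitor-c", "janitor-d"})
QUORUM = 3

IDENTITY_KINDS = ("author", "team", "authorisation")  # need a janitor quorum
PACKAGE_KINDS = ("index", "release")                   # authorised id or quorum


@dataclass(frozen=True)
class Resource:
    """One repository resource, as a simplified model (not conex's format)."""
    kind: str
    counter: int                           # monotonic counter embedded in the resource
    signers: frozenset                     # identities whose (already verified) signatures approve this version
    package: str = ""                      # set for authorisation/index/release
    authorised: frozenset = frozenset()    # for 'authorisation': ids allowed on the package


def has_quorum(signers):
    return len(signers & JANITORS) >= QUORUM


def approved(res, repo):
    """Does `res` carry sufficient approvals given the (post-patch) repository `repo`?"""
    if res.kind in IDENTITY_KINDS:
        return has_quorum(res.signers)
    auth = repo.get(f"authorisation:{res.package}")
    allowed = auth.authorised if auth else frozenset()
    return bool(res.signers & allowed) or has_quorum(res.signers)


def verify_patch(repo, patch):
    """Return a list of errors; an empty list means the patch may be applied.

    Approvals are checked against the repository *after* the patch, so an
    authorisation change and a release signed by the newly authorised id
    can arrive in one patch, as long as each resource is valid on its own.
    """
    after = {**repo, **patch}
    errors = []
    for name, new in patch.items():
        old = repo.get(name)
        if old is not None and new.counter <= old.counter:
            errors.append(f"{name}: counter {new.counter} does not exceed {old.counter} (rollback?)")
        if not approved(new, after):
            errors.append(f"{name}: insufficient approvals from {sorted(new.signers)}")
    return errors


def apply_patch(repo, patch):
    errors = verify_patch(repo, patch)
    if errors:
        raise ValueError("; ".join(errors))
    return {**repo, **patch}


# Constructed repository state: package "foo" is authorised for "alice".
THREE_JANITORS = frozenset({"janitor-a", "janitor-b", "janitor-c"})
REPO = {
    "authorisation:foo": Resource("authorisation", 1, THREE_JANITORS, "foo", frozenset({"alice"})),
    "index:foo": Resource("index", 1, frozenset({"alice"}), "foo"),
    "release:foo.1.0": Resource("release", 1, frozenset({"alice"}), "foo"),
}

# Constructed patches exercising each rule.
GOOD = {  # author bumps the index counter and adds a release
    "index:foo": Resource("index", 2, frozenset({"alice"}), "foo"),
    "release:foo.1.1": Resource("release", 1, frozenset({"alice"}), "foo"),
}
ROLLBACK = {  # same counter as on disk: an old version being replayed
    "index:foo": Resource("index", 1, frozenset({"alice"}), "foo"),
}
ONE_JANITOR = {  # a single janitor tries to authorise a new id
    "authorisation:foo": Resource("authorisation", 2, frozenset({"janitor-a"}), "foo",
                                  frozenset({"alice", "mallory"})),
}
UNAUTHORISED = {  # release signed by an id that is not authorised for foo
    "release:foo.1.2": Resource("release", 1, frozenset({"mallory"}), "foo"),
}
ENROL_AND_RELEASE = {  # quorum adds "bob", and bob's release arrives in the same patch
    "authorisation:foo": Resource("authorisation", 2, THREE_JANITORS, "foo", frozenset({"alice", "bob"})),
    "release:foo.2.0": Resource("release", 1, frozenset({"bob"}), "foo"),
}

if __name__ == "__main__":
    for label, patch in [("good", GOOD), ("rollback", ROLLBACK), ("one-janitor", ONE_JANITOR),
                         ("unauthorised", UNAUTHORISED), ("enrol-and-release", ENROL_AND_RELEASE)]:
        print(label, verify_patch(REPO, patch) or "ok")
```

The check is deliberately per-resource: a patch is rejected as soon as any one of its resources fails the counter or approval rule, which is what lets a client trust the on-disk repository after the initial anchor check and verify each later update on its own.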