WIP: Tracking for package manager hook to allow public review and maintenance of dotya #10

Open
opened 2020-11-01 11:29:59 +01:00 by kreyren · 6 comments

Dotya is currently using repositories like https://git.dotya.ml/dotya.ml/bind-configs

This issue is tracking the transfer to management via a package manager, like https://git.dotya.ml/kreyren/paludis-config/src/branch/dreamon-x86_64-bedrock-gnu/imgconf

^Example on paludis using a custom hook (hooks are injecting code in phases during package processing)

### Why?

All systems are vulnerable in relation to the human factor combined with monitoring of security issues to handle a stable runtime.

Thus transparency will by design highlight issues and will allow the end-users to submit merge requests to the package manager configuration, which should be cronned and the code adapted to run with sanitization.

wanderer added this to the General project 2020-11-01 16:10:43 +01:00
Owner

alright let's say this is the bind pacman hook at `/etc/pacman.d/hooks/ourbind.hook`
do you have in mind something specific to put on the `Exec` line?

```sh
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Path
Target = usr/bin/*
[Action]
Depends = bind
When = PostTransaction
Exec = ???
```
Author

That's not a hook.. It should be something that injects in the downstream processing.. namely it should:

  1. Copy configuration from e.g. `/etc/portage/savedconf/net-dns/bind/etc/named.conf` on system update
  2. Generate `rndc.key` in `/etc/bin/secret.rndc-key` or use the one from the secure directory and set sane permissions on it (confidential file).

But i guess pacman is too limited for this looking at https://github.com/archlinux/svntogit-packages/blob/packages/bind/trunk/PKGBUILD

this is more of a gentoo function so that the community can apply patches on demand.

So the next best thing would be a cron job i think.

Owner

> That's not a hook.. It should be something that injects in the downstream processing.. namely it should:
>
>   1. Copy configuration from e.g. `/etc/portage/savedconf/net-dns/bind/etc/named.conf` on system update
>   2. Generate `rndc.key` in `/etc/bin/secret.rndc-key` or use the one from the secure directory and set sane permissions on it (confidential file).
>
> But i guess pacman is too limited for this looking at https://github.com/archlinux/svntogit-packages/blob/packages/bind/trunk/PKGBUILD
>
> this is more of a gentoo function so that the community can apply patches on demand.

this above *is* a `pacman` hook..
you probably have something else in mind under "a package manager hook" than I..

where you're pointing would basically be our own fork of bind with our great public patches (PKGBUILDs)

> So the next best thing would be a cron job i think.

you surely meant `systemd` timer

Author

We were discussing this privately, sending this for the record:

> you probably have something else in mind under "a package manager hook" than I..

I want it to build from source so that it:

  1. allows injecting logic in individual phases of the build on demand
  2. Copies the bind configuration from the gitted package manager directory

This is done so that the service can be peer-reviewed and managed by the community, including service-specific patches.

---

In terms of the limited pacman hook, placing the bind directory in `/etc/pacman.d/savedconf/net-dns/bind/etc/bind/...` and using `cp -r` from that location to the live system should be enough

Optionally add logic to generate the rndc key and domain signing
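As an added example (not dotya.ml's code and not the script behind the hook in this thread), this is what a script on the hook's `Exec` line could do for the two steps discussed above: copy the tracked tree from the savedconf path over the live BIND config directory, and create `rndc.key` once with confidential permissions. The savedconf and live paths, the `named` group and the script name `dotya-bind-hook` are assumptions; on a host with BIND installed `rndc-confgen -a` would produce the key file, so the script writes the same file format itself only to stay runnable without it.

```sh
#!/bin/sh
# Hypothetical /usr/local/bin/dotya-bind-hook (added example, not dotya.ml's
# code). Intended to be the target of a pacman PostTransaction hook's Exec
# line. Paths and the group name are assumptions, overridable via environment.
set -eu

SAVEDCONF="${SAVEDCONF:-/etc/pacman.d/savedconf/net-dns/bind/etc/bind}"
LIVE="${LIVE:-/etc/bind}"
KEYFILE="${KEYFILE:-/etc/bind/rndc.key}"
KEY_GROUP="${KEY_GROUP:-named}"   # assumed group named(8) runs as

# Copy the git-tracked config tree over the live one, preserving modes.
# cp -R does not follow symlinks inside the tree, so a link planted in the
# tracked tree cannot make the hook read or clobber files elsewhere on the host.
sync_config() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "saved config $src missing" >&2; return 1; }
    mkdir -p "$dst"
    cp -R -p "$src"/. "$dst"/
}

# Permission string of a file, e.g. "-rw-r-----". ls(1) is used because
# stat(1) flags differ between GNU and BSD.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only when the file is 0640 or stricter: no group write bit and
# no read/write/execute bits for "other".
key_perms_ok() {
    case "$(mode_of "$1")" in
        ?????-?---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Extract the base64 secret from an rndc.key file.
key_secret() {
    sed -n 's/.*secret "\(.*\)";/\1/p' "$1"
}

# Create rndc.key only if it does not exist (a fresh secret would lock out
# every existing rndc client), then enforce root:<group> 0640 on it.
# The file layout is the one rndc-confgen -a writes: a 256-bit hmac-sha256 key.
ensure_rndc_key() {
    key="$1"; group="${2:-}"
    if [ ! -f "$key" ]; then
        mkdir -p "$(dirname "$key")"
        (
            umask 077   # subshell so the restrictive umask does not leak
            secret="$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
            printf 'key "rndc-key" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
                "$secret" > "$key"
        )
    fi
    if [ -n "$group" ]; then
        chgrp "$group" "$key"
    fi
    chmod 0640 "$key"
    key_perms_ok "$key"
}

main() {
    sync_config "$SAVEDCONF" "$LIVE"
    ensure_rndc_key "$KEYFILE" "$KEY_GROUP"
}

# Act only when invoked as `dotya-bind-hook run`, so sourcing the file for
# tests has no side effects on the live system.
case "${1:-}" in
    run) main ;;
esac
```

Two points worth keeping in mind when wiring this up: pacman requires an absolute path on the `Exec` line, and a trigger of `Type = Path` with `Target = usr/bin/*` fires for every package that touches `usr/bin`, whereas `Type = Package` with `Target = bind` scopes the hook to the bind package itself.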
Owner

@kreyren

> We were discussing this privately, sending this for the record:
>
>> you probably have something else in mind under "a package manager hook" than I..
>
> I want it to build from source so that it:
>
>   1. allows injecting logic in individual phases of the build on demand
>   2. Copies the bind configuration from the gitted package manager directory
>
> This is done so that the service can be peer-reviewed and managed by the community, including service-specific patches.
>
> ---
>
> In terms of the limited pacman hook, placing the bind directory in `/etc/pacman.d/savedconf/net-dns/bind/etc/bind/...` and using `cp -r` from that location to the live system should be enough
>
> Optionally add logic to generate the rndc key and domain signing

So git + drone + ansible

Author

my humble opinion would be that ansible sucks but if it works *shrug*
