From sgk@kolobov.com  Thu Dec 25 05:48:13 2003
Message-Id: <20031225134736.86816.qmail@kolobov.com>
Date: 25 Dec 2003 13:47:36 -0000
From: Sergei Kolobov <sergei@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] bsd.port.mk: automatically verify GnuPG signatures

>Number:         60558
>Category:       ports
>Synopsis:       [PATCH] bsd.port.mk: automatically verify GnuPG signatures
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    portmgr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 25 05:50:16 PST 2003
>Closed-Date:    Sat May 12 02:23:33 UTC 2012
>Last-Modified:  Sat May 12 02:23:33 UTC 2012
>Originator:     Sergei Kolobov <sergei@FreeBSD.org>
>Release:        FreeBSD 5.2-BETA i386
>Organization:
>Environment:
System: FreeBSD elf.chetwood.ru 5.2-BETA FreeBSD 5.2-BETA #0: Wed Dec 3 19:11:41 MSK 2003 sgk@elf.chetwood.ru:/usr/obj/usr/src/sys/ELF i386
>Description:
 Add hooks to automatically verify GnuPG signatures.
 
 Example usage:
 
 1. Simple (the most common) case, assuming all defaults:
 PORTNAME=	libgcrypt
 PORTVERSION=	1.1.43
 [...]
 USE_GPG=	yes
 [...]
 
 This adds libgcrypt-1.1.43.tar.gz.sig to the list of files to fetch,
 checks the MD5 checksum of the signature, and then verifies the GnuPG
 signature in the "checksum" target:
 
 sgk@elf% make checksum
 >> Checksum OK for libgcrypt-1.1.43.tar.gz.
 >> Checksum OK for libgcrypt-1.1.43.tar.gz.sig.
 ===> Verifying GnuPG signature for libgcrypt-1.1.43.tar.gz
 gpg: Signature made Thu Sep  4 14:48:49 2003 MSD using DSA key ID 57548DCD
 gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@gnu.org>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD
 sgk@elf% 
 
 The public key will be automatically fetched from a keyserver if not found in
 the user's keyring.
 
 NOTE: the patch does NOT add an automatic dependency on security/gnupg;
 rather, if no gpg is found, it displays a warning message saying
 that it could not verify signatures.
 
 2. Use alternate suffix for signatures:
 
 [...]
 USE_GPG=	yes
 SIG_SUFFIX=	.asc
 [...]
 
 3. Port has 2 distfiles, but only 1 has a signature.
 The solution: override either SIGNED_FILES or SIG_FILES:
 
 a. Overriding SIGNED_FILES:
 
 DISTFILES=	file1.tar.gz file2.tar.gz
 [...]
 USE_GPG=	yes
 SIGNED_FILES=	file1.tar.gz
 [...]
 
 b. Overriding SIG_FILES:
 
 DISTFILES=	file1.tar.gz file2.tar.gz
 [...]
 USE_GPG=	yes
 SIG_FILES=	file1.tar.gz.asc
 [...]
>How-To-Repeat:
>Fix:
--- gpg-sig.patch begins here ---
Index: bsd.port.mk
===================================================================
RCS file: /FreeBSD/cvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.474
diff -u -r1.474 bsd.port.mk
--- bsd.port.mk	24 Nov 2003 01:08:41 -0000	1.474
+++ bsd.port.mk	25 Dec 2003 13:24:28 -0000
@@ -305,6 +305,24 @@
 #				  CPPFLAGS and LDFLAGS in CONFIGURE_ENV.
 #				  Default: not set.
 ##
+# USE_GPG		- Says that the port has files with detached GnuPG
+# 				  signatures. Automatically adds files with SIG_SUFFIX
+# 				  to the list of files to be fetched.
+# 				  Signature verification is done in checksum target.
+# SIGNED_FILES	- List of files that are signed (have detached signatures)
+# 				  (default: ${DISTFILES})
+# SIG_FILES		- List of signature files. Unless overridden, include
+#				  all files from SIGNED_FILES, each with SIG_SUFFIX added.
+# SIG_SUFFIX	- Suffix of detached signature file name - e.g. .sig or .asc
+# 				  (default: ".sig")
+# GPG			- Set to path of GnuPG binary (default: ${LOCALBASE}/bin/gpg)
+# GPG_FLAGS		- Parameters to pass to GnuPG when verifying a signature
+# 				  (default: "--verify --keyserver ${KEYSERVER} \
+#				  --keyserver-options auto-key-retrieve")
+# KEYSERVER		- Host name of PGP/GPG keyserver to use for fetching
+# 				  public keys not found in your current keyring
+# 				  (default: pgp.mit.edu)
+##
 # USE_PERL5		- Says that the port uses perl5 for building and running.
 # USE_PERL5_BUILD	- Says that the port uses perl5 for building.
 # USE_PERL5_RUN		- Says that the port uses perl5 for running.
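Review bot: the knob names KEYSERVER and GPG in this comment block are generic enough to collide with settings a user may already have in make.conf or the environment; prefixing them (GPG_KEYSERVER) avoids silently picking up an unrelated value. The USE_GPG description should also say what the check establishes: with the documented default of `--keyserver-options auto-key-retrieve`, the key is fetched by key ID from the keyserver and gpg will print "Good signature" for any key that matches, so the target confirms the file matches the signature, not that the signer is the upstream author.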
@@ -1053,6 +1071,13 @@
 RUN_DEPENDS+=	${APXS}:${PORTSDIR}/${APACHE_PORT}
 .endif
 
+.if defined(USE_GPG)
+GPG?=		${LOCALBASE}/bin/gpg
+GPG_FLAGS?=	--verify --keyserver ${KEYSERVER} \
+			--keyserver-options auto-key-retrieve
+KEYSERVER?=	pgp.mit.edu
+.endif
+
 .if !defined(PERL_LEVEL) && defined(PERL_VERSION)
 perl_major=		${PERL_VERSION:C|^([1-9]+).*|\1|}
 _perl_minor=	00${PERL_VERSION:C|^([1-9]+)\.([0-9]+).*|\2|}
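Review bot: GPG_FLAGS?= carries `--verify` together with the keyserver options, so a user who overrides GPG_FLAGS in make.conf to turn off auto-key-retrieve drops `--verify` as well and gpg is invoked without a command; put `--verify` in the gpg invocation itself and keep GPG_FLAGS for options only. Nothing here sets a `--homedir` either, so keys retrieved while building are imported into the keyring of whoever runs make (root's, or the sudo caller's, now chowned), which is the keyring pollution Tilman describes later in this PR; a homedir under ${PORT_DBDIR} or ${WRKDIR} would keep the ports-fetched keys separate.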
@@ -2234,7 +2259,16 @@
 .endfor
 _G_TEMP=
 _G_TEMP_TEMP=
-ALLFILES?=	${_DISTFILES} ${_PATCHFILES}
+.if defined(USE_GPG)
+SIGNED_FILES?=	${_DISTFILES}
+SIG_SUFFIX?=	.sig
+.if !defined(SIG_FILES)
+.for __FILE in ${SIGNED_FILES}
+SIG_FILES+=	${__FILE}${SIG_SUFFIX}
+.endfor
+.endif
+.endif
+ALLFILES?=	${_DISTFILES} ${_PATCHFILES} ${SIG_FILES}
 
 #
 # Sort the master site list according to the patterns in MASTER_SORT
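Review bot: SIGNED_FILES defaults to ${_DISTFILES}, which (judging by the sed in the fetch loop that strips a trailing :group) is the group-stripped list, so the generated SIG_FILES carry no :group tag and signatures for a distfile fetched from a specific MASTER_SITES group are looked up on the default sites only; derive SIG_FILES from ${DISTFILES} so the tag is carried through, and strip it in the loop like the distfiles. Adding ${SIG_FILES} to ALLFILES also means `make checksum` will demand MD5 entries for every signature file, so each port that sets USE_GPG needs `make makesum` rerun and distinfo regenerated; the comment block should say so. Note that `ALLFILES?=` leaves a port that sets ALLFILES itself without the signature files.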
@@ -2812,7 +2846,7 @@
 	@${MKDIR} ${_DISTDIR}
 	@(cd ${_DISTDIR}; \
 	 ${_MASTER_SITES_ENV} ; \
-	 for _file in ${DISTFILES}; do \
+	 for _file in ${DISTFILES} ${SIG_FILES}; do \
 		file=`echo $$_file | ${SED} -E -e 's/:[^:]+$$//'` ; \
 		select=`echo $${_file#$${file}} | ${SED} -e 's/^://' -e 's/,/ /g'` ; \
 		force_fetch=false; \
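Review bot: adding ${SIG_FILES} to this loop makes a missing or renamed .sig file on the upstream site fail like a missing distfile, so a port whose upstream stops shipping signatures stops fetching altogether rather than falling back to the checksum-only path; decide whether a missing signature should be a hard error here or reported at checksum time, and document the choice next to USE_GPG.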
@@ -3905,6 +3939,16 @@
 			  exit 1; \
 		  fi); \
 	fi
+.if defined(USE_GPG)
+.if exists(${GPG})
+.for __SIG in ${SIG_FILES}
+	@${ECHO_MSG} "===> Verifying GnuPG signature for ${__SIG:S/${SIG_SUFFIX}//}"
+	@${GPG} ${GPG_FLAGS} ${DISTDIR}/${__SIG}
+.endfor
+.else
+	@${ECHO_MSG} "===> GnuPG not installed. Signature(s) cannot be verified"
+.endif
+.endif
 .endif
 
 ################################################################
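Review bot: `${GPG} ${GPG_FLAGS} ${DISTDIR}/${__SIG}` has two defects. It uses ${DISTDIR} while the fetch target writes into ${_DISTDIR}, so ports that set DIST_SUBDIR will look for the signature in the wrong directory; and it relies on gpg guessing the signed file's name by stripping the suffix, which only works for suffixes gpg knows (.sig, .asc, .sign), so an alternate SIG_SUFFIX breaks verification. Pass both files explicitly: `${GPG} ${GPG_FLAGS} ${_DISTDIR}/${__SIG} ${_DISTDIR}/${__SIG:S/${SIG_SUFFIX}//}`. Also note that a good signature from an auto-retrieved, untrusted key exits 0, so this step fails only on a bad signature or a key that could not be fetched; the "not certified with a trusted signature" warning in the sample output is the only hint to the user that nothing about the signer was established.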
--- gpg-sig.patch ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->portmgr 
Responsible-Changed-By: sergei 
Responsible-Changed-When: Thu Dec 25 06:18:14 PST 2003 
Responsible-Changed-Why:  
Over to portmgr@. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60558 

From: Tilman Linneweh <arved@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org, sergei@FreeBSD.org
Cc: arved@FreeBSD.org
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Sat, 17 Jan 2004 13:38:00 +0100

 Hello Sergei,
 
 I just got pointed to this PR. This is a cool feature I have wanted for 
 some time.
 
 As you have probably noticed, I have used similar hand-grown gpg sig 
 verifying stuff in some of my ports (irc/bitchx, security/libgcrypt, 
 security/libksba) for the last half year.
 
 My experience:
 - Some people complained that a keyring file in /root/.gnupg is created 
 during installing software.
 - Attention: if people use sudo to install ports, gnupg chowns the 
 user's keyring to root, which makes it unusable for the user calling 
 sudo.
 
 My point is that the keys fetched while installing from ports 
 shouldn't be stored in the default keyring.
 My solution was to store the keyring in WRKDIR, but a central place for 
 keys used to verify software may be okay too.
 
 regards
 tilman
 
State-Changed-From-To: open->feedback 
State-Changed-By: marcus 
State-Changed-When: Fri Jan 30 23:22:47 PST 2004 
State-Changed-Why:  
It looks like there may be some issues with this approach based on arved's 
comments.  Can you look into that, and update the patch if necessary?  Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60558 

From: Doug Barton <DougB@FreeBSD.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: ports/60558 [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Mon, 16 Feb 2004 12:38:25 -0800 (PST)

 I also like this idea, but I'm troubled by the automatic key retrieval.
 I think at minimum there should be a knob to turn it on or off. I like
 the idea of fetching keys into WRKSRC as well. I guess in an ideal
 world, you could check the user's default keyring first to see if the
 key exists, then fetch it unless they've set the "don't fetch
 automatically" knob.
 
 Doug
 
 -- 
 
     This .signature sanitized for your protection
 

From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: freebsd-gnats-submit@FreeBSD.org, sergei@FreeBSD.org
Cc:  
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG
 signatures
Date: Wed, 25 Feb 2004 15:30:58 +0100

 Some random thoughts:
 
 - it would be nice to fetch the signature only if it would be used
 
 - we may use other engines than GPG, so USE_PGP seems more appropriate
   (or USE_OPENPGP, since this is the name of the respective standard)
 
 - would it be better to add the distributors public key to distfile or
   something, optionally replacing the MD5SUM?
 
 I'm not exactly sure what additional security should be gained by just
 accepting any matching key from a keyserver, though. You need a trust
 anchor for that, probably the distributors key signed by a FreeBSD
 committer, a common pool of signatures or manual verification. Otherwise
 people will believe that they get increased security by verifying a pgp
 signature instead of just verifying a downloaded checksum.
 
 If on the other hand this patch is targeted at experienced users who have
 the public PGP keys of ports they update often in their keyring, there
 should be another way to detect this than just looking if gpg is installed.
 
 Generally I consider cryptographic integrity verification a good idea, and
 since there are a lot of distributions which are PGP signed by their
 author this is a step in the right direction.
 
 -Oliver

From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: freebsd-gnats-submit@FreeBSD.org, sergei@FreeBSD.org
Cc:  
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG
 signatures
Date: Sun, 29 Feb 2004 21:41:38 +0100

 Another way to enable PGP signature verification would be to assume
 that advanced users have verified the authors public key manually
 and added it to the keyring, so that you can use a variable like
 HAS_PGP_SIGNATURE and verify the PGP signature iff WANT_PGP_VERIFICATION
 is set. This would help committers to verify that updated distfiles are
 authentic, since they can't rely on a third party creating distinfo,
 and some sites only provide PGP signatures and no md5 checksums.
 
 

From: Lapo Luchini <lapo@lapo.it>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG
 signatures
Date: Thu, 18 Mar 2004 11:43:34 +0100

 
 I think keys should never be "dynamically fetched from keyservers",
 actually: distributing public key "via distfile or something" seems
 more security-savvy to me, as it relies on a system we already have to
 rely upon (our cvsup), and nothing external (they can be down, they
 can be compromised, and we don't have control over them).
 Of course each of these signing keys would be untrusted but, at least
 using "sudo", the user public keyring & trustdb could be used to
 validate that (in the hypothesis that if the user knows something about
 that key, he already did reflect that in their keyring/trustdb).
 
 As for GPG vs PGP, I think supporting both is not worth the hassle: the
 first is open source and they've got different trustdb issues, I think
 (well, I'm not even sure how PGP saves its trust, so I better be hush
 in this regard).
 
 Lapo Luchini
 

From: Sergei Kolobov <sergei@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org,
	Jason Harris <jharris@widomaker.com>
Cc: Jason Harris <jharris@widomaker.com>,
	Tilman Linneweh <arved@FreeBSD.org>,
	Oliver Eikemeier <eik@FreeBSD.org>, Doug Barton <DougB@FreeBSD.org>,
	Lapo Luchini <lapo@lapo.it>
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Thu, 19 Aug 2004 09:41:01 +0400

 On 2004-01-17 at 13:38 +0100, Tilman Linneweh wrote:
 > My experience:
 > - Some people complained that a keyring file in /root/.gnupg is created 
 > during installing software.
 > - Attention: if people use sudo to install ports, gnupg chowns the 
 > user's keyring to root, which makes it unusable for the user calling 
 > sudo.
 > 
 > My point is that the keys fetched while installing from ports 
 > shouldn't be stored in the default keyring.
 > My solution was to store the keyring in WRKDIR, but a central place for 
 > keys used to verify software may be okay too.
 
 I have updated the patch to address concerns voiced by arved and others.
 
 Summary of changes:
 - added overridable GPG_DIR knob that specifies a central location as GnuPG
   config dir *for ports infrastructure purposes* (defaults to ${PORT_DBDIR}/.gnupg),
   thus it leaves the user's own ~/.gnupg dir untouched;
   since GPG wants this dir mode 0700, it assumes signature verification
   is done under root. You can also just change ownership of that dir
   to allow a non-root account to check GPG sigs, too.
 - several options have been added to the resulting GPG command line
   that cannot be overridden:
   --batch: to prevent GPG from asking for user's input
   --no-options: to prevent reading gpg.conf from GPG_DIR - this creates
 		a consistent and reproducible environment;
 		GPG behavior should be completely controlled by ports
 		infrastructure;
   --no-secmem-warning: to get rid of a warning which is harmless in this case
 		(we only verify signatures, but are not *encrypting* anything)
   --no-permission-warning: to disable permission warning in situations when
 		owner of GPG_DIR is non-root, but you run 'make checksum'
 		as root
 - detached signatures are fetched only if USE_GPG is defined *AND* GPG binary
   actually exists (thanks, Oliver!)
 - changed default keyserver to subkeys.pgp.net
 - changed default SIG_SUFFIX to .asc - hi, Jason! ;)
 - changed comment for GPG_FLAGS knob - it can be overridden to completely disable
   automatic key fetching
 
 Some random ideas for discussion:
 - should we set up our own keyserver for this purpose?
 - perhaps we can store actual public key files somewhere in the ports tree?
   e.g. ${PORTSDIR}/Signatures or something similar
 - perhaps each individual port should set GPG_KEYID in its Makefile to
   prevent situations where you fetch the wrong key from the keyserver
 
 Sergei
 
 
 Index: bsd.port.mk
 ===================================================================
 RCS file: /FreeBSD/cvs/ports/Mk/bsd.port.mk,v
 retrieving revision 1.497
 diff -u -r1.497 bsd.port.mk
 --- bsd.port.mk	3 Aug 2004 19:03:58 -0000	1.497
 +++ bsd.port.mk	19 Aug 2004 05:23:32 -0000
 @@ -208,6 +208,28 @@
  # USE_ICONV		- Says that the port uses libiconv.
  # USE_GETTEXT		- Says that the port uses GNU gettext (libintl).
  ##
 +# USE_GPG		- Says that the port uses automatic GPG signature verification.
 +#				  Adds files in ${SIG_FILES} list to the list of files to be fetched.
 +#				  Signature verification is done in checksum target.
 +# GPG			- Set to path of GnuPG binary (default: ${LOCALBASE}/bin/gpg)
 +# GPG_DIR		- Set to path of directory where GnuPG public key ring is stored.
 +#				  (default: ${PORT_DBDIR}/.gnupg)
 +#				  If you want to allow GPG signature verification for non-root account,
 +#				  change ownership of this directory (it is created with mode 0700).
 +# GPG_FLAGS		- Parameters to pass to GnuPG when verifying a signature
 +#				  (default: "--keyserver ${KEYSERVER} \
 +#				  --keyserver-options auto-key-retrieve,honor-http-proxy")
 +#				  You can override this to disable automatic key fetching, for example.
 +# GPG_KEYSERVER	- Host name of PGP/GPG keyserver to use for fetching
 +#				  public keys not found in your current keyring
 +#				  (default: subkeys.pgp.net)
 +# SIGNED_FILES	- List of files that are signed (have detached signatures)
 +#				  (default: ${DISTFILES})
 +# SIG_FILES		- List of signature files. Unless overridden, include
 +#				  all files from SIGNED_FILES, each with SIG_SUFFIX added.
 +# SIG_SUFFIX	- Suffix of detached signature file name - e.g. .sig or .asc
 +#				  (default: ".asc")
 +##
  # USE_PERL5		- Says that the port uses perl5 in one or more of the extract,
  #                         patch, build, install or run phases.
  # USE_PERL5_BUILD	- Says that the port uses perl5 in one or more of the extract,
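Review bot: the GPG_FLAGS comment says the default can be overridden to disable automatic key fetching, but does not say what a user is then expected to do: with fetching off, gpg reports NO_PUBKEY on every machine that has not imported the upstream key into ${GPG_DIR}, and nothing documents how to populate that directory (something like `gpg --homedir ${GPG_DIR} --import <keyfile>`). Add that, and state that the ownership check in the checksum target only warns and does not stop the build.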
 @@ -1090,6 +1112,14 @@
  .endif
  .endif
  
 +.if defined(USE_GPG)
 +GPG?=			${LOCALBASE}/bin/gpg
 +GPG_DIR?=		${PORT_DBDIR}/.gnupg
 +GPG_FLAGS?=		--keyserver ${GPG_KEYSERVER} \
 +				--keyserver-options auto-key-retrieve,honor-http-proxy
 +GPG_KEYSERVER?=	subkeys.pgp.net
 +.endif
 +
  .if !defined(PERL_LEVEL) && defined(PERL_VERSION)
  perl_major=		${PERL_VERSION:C|^([1-9]+).*|\1|}
  _perl_minor=	00${PERL_VERSION:C|^([1-9]+)\.([0-9]+).*|\2|}
 @@ -2194,6 +2224,16 @@
  _G_TEMP=
  _G_TEMP_TEMP=
  ALLFILES?=	${_DISTFILES} ${_PATCHFILES}
 +.if defined(USE_GPG) && exists(${GPG})
 +SIGNED_FILES?=	${_DISTFILES}
 +SIG_SUFFIX?=	.asc
 +.if !defined(SIG_FILES)
 +.for __FILE in ${SIGNED_FILES}
 +SIG_FILES+=	${__FILE}${SIG_SUFFIX}
 +.endfor
 +.endif
 +ALLFILES+=	${SIG_FILES}
 +.endif
  
  #
  # Sort the master site list according to the patterns in MASTER_SORT
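Review bot: `.if defined(USE_GPG) && exists(${GPG})` makes the contents of ALLFILES, and hence what `make makesum` writes into distinfo and what `make checksum` demands, depend on whether gpg happens to be installed on the machine running make. A distinfo generated with gpg present lists the signature files and then fails "no checksum recorded" only on machines that also have gpg, while a distinfo generated without gpg never records them, so the signature files are never checksummed anywhere. Keep the file list independent of the tool: always add ${SIG_FILES} to ALLFILES when USE_GPG is set, and make only the verification step conditional on `exists(${GPG})`.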
 @@ -2877,7 +2917,7 @@
  	@${MKDIR} ${_DISTDIR}
  	@(cd ${_DISTDIR}; \
  	 ${_MASTER_SITES_ENV} ; \
 -	 for _file in ${DISTFILES}; do \
 +	 for _file in ${DISTFILES} ${SIG_FILES}; do \
  		file=`${ECHO_CMD} $$_file | ${SED} -E -e 's/:[^:]+$$//'` ; \
  		select=`${ECHO_CMD} $${_file#$${file}} | ${SED} -e 's/^://' -e 's/,/ /g'` ; \
  		force_fetch=false; \
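Review bot: the ${SIG_FILES} entries added to this loop are derived from ${_DISTFILES} and so carry no :group suffix; the sed that strips the group therefore leaves them unchanged and they are fetched from the default MASTER_SITES group even when the signed distfile names a specific group. Derive SIG_FILES from ${DISTFILES} so the group tag is carried through, or let the port list SIG_FILES with tags itself.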
 @@ -3846,7 +3886,7 @@
  	@${MKDIR} ${_DISTDIR}
  	@(cd ${_DISTDIR}; \
  	 ${_MASTER_SITES_ENV} ; \
 -	 for _file in ${DISTFILES}; do \
 +	 for _file in ${DISTFILES} ${SIG_FILES}; do \
  		file=`${ECHO_CMD} $$_file | ${SED} -E -e 's/:[^:]+$$//'` ; \
  		select=`${ECHO_CMD} $${_file#$${file}} | ${SED} -e 's/^://' -e 's/,/ /g'` ; \
  		if [ ! -f $$file -a ! -f `${BASENAME} $$file` ]; then \
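Review bot: this loop repeats the file list of the previous hunk by hand; since the two targets must always agree on which files are fetched, define the combined list once (for example a `_FETCHFILES= ${DISTFILES} ${SIG_FILES}` variable, name is a suggestion) and use it in both places so a later edit cannot desynchronise them.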
 @@ -4010,6 +4050,24 @@
  	elif [ -n "${_CKSUMFILES:M*}" ]; then \
  		${ECHO_MSG} ">> No checksum file (${MD5_FILE})."; \
  	fi
 +.if defined(USE_GPG)
 +.if !exists(${GPG})
 +	@${ECHO_MSG} "===> GPG not found - signature(s) cannot be verified"
 +.else
 +	@[ -e ${GPG_DIR} ] || ${MKDIR} -m 700 ${GPG_DIR} || \
 +		(${ECHO_MSG} "===> Cannot create GPG configuration directory ${GPG_DIR}"; exit 1)
 +	@[ ${UID} -eq 0 -o -O ${GPG_DIR} ] || \
 +		(${ECHO_MSG} "===> WARNING: Improper ownership of GPG configuration directory ${GPG_DIR}"; \
 +		${ECHO_MSG} "===>          GPG signature verification may fail"; \
 +		${ECHO_MSG} "===>          Change ownership or run this command as root")
 +.for __SIG in ${SIG_FILES}
 +	@${ECHO_MSG} "===> Verifying GPG signature for ${__SIG:S/${SIG_SUFFIX}//}"
 +	-@${GPG} --homedir ${PORT_DBDIR}/.gnupg --no-options --batch --verify \
 +		--no-secmem-warning --no-permission-warning ${GPG_FLAGS} \
 +		${DISTDIR}/${__SIG} ${DISTDIR}/${__SIG:S/${SIG_SUFFIX}//}
 +.endfor
 +.endif
 +.endif
  .endif
  
  ################################################################
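Review bot: two issues in the verify step. `--homedir ${PORT_DBDIR}/.gnupg` is hardcoded although GPG_DIR is now a documented knob and is what the `${MKDIR} -m 700` and the ownership test above use, so an overridden GPG_DIR creates one directory and verifies against another; use `--homedir ${GPG_DIR}`. And the `-@` prefix tells make to ignore gpg's exit status, so BADSIG and NO_PUBKEY no longer fail `make checksum`: the message scrolls by and the build continues, which makes the whole step advisory. If the intent is to tolerate a key that could not be fetched but not a bad signature, capture gpg's `--status-fd` output and fail only on BADSIG; otherwise drop the `-` and let a failed verification stop the target like a failed MD5 does.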

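As an added example (not part of the PR or of bsd.port.mk), the POSIX sh helper below shows how a checksum-style target could interpret gpg's `--status-fd` output instead of its exit code: it pins the signing key by fingerprint, which is the per-port GPG_KEYID idea raised above, and so keeps a "Good signature" from whatever key a keyserver returned for a key ID from being treated as authenticity. The gpg invocation in the header comment and the GPG_KEYFPR knob are assumptions; the status lines in the demo are constructed, with the fingerprint taken from the PR's sample gpg output.

```shell
#!/bin/sh
# Added example, not part of the PR or of bsd.port.mk: evaluate the
# machine-readable status lines gpg writes with --status-fd and decide
# whether a detached signature should be accepted, pinning the signing
# key by fingerprint so that "Good signature" from whatever key a
# keyserver returned for the key ID is not mistaken for authenticity.
#
# Assumed invocation from a checksum-style target (not on the page):
#   gpg --homedir "$GPG_DIR" --batch --status-fd 3 --verify \
#       distfile.asc distfile 3>"$status"
#   check_sig_status "$status" "$GPG_KEYFPR"
#
# Verdict printed on stdout, exit code returned:
#   GOOD              0  VALIDSIG by the pinned key (signing subkey or primary)
#   GOOD_KEY_EXPIRED  0  as above, but the key has expired since (EXPKEYSIG)
#   BADSIG            1  the signature does not match the file
#   NO_PUBKEY         2  key not in the keyring: nothing was verified
#   WRONG_KEY         3  valid signature, but not by the pinned key
#   REVOKED_KEY       4  valid signature by a key that has been revoked
#   UNVERIFIED        5  no usable status lines at all
check_sig_status() {
    status_file=$1
    # accept the fingerprint with or without the spaces gpg prints
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    bad=0 nokey=0 validsig=0 matched=0 expired=0 revoked=0

    while read -r tag keyword rest; do
        # every status line starts with the literal tag "[GNUPG:]"
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
        BADSIG)    bad=1 ;;
        NO_PUBKEY) nokey=1 ;;
        EXPKEYSIG) expired=1 ;;
        REVKEYSIG) revoked=1 ;;
        VALIDSIG)
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <rsv>
            #   <pubkey-algo> <hash-algo> <class> [<primary-key-fpr>]
            # The first field is the key that made the signature (possibly
            # a subkey); newer gpg appends the primary key fingerprint last.
            validsig=1
            first=${rest%% *}
            last=${rest##* }
            if [ "$first" = "$pinned" ]; then
                matched=1
            elif [ ${#last} -eq 40 ] && [ "$last" = "$pinned" ]; then
                matched=1
            fi
            ;;
        esac
    done < "$status_file"

    if [ $bad -eq 1 ]; then echo BADSIG; return 1; fi
    if [ $validsig -eq 0 ]; then
        if [ $nokey -eq 1 ]; then echo NO_PUBKEY; return 2; fi
        echo UNVERIFIED; return 5
    fi
    if [ $matched -eq 0 ]; then echo WRONG_KEY; return 3; fi
    if [ $revoked -eq 1 ]; then echo REVOKED_KEY; return 4; fi
    if [ $expired -eq 1 ]; then echo GOOD_KEY_EXPIRED; else echo GOOD; fi
    return 0
}

# Demo on constructed status lines. The fingerprint is the one shown in the
# PR's sample gpg output; the status lines and the second key are made up.
PINNED="6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD"
demo_good=$(mktemp) ; demo_wrong=$(mktemp)
cat >"$demo_good" <<'EOF'
[GNUPG:] GOODSIG 68B7AB8957548DCD Werner Koch (gnupg sig) <dd9jn@gnu.org>
[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2003-09-04 1062679729 0 3 0 17 2 00 6BD9050FD8FC941B43412DCC68B7AB8957548DCD
[GNUPG:] TRUST_UNDEFINED
EOF
cat >"$demo_wrong" <<'EOF'
[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Somebody Else (constructed) <nobody@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2004-01-01 1072915200 0 3 0 17 2 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[GNUPG:] TRUST_UNDEFINED
EOF
for f in "$demo_good" "$demo_wrong"; do
    rc=0
    verdict=$(check_sig_status "$f" "$PINNED") || rc=$?
    echo "$f: $verdict (exit $rc)"    # GOOD (exit 0), then WRONG_KEY (exit 3)
    rm -f "$f"
done
```

Because gpg exits 0 for any good signature, a target that wants to fail on WRONG_KEY but tolerate NO_PUBKEY has to look at these status lines rather than the exit code.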
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Sergei Kolobov <sergei@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org,
	Jason Harris <jharris@widomaker.com>,
	Tilman Linneweh <arved@FreeBSD.org>, Doug Barton <DougB@FreeBSD.org>,
	Lapo Luchini <lapo@lapo.it>
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Thu, 19 Aug 2004 09:26:58 +0200

 Sergei Kolobov wrote:
 
 > I have updated the patch to address concerns voiced by arved and others.
 
 Sergei, first i want to thank you for your continued effort to bring PGP 
 signature verification to FreeBSD.
 
 I had some thoughts about this issue, and hope I can summarize some of 
 them now.
 
 - GPG signatures are not more secure than message digests, since they 
 are used in verifying the signature. When a digest is broken, it is 
 highly likely that the signature can be broken too. In fact they are 
 less secure, since you have even more attack points. Note that it is 
 easy to trojan the ports collection when you don't trust the CVSup chain 
 (and effectively distinfo).
 
 Sidenote: I do not have to state in public what I think about the 
 cryptographic expertise of maintainers verifying message digests of 
 signatures, do I?
 
 Therefore it has to be evaluated where it makes sense to use GPG 
 signatures to verify distfiles. There are only three scenarios when the 
 message digest of a distfile is not known:
 
 - The distfile is rerolled
 
 - The distfile changes periodically
 
 - The ports maintainer has to generate the distinfo file
 
 In the first case the issue should be investigated by the maintainer, 
 and the second has no relevance for the FreeBSD ports tree. Therefore we 
 should concentrate on the third case.
 
 Another point supporting this is that GPG signature verification makes 
 only sense when you have a direct trust path to the developers. I expect 
 very few people to actually have this, and mostly these are maintainers 
 of the ports. Blindly importing unknown signatures will effectively 
 poison your keyring with potentially bad signatures.
 
 Which brings me to the point that PGP signature verification has to be 
 examined manually every time. I don't want to accept a samba binary 
 signed by an apache developer, or worse, some unknown sourceforge 
 project developer. I have to make sure that the signature is not only 
 valid, but belongs to the right persons. Which requires knowledge and 
 human intervention.
 
 The last issue is how to deal with the issue when only parts of the 
 distribution are signed, e.g. the main distfile, but not the patches.
 
 Therefore I suggest making PGP signature verification a maintainer-only 
 target (like makesum is), requiring manual confirmation of the 
 signatures and listing unsigned distfiles. This means that users should 
 not download the signatures of the distfiles when they do not use the 
 said target to verify them.
 
 Thanks again for your work on this issue
 -Oliver
 

From: Jason Harris <jharris@widomaker.com>
To: Sergei Kolobov <sergei@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org,
	Tilman Linneweh <arved@FreeBSD.org>,
	Oliver Eikemeier <eik@FreeBSD.org>, Doug Barton <DougB@FreeBSD.org>,
	Lapo Luchini <lapo@lapo.it>, Jason Harris <jharris@widomaker.com>
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Thu, 19 Aug 2004 12:37:48 -0400

 On Thu, Aug 19, 2004 at 09:41:01AM +0400, Sergei Kolobov wrote:
 
 >   --no-options: to prevent reading gpg.conf from GPG_DIR - this creates
 > 		a consistent and reproducible environment;
 > 		GPG behavior should be completely controlled by ports
 > 		infrastructure;
 
 What is the harm in letting options be set permanently by the owner
 of $GPG_DIR?
 
 > - detached signatures are fetched only if USE_GPG is defined *AND* GPG binary
 >   actually exists (thanks, Oliver!)
 
 Again, the signatures need to be available in distfile caches, just like
 the distfiles they sign, so their download should _NOT_ be conditional.
 
 > Some random ideas for discussion:
 
 > - perhaps each individual port should set GPG_KEYID in its Makefile to
 >   prevent situations where you fetch wrong key from the keyserver
 
 No.  The MD5 hash (in ./distinfo) of the detached signature makes sure
 the signature hasn't been substituted/trojaned.  If the distfile and
 detached signature match ./distinfo, downloading the wrong key will
 result in a failed PGP signature check.  KISS.
 
 -- 
 Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
 jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
           Got photons?   (TM), (C) 2004
 

From: Jason Harris <jharris@widomaker.com>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc: Sergei Kolobov <sergei@FreeBSD.org>,
	freebsd-gnats-submit@FreeBSD.org,
	Tilman Linneweh <arved@FreeBSD.org>, Doug Barton <DougB@FreeBSD.org>,
	Lapo Luchini <lapo@lapo.it>, Jason Harris <jharris@widomaker.com>
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Thu, 19 Aug 2004 14:07:30 -0400

 On Thu, Aug 19, 2004 at 09:26:58AM +0200, Oliver Eikemeier wrote:
 
 > I had some thoughts about this issue, and hope I can summarize some of
 > them now.
 
 These are not new...
 
 > - GPG signatures are not more secure than message digests, since they
 > are used in verifying the signature. When a digest is broken, it is
 > highly likely that the signature can be broken too. In fact they are
 > less secure, since you have even more attack points. Note that it is
 > easy to trojan the ports collection when you don't trust the CVSup chain
 > (and effectively distinfo).
 
 ...but unfortunately, they continue to be irrelevant.  Everybody knows we
 have to continue to trust the CVS/CVSup distribution system at this time.
 
 > Sidenote: I do not have to state in public what I think about the=20
 > cryptographic expertise of maintainers verifying message digests of=20
 > signatures, do I?
 
 No, which is precisely why each person installing a port should be given
 the opportunity to see the PGP signature check performed again.
 
 > Another point supporting this is that GPG signature verification makes
 > only sense when you have a direct trust path to the developers. I expect
 
 Incorrect.  When a valid, untrojaned distfile is PGP-signed, this begins
 to build trust in the key that signed it.
 
 > very few people to actually have this, and mostly these are maintainers
 > of the ports.
 
 If a port maintainer has "a direct trust path to the developers," you
 shouldn't be so untrusting of that maintainer's "cryptographic expertise."
 But, why blindly trust a maintainer's "cryptographic expertise" and trust
 path to a signing key, in addition to their skills in checking the distfiles
 for trojans, when you can check your own trust path to a signing key, do
 your own cryptographic check, and apply your own "cryptographic expertise"
 before installing a port?
 
 > Which brings me to the point that PGP signature verification has to be
 > examined manually every time. I don't want to accept a samba binary
 
 Then why are you arguing against doing PGP signature checks in the
 FreeBSD ports tree at all, and also arguing that they should be done
 by maintainers only?  This is precisely why the checks should be done
 as part of the "make checksum" process, so that every person, some with
 their own "direct trust path[s]" to a port's signing key(s), can make
 sure each PGP signature is trustworthy to their own satisfaction.
 (Don't forget, anyone who doesn't want to see the PGP signature checks
 performed can disable them.)
 
 > signed by an apache developer, or worse, some unknown sourceforge
 > project developer. I have to make sure that the signature is not only
 > valid, but belongs to the right persons. Which requires knowledge and
 > human intervention.
 
 This is first done by the maintainer, who must update the MD5 hash
 of each detached signature in ./distinfo and should check the
 signatures to make sure the same signing key made them all.  If
 a different signing key was used, the maintainer should summarize
 why the change is valid, just like with distfile rerolls.
 The FreeBSD ports committer should double-check the PGP signatures
 as part of the "make checksum" process.  If the committer has their
 own trust path to or other knowledge of the signing key(s), this
 supplements the maintainer's trust in the key(s).  Finally, anyone
 who installs the port with the PGP signature checks enabled will
 be able to double-check the maintainer's and committer's work.
 
 > The last issue is how to deal with the issue when only parts of the
 > distribution are signed, e.g. the main distfile, but not the patches.
 
 This is a non-issue.  All files must match the MD5 hashes in ./distinfo,
 must be approved by the maintainer, and must be allowed by the committer.
 PGP signatures, when available, _supplement_ the existing system.
 
 > Therefore I suggest making PGP signature verification a maintainer-only
 > target (like makesum is), requiring manual confirmation of the
 > signatures and listing unsigned distfiles. This means that users should
 > not download the signatures of the distfiles when they do not use the
 > said target to verify them.
 
 (Reiterating:  this is circular and self-contradictory; you're advocating
 trusting the maintainers whose "cryptographic expertise" you don't trust.)
 
 -- 
 Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
 jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
           Got photons?   (TM), (C) 2004
 

From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Jason Harris <jharris@widomaker.com>
Cc: Sergei Kolobov <sergei@FreeBSD.org>,
	freebsd-gnats-submit@FreeBSD.org,
	Tilman Linneweh <arved@FreeBSD.org>, Doug Barton <DougB@FreeBSD.org>,
	Lapo Luchini <lapo@lapo.it>
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Thu, 19 Aug 2004 21:04:49 +0200

 Jason,
 
 you failed to address the point of how verifying PGP signatures would improve 
 security for the average user. Maintainers could call `make 
 checksignature', and every user who is interested could do the same. I 
 think this kind of signature checking is useful, and provides a shortcut 
 for maintainers to verify the authenticity of the distfile. Yet it 
 requires human interaction, to verify that it is signed by a developer 
 of the project in question, and not of a developer of another, unrelated 
 project.
 
 The same is true for `building trust by continuance'. You have to 
 remember that this is the same key the previous version distfile has 
 been signed with, and verify this fact manually.
 
 So, while I like to see PGP signature checking of distfiles, it should 
 be restricted to be done on request. It is especially meaningless for a 
 port to fail to build just because the signing key has expired, and the 
 distfile has been re-signed (without changing its digest value).
 
 If you like, you can run `make checksignature' as often as you want, but 
 it makes no sense for the average user. FWIW, we could implement a 
 user-settable DO_PGPCHECK flag (that you can set in make.conf(5), but 
 not in a ports Makefile), that does the check on all distfiles possible. 
 Even then I would suggest to verify manually that the signature is done 
 by a developer of the project in question, and not some random developer 
 in your keyring.
 
 Btw, talking about cryptographic expertise, could you just summarize the 
 reasons for recording message digests for misc/less, especially 
 cryptographic ones?
 
 -Oliver
 

From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Jason Harris <jharris@widomaker.com>
Cc: Sergei Kolobov <sergei@FreeBSD.org>,
	freebsd-gnats-submit@FreeBSD.org,
	Tilman Linneweh <arved@FreeBSD.org>, Lapo Luchini <lapo@lapo.it>
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Thu, 19 Aug 2004 22:16:50 +0200

 Jason Harris wrote:
 
 > No.  The MD5 hash (in ./distinfo) of the detached signature makes sure
 > the signature hasn't been substituted/trojaned.
 
 What is a trojaned signature? And what is the problem of a substituted 
 signature (e.g. new vendor key when the old one has expired) when the 
 distfile has a correct message digest?
 
 -Oliver
 

From: Jason Harris <jharris@widomaker.com>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc: Sergei Kolobov <sergei@FreeBSD.org>,
	freebsd-gnats-submit@FreeBSD.org,
	Tilman Linneweh <arved@FreeBSD.org>, Lapo Luchini <lapo@lapo.it>,
	Jason Harris <jharris@widomaker.com>
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Thu, 19 Aug 2004 18:05:45 -0400

 On Thu, Aug 19, 2004 at 10:16:50PM +0200, Oliver Eikemeier wrote:
 > Jason Harris wrote:
 > 
 > >No.  The MD5 hash (in ./distinfo) of the detached signature makes sure
 > >the signature hasn't been substituted/trojaned.
 > 
 > What is a trojaned signature? And what is the problem of a substituted 
 > signature (e.g. new vendor key when the old one has expired) when the 
 > distfile has a correct message digest?
 
 A trojaned signature is a good signature on a trojaned tarball.
 By definition, it is made by a key the attacker controls.
 
 Signatures made by expired keys, as long as they were created
 (and known to exist) before the key expired can still be used.
 Signatures made after a key has expired, should a port maintainer wish
 to use them, should be confirmed with the keyholder and noted in the PR.
 (Expired (v4) keys are unexpired with new selfsigs, which should be sent
 to keyservers for maximum visibility.)
 
 Signatures with expiration times (subpacket 3) may be used by software
 authors to specify a shelf-life for their distfiles.  As long as
 time-limited signatures were created (and known to exist) by an unexpired
 key, they can still be used.
 
 If multiple signatures are available for a distfile, this can mean
 several things.  A newer signature by the same key that issued the
 "first" signature probably means the author lost the original signature.
 (This should be confirmed with the author, who should confirm they
 re-signed a trusted copy of the distfile.  If the original detached
 signature is available in a FreeBSD distfile cache, for example, a copy
 should be given to the author.)  If the signature is from my key on
 something I didn't (at least help) create:
 
   http://keyserver.kjsl.com/~jharris/distfiles/granulate-0.2.tar.gz.asc
 
 it is likely because I mirrored a distfile that the author didn't sign.
 (Others can do this too, so the maintainer must decide which, if any,
 PGP signature is more trustworthy, is worth checking, etc.)  If the
 signature is from a new key that the author claims to own, the
 maintainer should verify the new fingerprint out-of-band and note the
 disposition of the old (lost/expired/stolen/revoked/abandoned) key
 in the PR.
 
 -- 
 Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
 jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
           Got photons?   (TM), (C) 2004
 

From: Jason Harris <jharris@widomaker.com>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc: Sergei Kolobov <sergei@FreeBSD.org>,
	freebsd-gnats-submit@FreeBSD.org,
	Tilman Linneweh <arved@FreeBSD.org>, Doug Barton <DougB@FreeBSD.org>,
	Lapo Luchini <lapo@lapo.it>, Jason Harris <jharris@widomaker.com>
Subject: Re: ports/60558: [PATCH] bsd.port.mk: automatically verify GnuPG signatures
Date: Thu, 19 Aug 2004 19:21:45 -0400

 On Thu, Aug 19, 2004 at 09:04:49PM +0200, Oliver Eikemeier wrote:
 
 > So, while I like to see PGP signature checking of distfiles, it should
 > be restricted to be done on request. It is especially meaningless for a
 > port to fail to build just because the signing key has expired, and the
 > distfile has been re-signed (without changing its digest value).
 
 Remember, anyone who doesn't wish to do the checks can disable USE_GPG,
 should it be enabled by default.
 
 Also, Sergei's patch, combined with the design of GPG, keeps the signature
 checks limited to advisory status only.  (Only by parsing GPG's output can
 the fingerprint and expiration be checked programmatically.  Doing this,
 however, would overcomplicate the system.  It would also weaken it, IMO,
 by de-emphasizing the need to check for revoked keys and by substituting
 the recorded fingerprint for one's own Web of Trust checks.)
 
 > Even then I would suggest to verify manually that the signature is done
 > by a developer of the project in question, and not some random developer
 > in your keyring.
 
 If the key of a random developer in your keyring is stolen, does it
 really matter if it signs a trojaned copy of OpenSSL or of emacs?
 If you install a trojaned emacs as a binary package or disable USE_GPG
 and build it from a trojaned tarball, aren't you still trojaned?
 Checking PGP signatures _supplements_ the checks already done when
 a distfile is accepted into the FreeBSD ports system.  We are all
 still highly dependent on the work of the ports maintainers and
 committers, but by viewing the PGP signature checks as we build
 a port, we can use our own experience and Web of Trust to
 double-check (at least some of) their work.
 
 > Btw, talking about cryptographic expertise, could you just summarize the
 > reasons for recording message digests for misc/less, especially
 > cryptographic ones?
 
 The additional (SHA1, RMD160, and SHA256) hashes?  How timely you should
 ask:
 
   http://www.imc.org/ietf-openpgp/mail-archive/msg07009.html
 
 -- 
 Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
 jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
           Got photons?   (TM), (C) 2004
 

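 Jason's parenthetical above, that the fingerprint and expiration can only be
 checked programmatically by parsing GPG's output, is what the following Python
 shows; it is an added example, not Sergei's bsd.port.mk patch and not GnuPG
 code, and the status lines, fingerprints, key IDs and user IDs are constructed.

```python
# Added example (not Sergei's bsd.port.mk patch, not GnuPG code): parse the
# machine-readable lines of `gpg --status-fd 1 --verify dist.tgz.asc dist.tgz`
# so the signing key's fingerprint and expiry are checked programmatically
# against the fingerprint the port maintainer recorded.
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class SigResult:
    verdict: str  # ok | bad-signature | no-pubkey | key-revoked | key-expired | sig-expired | fingerprint-mismatch | no-signature
    signer: Optional[str] = None       # user ID gpg printed with GOODSIG/EXPKEYSIG/...
    fingerprint: Optional[str] = None  # key fingerprint reported by VALIDSIG
    sig_expires: int = 0               # VALIDSIG expire-timestamp; 0 = signature never expires

def check_status(status_lines: List[str], expected_fpr: str) -> SigResult:
    want = expected_fpr.replace(" ", "").upper()
    res = SigResult("no-signature")
    for raw in status_lines:
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue                   # ordinary gpg output, not a status line
        kw, args = parts[1], parts[2:]
        uid = " ".join(args[1:])
        if kw == "BADSIG":             # data or signature altered: stop immediately
            return SigResult("bad-signature", uid)
        if kw == "NO_PUBKEY":          # key not in the keyring: nothing can be verified
            return SigResult("no-pubkey", fingerprint=args[0])
        if kw == "REVKEYSIG":          # revoked key: the check the thread says not to de-emphasise
            return SigResult("key-revoked", uid)
        if kw in ("GOODSIG", "EXPKEYSIG", "EXPSIG"):
            # digest verified; the last two add a key or signature expiry (subpacket 3)
            res = SigResult({"GOODSIG": "ok", "EXPKEYSIG": "key-expired", "EXPSIG": "sig-expired"}[kw], uid)
        elif kw == "VALIDSIG":
            # args: fpr date timestamp expire-ts version reserved pubkey-algo
            # hash-algo sig-class [primary-key-fpr]; prefer the primary fingerprint
            res.fingerprint = (args[9] if len(args) > 9 else args[0]).upper()
            res.sig_expires = int(args[3])
    if res.verdict in ("ok", "key-expired", "sig-expired") and res.fingerprint != want:
        res.verdict = "fingerprint-mismatch"  # digest fine, but not signed by the recorded key
    return res
# Constructed sample runs; key IDs, fingerprints and user IDs are placeholders.
RECORDED_FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
OTHER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
AUTHOR = "4B2A4897D39DA0E3 Example Author <author@example.org>"
def validsig(fpr, expire_ts=0):
    return f"[GNUPG:] VALIDSIG {fpr} 2004-08-19 1092945600 {expire_ts} 3 0 17 2 00 {fpr}"
GOOD_RUN = ["[GNUPG:] GOODSIG " + AUTHOR, validsig(RECORDED_FPR), "[GNUPG:] TRUST_UNDEFINED"]
EXPIRED_KEY_RUN = ["[GNUPG:] KEYEXPIRED 1085000000", "[GNUPG:] EXPKEYSIG " + AUTHOR, validsig(RECORDED_FPR)]
# a good signature by some other key in the keyring: Jason's "trojaned signature" case
SUBSTITUTED_RUN = ["[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <else@example.org>", validsig(OTHER_FPR)]
```

 A make target could feed the real `--status-fd` stream to this and fail only
 on bad-signature or fingerprint-mismatch while treating expiries as advisory.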
State-Changed-From-To: feedback->suspended 
State-Changed-By: linimon 
State-Changed-When: Fri May 25 02:57:03 UTC 2007 
State-Changed-Why:  
In principle, this is a good idea, but in practice, it just moves the 
question of who-do-you-trust to a different place.  Let's suspend this 
waiting some better definition of the problem we're trying to solve here. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60558 
State-Changed-From-To: suspended->closed 
State-Changed-By: tabthorpe 
State-Changed-When: Sat May 12 02:23:31 UTC 2012 
State-Changed-Why:  
This request gives a false sense of security in the absence of a well 
established web of trust 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60558 
>Unformatted:
