ASDF-install is pretty security-aware, and I propose the CLAPPA site emulate it:

This might be enough to satisfy some, but this is going to be a web application which will allow basically anyone to upload stuff to it. Additional isolation is required against

Segv and I came up with having a mostly crippled and heavily firewalled Xen instance running to do the dangerous stuff for us. When it's done, wipe the image. The Xen instance will probably communicate with the outside world through a single TCP connection to the host system.

I'm wondering how to best teach an OS inside Xen to do something automatically; I suppose a Linux would have an init script that reads data from a file system image that was prepared as a loopback mount before starting the Xen instance.

Neat idea concerning gpg key checks

We just had a discussion on asdf-install and gpg keys on #lisp. There are problems (especially with older versions of asdf-install) with gpg keys that are not on the user's machine. asdf-install will error and refuse to do anything, as it can't verify the package; the user is left worrying, and has to look through all possible key servers to find the key with which a package was signed. One idea is to require registered users (who can upload packages) to provide a gpg key which they use to sign packages. When uploading a new release, it's required that the signing key match one in the database. Users who download a package will get a URL where they can download the signer's key to verify that they did get the package they wanted.

This is a simple keyserver implementation, and I wonder if we can simplify it so that users need only provide a key server URL and a key ID.
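One way the upload side could implement the "key must match one in the database" check described above, as an added example that is not asdf-install or Clappa code: run gpg against the site's own keyring with `--status-fd`, parse its status lines, and compare the full fingerprint (not the 16-digit key ID) against the uploader's registered key. The registry, the keyring path and the status lines below are constructed sample values.

```python
"""Verify that an uploaded package was signed by the uploader's registered key.
Added example for this page, not asdf-install or Clappa code: it parses the
machine-readable lines `gpg --status-fd` prints and matches full fingerprints."""
import re

# Hypothetical registry: uploader -> fingerprint of the key registered on
# signup (constructed sample values, not real keys).
REGISTERED_KEYS = {
    "asf": "0123456789ABCDEF0123456789ABCDEF01234567",
    "segv": "89ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

def gpg_verify_argv(keyring, signature, package):
    """Check `signature` over `package` against the site keyring only; status lines go to stdout."""
    return ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
            "--keyring", keyring, "--verify", signature, package]

def check_upload(uploader, status_output):
    """Return (ok, reason) for gpg status text from verifying `uploader`'s upload.
    Accept only a VALIDSIG whose primary-key fingerprint is registered to that uploader."""
    expected = REGISTERED_KEYS.get(uploader)
    if expected is None:
        return False, "uploader has no registered key"
    valid_fprs = []
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?", line)
        if not m:
            continue
        tag, fields = m.group(1), (m.group(2) or "").split()
        if tag in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"gpg reported {tag}"
        if tag == "NO_PUBKEY":
            return False, "signing key is not in the site keyring"
        if tag == "VALIDSIG":
            # fields[0] is the signing (sub)key fingerprint; fields[9], when present,
            # is the primary key fingerprint, so a registered key's signing subkey passes.
            primary = fields[9] if len(fields) > 9 else fields[0]
            valid_fprs.append(primary.upper())
    if not valid_fprs:
        return False, "no valid signature found"
    if expected.upper() not in valid_fprs:
        return False, "signature made by a key not registered to this uploader"
    return True, "signature matches registered key"

# Constructed status output, shaped like gpg's for a good signature by asf's key.
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 A. S. F. <asf@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-04-18 1176907094 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED"""
```

Matching on the fingerprint rather than the key ID matters because GOODSIG only shows the 64-bit key ID, which a different key can share.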

Clappa: AsdfAndSecurity (last edited 2007-04-18 14:38:14 by asf)