linux-wireless.vger.kernel.org archive mirror
* Re: [renamed] Debian crda?
@ 2009-03-25  7:09 Luis R. Rodriguez
       [not found] ` <e13a36b30903250039h55c8a01cg9dada9256bc8b1ae@mail.gmail.com>
  0 siblings, 1 reply; 15+ messages in thread
From: Luis R. Rodriguez @ 2009-03-25  7:09 UTC (permalink / raw)
  To: Kalle Valo; +Cc: linux-wireless, Kel Modderman, Kyle McMartin, Debian Devel

On Tue, Mar 24, 2009 at 11:44 PM, Kalle Valo <kalle.valo@iki.fi> wrote:
> "Luis R. Rodriguez" <mcgrof@gmail.com> writes:
>
>> As a lot of you know we have a new regulatory implementation for Linux
>> wireless now [1]. We have kept the old regulatory implementation
>> through a Kconfig option, CONFIG_WIRELESS_OLD_REGULATORY.
>> Distributions are slowly converging to start setting this to "N" -- as
>> of 2.6.28. Distributions are also now shipping wireless-regdb [2] and
>> CRDA [3].
>
> Just out of curiosity, what's happening with crda in debian? I still don't
> see them in debian unstable.
>
> I just found iw version 0.9.9-nogit in unstable, though. So things are
> going forward.

Last time I poked them it seemed it was not easy to figure out how to
deal with, if at all, the optional but recommended RSA signature stuff
[1] with the DFSG.

[1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature

  Luis

* Re: [renamed] Debian crda?
       [not found] ` <e13a36b30903250039h55c8a01cg9dada9256bc8b1ae@mail.gmail.com>
@ 2009-03-25  7:47   ` Luis R. Rodriguez
  2009-03-25  7:51     ` Luis R. Rodriguez
  2009-03-25 17:45   ` Kel Modderman
  1 sibling, 1 reply; 15+ messages in thread
From: Luis R. Rodriguez @ 2009-03-25  7:47 UTC (permalink / raw)
  To: Paul Wise; +Cc: Debian Devel, linux-wireless@vger.kernel.org

On Wed, Mar 25, 2009 at 12:39 AM, Paul Wise <pabs@debian.org> wrote:
> On Wed, Mar 25, 2009 at 4:09 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
>
>> Last time I poked them it seemed it was not easy to figure out how to
>> deal with, if at all, the optional but recommended RSA signature stuff
>> [1] with the DFSG.
>>
>> [1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature
>
> What is the perceived DFSG/RSA conflict? I can't detect any based on
> that section of the page.

Thanks Paul, then it's just a matter of packaging. There is a
debian-example/ directory with a cdbs example of how to package for
wireless-regdb and crda if anyone is up for it.

  Luis

* Re: [renamed] Debian crda?
  2009-03-25  7:47   ` Luis R. Rodriguez
@ 2009-03-25  7:51     ` Luis R. Rodriguez
  2009-03-25 11:34       ` Evgeni Golov
  2009-03-25 17:37       ` Kel Modderman
  0 siblings, 2 replies; 15+ messages in thread
From: Luis R. Rodriguez @ 2009-03-25  7:51 UTC (permalink / raw)
  To: Debian Devel, linux-wireless@vger.kernel.org; +Cc: Tim Gardner

On Wed, Mar 25, 2009 at 12:47 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> On Wed, Mar 25, 2009 at 12:39 AM, Paul Wise <pabs@debian.org> wrote:
>> On Wed, Mar 25, 2009 at 4:09 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
>>
>>> Last time I poked them it seemed it was not easy to figure out how to
>>> deal with, if at all, the optional but recommended RSA signature stuff
>>> [1] with the DFSG.
>>>
>>> [1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature
>>
>> What is the perceived DFSG/RSA conflict? I can't detect any based on
>> that section of the page.
>
> Thanks Paul, then it's just a matter of packaging. There is a
> debian-example/ directory with a cdbs example of how to package for
> wireless-regdb and crda if anyone is up for it.

And as it's probably best to coordinate with Ubuntu, they have a
wireless-crda package which combines both into one package. It's
shipping for Jaunty.

  Luis

* Re: [renamed] Debian crda?
  2009-03-25  7:51     ` Luis R. Rodriguez
@ 2009-03-25 11:34       ` Evgeni Golov
  2009-03-25 17:37       ` Kel Modderman
  1 sibling, 0 replies; 15+ messages in thread
From: Evgeni Golov @ 2009-03-25 11:34 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: Debian Devel,
	linux-wireless@vger.kernel.org,
	Tim Gardner



On Wed, 25 Mar 2009 00:51:41 -0700 Luis R. Rodriguez wrote:

> On Wed, Mar 25, 2009 at 12:47 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> > On Wed, Mar 25, 2009 at 12:39 AM, Paul Wise <pabs@debian.org> wrote:
> >> On Wed, Mar 25, 2009 at 4:09 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> >>
> >>> Last time I poked them it seemed it was not easy to figure out how to
> >>> deal with, if at all, the optional but recommended RSA signature stuff
> >>> [1] with the DFSG.
> >>>
> >>> [1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature
> >>
> >> What is the perceived DFSG/RSA conflict? I can't detect any based on
> >> that section of the page.
> >
> > Thanks Paul, then it's just a matter of packaging. There is a
> > debian-example/ directory with a cdbs example of how to package for
> > wireless-regdb and crda if anyone is up for it.
>
> And as it's probably best to coordinate with Ubuntu, they have a
> wireless-crda package which combines both into one package. It's
> shipping for Jaunty.

I'd be interested in CRDA, but:
- I don't like CDBS ;)
- I'm not a DD (yet, *waiting*), so I'd need a sponsor
- Prolly this should be done under the pkg-wpa umbrella

-- 
Bruce Schneier Fact Number 731:
Bruce Schneier knows at least 0x09f911029d74e35bd84156c5635688c0 other
ways to crack HD-DVD encryption.


* Re: [renamed] Debian crda?
  2009-03-25  7:51     ` Luis R. Rodriguez
  2009-03-25 11:34       ` Evgeni Golov
@ 2009-03-25 17:37       ` Kel Modderman
  2009-03-25 17:40         ` Johannes Berg
  2009-03-25 17:41         ` Luis R. Rodriguez
  1 sibling, 2 replies; 15+ messages in thread
From: Kel Modderman @ 2009-03-25 17:37 UTC (permalink / raw)
  To: debian-devel
  Cc: Luis R. Rodriguez, linux-wireless@vger.kernel.org, Tim Gardner

On Wednesday 25 March 2009 17:51:41 Luis R. Rodriguez wrote:
> On Wed, Mar 25, 2009 at 12:47 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> > On Wed, Mar 25, 2009 at 12:39 AM, Paul Wise <pabs@debian.org> wrote:
> >> On Wed, Mar 25, 2009 at 4:09 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> >>
> >>> Last time I poked them it seemed it was not easy to figure out how to
> >>> deal with, if at all, the optional but recommended RSA signature stuff
> >>> [1] with the DFSG.
> >>>
> >>> [1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature
> >>
> >> What is the perceived DFSG/RSA conflict? I can't detect any based on
> >> that section of the page.
> >
> > Thanks Paul, then it's just a matter of packaging. There is a
> > debian-example/ directory with a cdbs example of how to package for
> > wireless-regdb and crda if anyone is up for it.

The example packaging needs some love, I think. I don't see it as a great
reference to the eventual packaging material that would enter Debian.

>
> And as it's probably best to coordinate with Ubuntu, they have a
> wireless-crda package which combines both into one package. It's
> shipping for Jaunty.

And that's the only way to sanely package it (by combining the two pieces
upstream splits) as shown by Fedora also choosing that route.

Luis why can't CRDA and regd simply be released in the same tarball considering
they have such a strong relationship with each other due to the openssl stuff?

Thanks, Kel.

* Re: [renamed] Debian crda?
  2009-03-25 17:37       ` Kel Modderman
@ 2009-03-25 17:40         ` Johannes Berg
  2009-03-25 17:41         ` Luis R. Rodriguez
  1 sibling, 0 replies; 15+ messages in thread
From: Johannes Berg @ 2009-03-25 17:40 UTC (permalink / raw)
  To: Kel Modderman
  Cc: debian-devel, Luis R. Rodriguez, linux-wireless@vger.kernel.org,
	Tim Gardner

On Thu, 2009-03-26 at 03:37 +1000, Kel Modderman wrote:

> > And as it's probably best to coordinate with Ubuntu, they have a
> > wireless-crda package which combines both into one package. It's
> > shipping for Jaunty.
>
> And that's the only way to sanely package it (by combining the two pieces
> upstream splits) as shown by Fedora also choosing that route.
>
> Luis why can't CRDA and regd simply be released in the same tarball considering
> they have such a strong relationship with each other due to the openssl stuff?

I thought regdb was supposed to be a candidate for volatile.

johannes

* Re: [renamed] Debian crda?
  2009-03-25 17:37       ` Kel Modderman
  2009-03-25 17:40         ` Johannes Berg
@ 2009-03-25 17:41         ` Luis R. Rodriguez
  2009-03-25 18:42           ` Kel Modderman
  1 sibling, 1 reply; 15+ messages in thread
From: Luis R. Rodriguez @ 2009-03-25 17:41 UTC (permalink / raw)
  To: Kel Modderman; +Cc: debian-devel, linux-wireless@vger.kernel.org, Tim Gardner

On Wed, Mar 25, 2009 at 10:37 AM, Kel Modderman <kel@otaku42.de> wrote:
> On Wednesday 25 March 2009 17:51:41 Luis R. Rodriguez wrote:
>> On Wed, Mar 25, 2009 at 12:47 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
>> > On Wed, Mar 25, 2009 at 12:39 AM, Paul Wise <pabs@debian.org> wrote:
>> >> On Wed, Mar 25, 2009 at 4:09 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
>> >>
>> >>> Last time I poked them it seemed it was not easy to figure out how to
>> >>> deal with, if at all, the optional but recommended RSA signature stuff
>> >>> [1] with the DFSG.
>> >>>
>> >>> [1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature
>> >>
>> >> What is the perceived DFSG/RSA conflict? I can't detect any based on
>> >> that section of the page.
>> >
>> > Thanks Paul, then it's just a matter of packaging. There is a
>> > debian-example/ directory with a cdbs example of how to package for
>> > wireless-regdb and crda if anyone is up for it.
>
> The example packaging needs some love, I think. I don't see it as a great
> reference to the eventual packaging material that would enter Debian.
>
>>
>> And as it's probably best to coordinate with Ubuntu, they have a
>> wireless-crda package which combines both into one package. It's
>> shipping for Jaunty.
>
> And that's the only way to sanely package it (by combining the two pieces
> upstream splits) as shown by Fedora also choosing that route.

Well I actually disagree.

> Luis why can't CRDA and regd simply be released in the same tarball considering
> they have such a strong relationship with each other due to the openssl stuff?

Openssl stuff is optional and in fact not the lib chosen by default,
libgcrypt is the default though.

The point is that crda won't be updated regularly but the
wireless-regdb will be. No point in updating a binary when only the
file it reads is the one that changes.

  Luis

* Re: [renamed] Debian crda?
       [not found] ` <e13a36b30903250039h55c8a01cg9dada9256bc8b1ae@mail.gmail.com>
  2009-03-25  7:47   ` Luis R. Rodriguez
@ 2009-03-25 17:45   ` Kel Modderman
  2009-03-25 18:12     ` John W. Linville
  1 sibling, 1 reply; 15+ messages in thread
From: Kel Modderman @ 2009-03-25 17:45 UTC (permalink / raw)
  To: debian-devel; +Cc: linux-wireless@vger.kernel.org, Luis R. Rodriguez

On Wednesday 25 March 2009 17:39:03 Paul Wise wrote:
> On Wed, Mar 25, 2009 at 4:09 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> 
> > Last time I poked them it seemed it was not easy to figure out how to
> > deal with, if at all, the optional but recommended RSA signature stuff
> > [1] with the DFSG.
> >
> > [1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature
> 
> What is the perceived DFSG/RSA conflict? I can't detect any based on
> that section of the page.

Hi Paul,

By default the upstream wireless-regdb tarball contains and installs a
pre-built wireless regulatory information binary signed by John Linville's
openssl snakeoil. It is my understanding that in Debian we would prefer to
build the binary from its source code. That presents a problem because CRDA
expects to see John Linville's openssl stuff. One way to work around this
is to munge CRDA and regdb together, generate our own openssl stuff and build
CRDA and wireless-regdb at the same time. Another way to go is to do away with
the openssl stuff during build altogether, but Luis doesn't like that, and the
build systems need patching to support it last time I checked.

Thanks, Kel.

* Re: [renamed] Debian crda?
  2009-03-25 17:45   ` Kel Modderman
@ 2009-03-25 18:12     ` John W. Linville
  0 siblings, 0 replies; 15+ messages in thread
From: John W. Linville @ 2009-03-25 18:12 UTC (permalink / raw)
  To: Kel Modderman
  Cc: debian-devel, linux-wireless@vger.kernel.org, Luis R. Rodriguez

On Thu, Mar 26, 2009 at 03:45:30AM +1000, Kel Modderman wrote:
> On Wednesday 25 March 2009 17:39:03 Paul Wise wrote:
> > On Wed, Mar 25, 2009 at 4:09 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> > 
> > > Last time I poked them it seemed it was not easy to figure out how to
> > > deal with, if at all, the optional but recommended RSA signature stuff
> > > [1] with the DFSG.
> > >
> > > [1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature
> > 
> > What is the perceived DFSG/RSA conflict? I can't detect any based on
> > that section of the page.
>
> Hi Paul,
>
> By default the upstream wireless-regdb tarball contains and installs a
> pre-built wireless regulatory information binary signed by John Linville's
> openssl snakeoil. It is my understanding that in Debian we would prefer to
> build the binary from its source code. That presents a problem because CRDA
> expects to see John Linville's openssl stuff. One way to work around this
> is to munge CRDA and regdb together, generate our own openssl stuff and build
> CRDA and wireless-regdb at the same time. Another way to go is to do away with
> the openssl stuff during build altogether, but Luis doesn't like that, and the
> build systems need patching to support it last time I checked.

You could also patch-in support for your own signing key, provided
that would comply with whatever policies Debian has about signing keys.

Hth...

John
-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.

* Re: [renamed] Debian crda?
  2009-03-25 17:41         ` Luis R. Rodriguez
@ 2009-03-25 18:42           ` Kel Modderman
       [not found]             ` <e13a36b30903251203v7c53fb20g64bf61e4e433377@mail.gmail.com>
  0 siblings, 1 reply; 15+ messages in thread
From: Kel Modderman @ 2009-03-25 18:42 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: debian-devel, linux-wireless@vger.kernel.org, Tim Gardner

On Thursday 26 March 2009 03:41:30 Luis R. Rodriguez wrote:
> On Wed, Mar 25, 2009 at 10:37 AM, Kel Modderman <kel@otaku42.de> wrote:
> > On Wednesday 25 March 2009 17:51:41 Luis R. Rodriguez wrote:
> >> On Wed, Mar 25, 2009 at 12:47 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> >> > On Wed, Mar 25, 2009 at 12:39 AM, Paul Wise <pabs@debian.org> wrote:
> >> >> On Wed, Mar 25, 2009 at 4:09 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> >> >>
> >> >>> Last time I poked them it seemed it was not easy to figure out how to
> >> >>> deal with, if at all, the optional but recommended RSA signature stuff
> >> >>> [1] with the DFSG.
> >> >>>
> >> >>> [1] http://wireless.kernel.org/en/developers/Regulatory#RSADigitalSignature
> >> >>
> >> >> What is the perceived DFSG/RSA conflict? I can't detect any based on
> >> >> that section of the page.
> >> >
> >> > Thanks Paul, then it's just a matter of packaging. There is a
> >> > debian-example/ directory with a cdbs example of how to package for
> >> > wireless-regdb and crda if anyone is up for it.
> >
> > The example packaging needs some love, I think. I don't see it as a great
> > reference to the eventual packaging material that would enter Debian.
> >
> >>
> >> And as it's probably best to coordinate with Ubuntu, they have a
> >> wireless-crda package which combines both into one package. It's
> >> shipping for Jaunty.
> >
> > And that's the only way to sanely package it (by combining the two pieces
> > upstream splits) as shown by Fedora also choosing that route.
> 
> Well I actually disagree.

The DFSG seems to suggest that the source code to the regulatory database
should be modifiable and the derived work distributed under the same license.

For our possible, and responsible, modifications to take effect we need to
build the regulatory database from source, not install the prebuilt/presigned
one. The building of Debian packages is mostly done in anonymous build chroots
without access to personal cryptography information.

How can the CRDA and wireless-regdb binaries both be built from source
separately and share the same cryptographic information with these
restrictions? (only then would debian-volatile be an option for regdb afaiu)

Maybe the debian-kernel team should be contacted more directly, as it is
ultimately them who need to make a decision about
CONFIG_WIRELESS_OLD_REGULATORY ?

Thanks, Kel.

* Re: [renamed] Debian crda?
       [not found]             ` <e13a36b30903251203v7c53fb20g64bf61e4e433377@mail.gmail.com>
@ 2009-03-25 20:25               ` Luis R. Rodriguez
  2009-03-25 20:27                 ` Luis R. Rodriguez
       [not found]               ` <e13a36b30903252008i72caad77y32e31f625b7cb842@mail.gmail.com>
  1 sibling, 1 reply; 15+ messages in thread
From: Luis R. Rodriguez @ 2009-03-25 20:25 UTC (permalink / raw)
  To: debian-devel; +Cc: linux-wireless@vger.kernel.org

On Wed, Mar 25, 2009 at 12:03 PM, Paul Wise <pabs@debian.org> wrote:
> On Thu, Mar 26, 2009 at 3:42 AM, Kel Modderman <kel@otaku42.de> wrote:
>
>> The DFSG seems to suggest that the source code to the regulatory database
>> should be modifiable and the derived work distributed under the same license.
>
> It is my understanding that:
>
> Debian probably won't need to build the regdb from source most of the
> time so we can just ship the upstream regulatory.bin file most of the
> time.

Yes, that is the case.

The user who would modify these rules for example would be people
doing experiments, research, or maintaining their own db for some sort
of custom hardware with specifically licensed regulatory information.

> When we do, just adding a second public key to the CRDA pubkeys dir
> and using the corresponding private key (from outside the package)
> during the build process of wireless-regdb would be just fine.

Yes, this is the case.

> This
> would mean the maintainer of crda would also have to be the
> wireless-regdb maintainer.

Actually technically it could be a different person. I maintain crda
upstream and John maintains wireless-regdb upstream, for example. I
just need John's pubkey file which is non-binary. CRDA just reads the
regulatory.bin which wireless-regdb provides.

> I assume the wireless-regdb is
> architecture-independent so this would work because the buildds do not
> build such packages.

This is correct.

You do need a regulatory.bin installed first though so that if crda is
built with the RSA digital signature check part of its build process
is to ensure the signature checks out against the currently installed
regulatory.bin file on your system. But that's just because a sanity
check is part of the default target on the Makefile.

> It is possible for users to add more public keys to the CRDA pubkeys
> dir and build their own wireless-regdb using their own private key.

Affirmative.

  Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

* Re: [renamed] Debian crda?
  2009-03-25 20:25               ` Luis R. Rodriguez
@ 2009-03-25 20:27                 ` Luis R. Rodriguez
  0 siblings, 0 replies; 15+ messages in thread
From: Luis R. Rodriguez @ 2009-03-25 20:27 UTC (permalink / raw)
  To: debian-devel; +Cc: linux-wireless@vger.kernel.org

On Wed, Mar 25, 2009 at 1:25 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:

> Actually technically it could be a different person. I maintain crda
> upstream and John maintains wireless-regdb upstream, for example. I
> just need John's pubkey file which is non-binary. CRDA just reads the
> regulatory.bin which wireless-regdb provides.

Let me be a little bit more clear on this last sentence. By provides I
mean that John generated his pubkey using it and then e-mailed it to
me. I then just merged it as part of CRDA so that by default CRDA
trusts the regulatory.bin files he puts out.

  Luis

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [renamed] Debian crda?
       [not found]               ` <e13a36b30903252008i72caad77y32e31f625b7cb842@mail.gmail.com>
@ 2009-03-26  4:19                 ` Luis R. Rodriguez
  2009-03-26  4:59                   ` Paul Wise
  0 siblings, 1 reply; 15+ messages in thread
From: Luis R. Rodriguez @ 2009-03-26  4:19 UTC (permalink / raw)
  To: debian-devel, linux-wireless@vger.kernel.org

On Wed, Mar 25, 2009 at 8:08 PM, Paul Wise <pabs@debian.org> wrote:
> On Thu, Mar 26, 2009 at 4:03 AM, Paul Wise <pabs@debian.org> wrote:
>
>> When we do, just adding a second public key to the CRDA pubkeys dir
>> and using the corresponding private key (from outside the package)
>> during the build process of wireless-regdb would be just fine. This
>> would mean the maintainer of crda would also have to be the
>> wireless-regdb maintainer. I assume the wireless-regdb is
>> architecture-independent so this would work because the buildds do not
>> build such packages.
>
> Brainwave: no need to add a second public key to CRDA itself, the
> wireless-regdb could install the public key corresponding to the
> private key it was built with.

Can you elaborate on what you mean? Do you mean for wireless-regdb to
put the actual pubkey into the users' system somewhere? Otherwise not
sure what you mean.

>> It is possible for users to add more public keys to the CRDA pubkeys
>> dir and build their own wireless-regdb using their own private key.
>
> The above simplification makes this much easier.

Not sure what you mean, but the idea with the pubkeys directory when
building CRDA is it lets you add more keys to CRDA so it can use
regulatory.bin from multiple trusted parties. A small example is a
distribution can decide to use their own pubkey and also leave John's
in the pubkeys/ directory. This allows the user to then install and
actually use the distribution's release of wireless-regdb while also
enabling the users to upgrade to John's latest regulatory.bin
themselves whenever they feel like it either manually or using the
upstream package. Of course if the distribution keeps up with these
then there is no need for the user to be doing any of this.

  Luis

* Re: [renamed] Debian crda?
  2009-03-26  4:19                 ` Luis R. Rodriguez
@ 2009-03-26  4:59                   ` Paul Wise
  2009-03-27  4:00                     ` Luis R. Rodriguez
  0 siblings, 1 reply; 15+ messages in thread
From: Paul Wise @ 2009-03-26  4:59 UTC (permalink / raw)
  To: debian-devel, linux-wireless

On Thu, Mar 26, 2009 at 1:19 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:

>> Brainwave: no need to add a second public key to CRDA itself, the
>> wireless-regdb could install the public key corresponding to the
>> private key it was built with.
>
> Can you elaborate on what you mean? Do you mean for wireless-regdb to
> put the actual pubkey into the users' system somewhere? Otherwise not
> sure what you mean.

The crda package would contain the default upstream public key.

The wireless-regdb would ship the Debian maintainer's pubkey as
debian/pubkeys/debian.pem in the source package and
/lib/crda/pubkeys/debian.pub.pem (or similar) in the binary package.

Ubuntu would add their pubkey in a similar way.

When wireless-regdb is built, it would:

- check the sha1sum/sha256sum of db.txt (alternatively upstream could
  add a detached signature if possible to the tarball/git repo)
- if the db.txt is identical to the upstream one (or signed by
  upstream), ship the upstream regulatory.bin file
- if the db.txt has been modified:
  - if no private key is available, generate one automatically
  - rebuild the regulatory.bin file using the private key
  - create the corresponding public key and install it in the package as
    /lib/crda/pubkeys/custom.pub.pem when it is not the same public key as
    one of the ones in debian/pubkeys/*.pem (avoids shipping two copies of
    the Debian pubkey)

This scheme requires standard locations for the private key. I would
suggest either ~/.debian-wireless-regdb.priv.pem or
debian-wireless-regdb.priv.pem in the package build directory.

>>> It is possible for users to add more public keys to the CRDA pubkeys
>>> dir and build their own wireless-regdb using their own private key.
>>
>> The above simplification makes this much easier.
>
> Not sure what you mean, but the idea with the pubkeys directory

The above scheme would allow users who apt-get source wireless-regdb,
edit db.txt, debuild, debi to automatically trust their own key, as
well as trusting Debian's key and the upstream key.

I wonder if any of this would be even remotely acceptable to
regulatory authorities.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
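
The build-time decision and key handling proposed in the message above, as an added shell example; it is not code from the thread, from wireless-regdb or from Debian's packaging. The function names, the pinned digest file `debian/db.txt.sha256`, the result labels and the 2048-bit key size are assumptions, and rebuilding regulatory.bin itself is left to the package's existing build step.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: every function,
# the pinned digest file debian/db.txt.sha256, the result labels and the
# 2048-bit key size. The key and pubkey paths follow the message above.

# Hex SHA-256 of a file.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# True when db.txt matches the digest pinned for the upstream release.
db_is_upstream() {      # db_is_upstream DB_TXT DIGEST_FILE
    [ "$(file_sha256 "$1")" = "$(cut -d' ' -f1 "$2")" ]
}

# Print the first private key found in the two suggested locations.
find_privkey() {        # find_privkey SRC_DIR HOME_DIR
    for k in "$2/.debian-wireless-regdb.priv.pem" \
             "$1/debian-wireless-regdb.priv.pem"; do
        if [ -f "$k" ]; then printf '%s\n' "$k"; return 0; fi
    done
    return 1
}

# Print the key path, generating a key in the build directory if none exists.
ensure_privkey() {      # ensure_privkey SRC_DIR HOME_DIR
    if ! find_privkey "$1" "$2"; then
        newkey="$1/debian-wireless-regdb.priv.pem"
        # umask keeps the generated private key unreadable to other users.
        ( umask 077; openssl genrsa -out "$newkey" 2048 2>/dev/null ) || return 1
        printf '%s\n' "$newkey"
    fi
}

# Fingerprint a PEM public key by hashing its DER form, so that whitespace
# or line-wrapping differences between PEM files do not defeat the comparison.
pubkey_fpr() {          # pubkey_fpr PUBKEY_PEM
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Decide what the package build should do and stage the public key.
# Prints one of:
#   ship-upstream       db.txt untouched, ship the upstream regulatory.bin
#   rebuild-known-key   db.txt modified, signing key already in debian/pubkeys
#   rebuild-custom-key  db.txt modified, OUT_DIR/custom.pub.pem must be shipped
plan_build() {          # plan_build SRC_DIR HOME_DIR OUT_DIR
    src=$1; home=$2; out=$3
    if db_is_upstream "$src/db.txt" "$src/debian/db.txt.sha256"; then
        echo ship-upstream
        return 0
    fi
    key=$(ensure_privkey "$src" "$home") || return 1
    pub="$out/custom.pub.pem"
    openssl rsa -in "$key" -pubout -out "$pub" 2>/dev/null || return 1
    fpr=$(pubkey_fpr "$pub")
    for known in "$src"/debian/pubkeys/*.pem; do
        [ -f "$known" ] || continue
        if [ "$(pubkey_fpr "$known")" = "$fpr" ]; then
            rm -f "$pub"    # avoid shipping a second copy of a known key
            echo rebuild-known-key
            return 0
        fi
    done
    echo rebuild-custom-key
}

# Stand-alone use: plan.sh SRC_DIR HOME_DIR OUT_DIR
if [ "$#" -eq 3 ]; then plan_build "$@"; fi
```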

* Re: [renamed] Debian crda?
  2009-03-26  4:59                   ` Paul Wise
@ 2009-03-27  4:00                     ` Luis R. Rodriguez
  0 siblings, 0 replies; 15+ messages in thread
From: Luis R. Rodriguez @ 2009-03-27  4:00 UTC (permalink / raw)
  To: debian-devel, linux-wireless

On Wed, Mar 25, 2009 at 9:59 PM, Paul Wise <pabs@debian.org> wrote:
> On Thu, Mar 26, 2009 at 1:19 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
>
>>> Brainwave: no need to add a second public key to CRDA itself, the
>>> wireless-regdb could install the public key corresponding to the
>>> private key it was built with.
>>
>> Can you elaborate on what you mean? Do you mean for wireless-regdb to
>> put the actual pubkey into the users' system somewhere? Otherwise not
>> sure what you mean.
>
> The crda package would contain the default upstream public key.
>
> The wireless-regdb would ship the Debian maintainer's pubkey as
> debian/pubkeys/debian.pem in the source package and
> /lib/crda/pubkeys/debian.pub.pem (or similar) in the binary package.
>
> Ubuntu would add their pubkey in a similar way.
>
> When wireless-regdb is built, it would:
>
> check the sha1sum/sha256sum of db.txt (alternatively upstream could
> add a detached signature if possible to the tarball/git repo)
>
> if the db.txt is identical to the upstream one (or signed by
> upstream), ship the upstream regulatory.bin file
>
> if the db.txt has been modified:
>
> if no private key is available, generate one automatically
>
> rebuild the regulatory.bin file using the private key
>
> create the corresponding public key and install it in the package as
> /lib/crda/pubkeys/custom.pub.pem when it is not the same public key as
> one of the ones in debian/pubkeys/*.pem (avoids shipping two copies of
> the Debian pubkey)
>
> this scheme requires standard locations for the private key. I would
> suggest either ~/.debian-wireless-regdb.priv.pem or
> debian-wireless-regdb.priv.pem in the package build directory.
>
>>>> It is possible for users to add more public keys to the CRDA pubkeys
>>>> dir and build their own wireless-regdb using their own private key.
>>>
>>> The above simplification makes this much easier.
>>
>> Not sure what you mean, but the idea with the pubkeys directory
>
> The above scheme would allow users who apt-get source wireless-regdb,
> edit db.txt, debuild, debi to automatically trust their own key, as
> well as trusting Debian's key and the upstream key.
>
> I wonder if any of this would be even remotely acceptable to
> regulatory authorities.

Thanks for the ideas, will post patches for this.

  Luis