Infrastructure

Describes our repository infrastructure.

Design

The RPM repositories themselves are nothing fancy: all they require in order to be delivered is a basic HTTP server.

Our repositories are published as Cloudflare Pages and delivered via Cloudflare. This allows us to provide them at no cost, for the community as well as for our own use cases.

Signing key delivery

Our signing keys are delivered initially from Keybase, i.e. for the repository bootstrap procedure. This is by design. If the signing key and the repository are delivered by the same server (as is common practice among quite a few software vendors), then trust cannot be established, because the chain of custody may be broken: a compromised server could simply deliver a compromised signing key alongside a set of compromised packages signed with that same key. Essentially, all systems that use TOFU (no, not the fake cheese, but Trust On First Use) are subject to this limitation, as the supply chain can be attacked in this initial phase if not enough care is exercised.

While we deliver a keyring via our staker-repo package, the release itself is signed with a key initially delivered through Keybase. Furthermore, all of our RPM packages are also signed. Our repository configuration is set to check the signatures of both the repository metadata and the packages themselves.
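As an added example (not part of staker-repo or its tooling), the following Python audit checks a yum/dnf `.repo` file for the properties described above: package signature checking (`gpgcheck=1`), repository metadata signature checking (`repo_gpgcheck=1`), and a signing key that is not fetched from the same host that serves the packages. The repository names, URLs and the sample configuration are constructed for illustration.

```python
"""Audit a yum/dnf .repo file for the signature settings this page relies on.

Added example, not part of staker-repo. A missing gpgcheck/repo_gpgcheck
key is treated as "0", which is dnf's default for a repo section.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample: the first section mirrors the recommended settings,
# the second fetches its key from the same host that serves the packages.
SAMPLE_REPO = """
[example-good]
name=Example repo (hardened)
baseurl=https://packages.example.invalid/el9/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-weak]
name=Example repo (key from the same server)
baseurl=https://packages.example.invalid/el9/
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://packages.example.invalid/RPM-GPG-KEY-example
"""


def _hosts(urls: str) -> set:
    """Network hosts of a whitespace-separated URL list (file:// yields none)."""
    return {urlparse(u).netloc.lower() for u in urls.split()} - {""}


def audit_repo_config(text: str) -> dict:
    """Return {section: [finding, ...]} for every repo section in `text`."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        repo, issues = parser[section], []
        if repo.get("gpgcheck", "0").strip() != "1":
            issues.append("package signatures not checked (gpgcheck!=1)")
        if repo.get("repo_gpgcheck", "0").strip() != "1":
            issues.append("metadata signatures not checked (repo_gpgcheck!=1)")
        if _hosts(repo.get("gpgkey", "")) & _hosts(repo.get("baseurl", "")):
            issues.append("gpgkey served from the same host as baseurl")
        findings[section] = issues
    return findings
```

Point `audit_repo_config` at the contents of a file under `/etc/yum.repos.d/` to review a live configuration; an empty finding list means all three properties hold.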