My idea is this:
Debian has apt with public repos
Red Hat has rpm with public repos
Suse has yum with public repos
Gentoo has portage with public repos
OS X has MacPorts/Fink/Homebrew with public repos... but they don't
support DMG and PKG files or native OS X installers, they just
download binaries and dump them into an arbitrary directory like /opt/
local/bin...
Why not create a public Munki repository? There are tons of freely
available packages available for OS X, and not everyone wants to use
the App Store. That, and the App Store isn't scriptable, and not all
developers/vendors make their software available via the App Store. A
public Munki repo would give the end user a voice. In the App Store
infrastructure, if a developer doesn't submit their app or make it
through the approval process, their app will never end up in the App
Store. In a munki infrastructure, the developer doesn't even need to
get involved. If their software is something users want in the repo,
they can request it get added (or maybe even add it themselves down
the line). Because munki operates over port 80, no ports would need
to be forwarded on their internal networks to get access to such a
repo.
I'm willing to put in the work needed to get such a repo up and
running, but I'd like to hear your input. I would also need a web host
that would allow such traffic in/out of the server. Maybe EC2 is an
option, but I don't know much about it so there'd be a bit of a
learning curve. It would also cost money, so some sort of fund-
raising would most definitely be in order.
I brought this idea up to Greg, and he suggested I propose it to the
munki-dev list, so here I am. What are your thoughts on this idea?
Have you looked at Simian, the Google App Engine-based Munki solution
that myself and John Randolph developed and maintain?
http://code.google.com/p/simian/
Maybe fitting for such a use case.
- Justin
</plug>
On Thu, Dec 15, 2011 at 11:08 PM, michaeljsmalley
<michael...@gmail.com> wrote:
I could see that applications signed/secured with the Sparkle framework update method could be handled with less problem.
Rob.
there are still pre and post install scripts in pkginfos - for drag n drop dmgs even - that can run arbitrary code.
I still think (I got flamed down once about this) that a publicly
modifiable wiki or 'repo' for just the pkginfo information for each
version of the software - a bit like app-deploy.com
<http://app-deploy.com> or wpkg.org <http://wpkg.org> on the pc side of
things, and maybe the ability to include the steps necessary to
(re)package software for deploying by munki. I don't see the benefit to
re-hosting already freely available software.
In my short time working with Munki - I've yet to see anything that needs
drastic work doing to be made deployable..
Just my 2p on the matter. Feel free to ignore!
Andrew
On 16/12/2011 12:16, "Nate" <nate....@gmail.com> wrote:
>I think it would be best if people submitted pkginfos to be added to the
>existing munki repo. I'm not sure if Greg agrees, but I think it would
>be ideal if pkginfos were submitted and looked over before being posted.
>I don't like the idea of random pkginfos being posted by whoever without
>review. I think newer munki users might be more apt to just grab pkginfo
>bits and expect them to work. If they are reviewed before posting, there
>is a higher chance that the pkginfos will work for them as a template.
>
>Nate
I agree - possibly a group of people that could look over them or test
them out. Or even a 'untested' and 'tested' code section. Once someone
trustworthy checks it out and verifies it, move to the 'tested' section.
I know there are a few people who've posted up their own code on various
sites, but its always good to be able to come back to the origin of the
software :)
Andrew
><http://app-deploy.com> or wpkg.org <http://wpkg.org> <http://wpkg.org>
* There needs to be a group of maintainers who trust each other.
* They need to build a reputation with the community that is going to use
software delivered from their repository. This happens just by existing and
putting software in their repository that is not malicious.
* The software and pkginfos need to be signed by the repository maintainers.
They are the ones gauranteeing that they did not put anything malicious into
the package.
* People who use a repository should be careful to only use reputable ones on
sensitive systems.
However, I also think there should be some abstraction. The Munki client
probably shouldn't get manifests from 3rd party repositorys. I think that a
Munki server in an organization could point to catalogs on 3rd party servers.
Administrators would then make manifests referencing packages in the 3rd party
repos for their clients to access.
Jeff
I think it would be best if people submitted pkginfos to be added to the existing munki repo. I'm not sure if Greg agrees, but I think it would be ideal if pkginfos were submitted and looked over before being posted. I don't like the idea of random pkginfos being posted by whoever without review. I think newer munki users might be more apt to just grab pkginfo bits and expect them to work. If they are reviewed before posting, there is a higher chance that the pkginfos will work for them as a template.
What you want is a trust chain - I implemented this (most of the way) in the MunkiAppcast (Appcast == Sparkle) code I wrote a while back but haven't had time to work on recently. That code takes a Sparkle feed and and developer's signing key, downloads, verifies, then puts an installable packages in a Munki repo.
I'm wondering if the greater problem could be solved by having a repo of "fetch scripts" that work like a BSD style ports tree - an organized collection of scripts that download and prep specific packages. This would be much simpler/smaller than duplicating binaries in a common repository, gets around issues of re-hosting other people's software (which some vendors really don't like), and could handle commercial software as well via a "mount the DVD/image, run the script" method.
On a similar note, has anyone added the ability to cryptographically sign and verify manifests in munki?
- Zack
--
Zack Williams - Artisan Computer Services - 520.867.8701
z...@artisancomputer.com http://www.artisancomputer.com
Apple Certified System Administrator, Apple Consultants Network
Microsoft Certified Professional, Small Business Specialist
Sun Certified System Administrator
Linux Professional Institute LPIC-1
> On Dec 15, 2011, at 22:19 , Rob Middleton wrote:
>>
>> I could see that applications signed/secured with the Sparkle framework update method could be handled with less problem.
>
>
> What you want is a trust chain - I implemented this (most of the way) in the MunkiAppcast (Appcast == Sparkle) code I wrote a while back but haven't had time to work on recently. That code takes a Sparkle feed and and developer's signing key, downloads, verifies, then puts an installable packages in a Munki repo.
>
> I'm wondering if the greater problem could be solved by having a repo of "fetch scripts" that work like a BSD style ports tree - an organized collection of scripts that download and prep specific packages. This would be much simpler/smaller than duplicating binaries in a common repository, gets around issues of re-hosting other people's software (which some vendors really don't like), and could handle commercial software as well via a "mount the DVD/image, run the script" method.
MunkiServer from Simon Fraser University has methods for automatically retrieving updates using feeds as well.
>
> On a similar note, has anyone added the ability to cryptographically sign and verify manifests in munki?
Is that even needed if you use https on your Munki server? You are verifying the server at that point -- why would the manifests need to be verified further?
If the server is hacked, the hacker would be able to replace the
manifests and catalogs. If they were required to be signed by the
admin before the client would accept them, the admin would also have
to get hacked to own any of the machines managed by the server.
I'll have to take a look at that.
>> On a similar note, has anyone added the ability to cryptographically sign and verify manifests in munki?
>
> Is that even needed if you use https on your Munki server? You are verifying the server at that point -- why would the manifests need to be verified further?
I guess I was thinking of extending the trust chain to not rely only on SSL.
Does the Munki client verify the server's SSL cert against a certificate store that contains only the CA key that issued the server's cert, to avoid say a rouge CA problem? (I do admit this is somewhat farfetched)
On Dec 16, 2011, at 9:08 AM, Zack Williams wrote:
> On Dec 15, 2011, at 22:19 , Rob Middleton wrote:
>>
>> I could see that applications signed/secured with the Sparkle framework update method could be handled with less problem.
>
>
> What you want is a trust chain - I implemented this (most of the way) in the MunkiAppcast (Appcast == Sparkle) code I wrote a while back but haven't had time to work on recently. That code takes a Sparkle feed and and developer's signing key, downloads, verifies, then puts an installable packages in a Munki repo.
>
> I'm wondering if the greater problem could be solved by having a repo of "fetch scripts" that work like a BSD style ports tree - an organized collection of scripts that download and prep specific packages. This would be much simpler/smaller than duplicating binaries in a common repository, gets around issues of re-hosting other people's software (which some vendors really don't like), and could handle commercial software as well via a "mount the DVD/image, run the script" method.
MunkiServer from Simon Fraser University has methods for automatically retrieving updates using feeds as well.
On Dec 16, 2011, at 10:16 , Greg Neagle wrote:I'll have to take a look at that.
> MunkiServer from Simon Fraser University has methods for automatically retrieving updates using feeds as well.
I guess I was thinking of extending the trust chain to not rely only on SSL.
>> On a similar note, has anyone added the ability to cryptographically sign and verify manifests in munki?
>
> Is that even needed if you use https on your Munki server? You are verifying the server at that point -- why would the manifests need to be verified further?
Does the Munki client verify the server's SSL cert against a certificate store that contains only the CA key that issued the server's cert, to avoid say a rouge CA problem? (I do admit this is somewhat farfetched)
- Zack
--
Zack Williams - Artisan Computer Services - 520.867.8701
z...@artisancomputer.com http://www.artisancomputer.com
Apple Certified System Administrator, Apple Consultants Network
Microsoft Certified Professional, Small Business Specialist
Sun Certified System Administrator
Linux Professional Institute LPIC-1