Add support for encrypted popcon submission.

9 years ago · 3ee4b320bf
7 changed files with 54 additions and 18 deletions
--- a/20
+++ b/20
@ -17,6 +17,12 @@ A) A computer 'vote' for a package if according to the data provided in the
   report, a program provided or depending on the package was used less than
   thirty days ago. This computation is performed by the popcon server.  

+Q) Can submissions be eavesdropped ?
+
+A) Yes, however if the package gnupg is installed and ENCRYPT is set to 'yes'
+   in /etc/popularity-contest.conf, the reports are encrypted using public key
+   cryptography, so the eavesdropper should not be able to decrypt them.
+
 Q) What are the privacy considerations for popularity-contest ?

 A) Each popularity-contest host is identified by a random 128bit uuid
@ -30,20 +36,16 @@ A) Each popularity-contest host is identified by a random 128bit uuid
   Every day, the server computes a summary and post it on
   <http://popcon.debian.org/all-popcon-results.txt.gz>. This summary
   is a merge of all the submissions and does not include uuids.
-   
+
   Known weaknesses of the system:
-   
-   1) Your submission might be eavesdropped. We evaluate the possibility
-   to use public-key cryptography to protect the submission while in
-   transit.
-   
-   2) Someone who knows that you are very likely to use a particular package
+
+   1) Someone who knows that you are very likely to use a particular package
   reported by only one person (e.g. you are the maintainer) might infer you
   are not at home when the package is not reported anymore. However this is
   only a problem if you are gone for more than two weeks if the computer is
   shut-down and 23 days if it is let idle.
-   
-   3) Unofficial and local packages are reported. This can be an issue
+
+   2) Unofficial and local packages are reported. This can be an issue
   due to 2) above, especially for custom-build kernel packages.
   We are evaluating how far we can alleviate this problem.
   
--- a/debian/changelog
+++ b/debian/changelog
@ -8,10 +8,19 @@ popularity-contest (1.58) UNRELEASED; urgency=low
  * popanal.py:
    - Record the VENDOR field.
    - Bump stable version to 1.56.
-  * debian/cron.daily:
-    - Encrypt submission with gnupg if available.
-  * debian/control:
-    - Recommends: gnupg so that encryption is enabled
+  * Add support for encrypted report: Closes: #480860
+    + debian-popcon.gpg:
+      - Added: public encryption key
+    + debian/cron.daily:
+      - Encrypt submission with gnupg if available
+    + debian/control:
+      - Recommends: gnupg so that encryption is enabled
+    + default.conf:
+      - Add setting ENCRYPT, KEYRING and POPCONKEY.
+        ENCRYPT default to 'no' for this release but will default to 'yes' in
+        subsequent release.
+    + examples/cgi-bin/popcon.cgi:
+      - Accept encrypted report.

 -- Bill Allombert <ballombe@debian.org>  Sun, 19 May 2013 21:31:39 +0200

--- a/debian/control
+++ b/debian/control
@ -11,7 +11,7 @@ Package: popularity-contest
 Architecture: all
 Pre-Depends: debconf (>= 1.5.34) | cdebconf (>= 0.106)
 Depends: ${misc:Depends}, ${perl:Depends}, dpkg (>= 1.10)
-Recommends: cron | fcron, exim4 | mail-transport-agent
+Recommends: gnupg, cron | fcron, exim4 | mail-transport-agent
 Suggests: anacron
 Provides: popcon
 Description: Vote for your favourite packages automatically
--- a/debian/cron.daily
+++ b/debian/cron.daily
@ -66,6 +66,16 @@ do_sendmail()

 run_popcon > $POPCON

+GPG=/usr/bin/gpg
+
+if [ "$ENCRYPT" = "yes" ] && [ -x "$GPG" ]; then
+  POPCONGPG="$POPCON.gpg"
+  rm -f "$POPCONGPG"
+  $GPG --no-default-keyring --keyring "$KEYRING" --trust-model=always \
+       --armor -o "$POPCONGPG" -r "$POPCONKEY" --encrypt "$POPCON"
+  POPCON="$POPCONGPG"
+fi
+
 SUBMITTED=no

 # try to post the report through http POST
--- a/debian/rules
+++ b/debian/rules
@ -29,6 +29,7 @@ install:
 	install popcon-upload debian/popularity-contest/usr/share/popularity-contest/
 	install popcon-largest-unused debian/popularity-contest/usr/sbin/
 	install -m 644 default.conf debian/popularity-contest/usr/share/popularity-contest/
+	install -m 644 debian-popcon.gpg debian/popularity-contest/usr/share/popularity-contest/

 # Build architecture-independent files here.
 binary-indep: build install
--- a/default.conf
+++ b/default.conf
@ -10,6 +10,21 @@
 #
 PARTICIPATE="no"

+# ENCRYPT can be one of "yes" or "no".
+# If "yes", reports are encrypted using public key cryptography.
+# This protects against eavesdroppers when the report is transmitted.
+# However reports can only be read by the popcon server.
+# This requires the package gnupg to be installed.
+#
+ENCRYPT="no"
+
+# KEYRING and POPCONKEY specify the key to use for encryption.
+# They should not be changed for propoer operation with 
+# popcon.debian.org.
+#
+KEYRING="/usr/share/popularity-contest/debian-popcon.gpg"
+POPCONKEY="6672B9765BDF38A3"
+
 # MAILTO specifies the address to e-mail statistics to each week.
 #
 MAILTO="survey@popcon.debian.org"
--- a/examples/cgi-bin/popcon.cgi
+++ b/examples/cgi-bin/popcon.cgi
@ -73,8 +73,9 @@ if (exists $ENV{CONTENT_TYPE} && $ENV{CONTENT_TYPE} =~ m%multipart/form-data%){
    @entry = <GZIP>;
 }

-my ($id) = $entry[0] =~ m/POPULARITY-CONTEST-0 .+ ID:(\S+) /;
-if ($id) {
+if ($entry[0] =~ m/POPULARITY-CONTEST-0/ 
+ || $entry[0] =~ m/-----BEGIN PGP MESSAGE-----/)
+{
    if ($directsave) {
 	open(POPCON, "|$bindir/prepop.pl") or die "Unable to pipe to prepop.pl";
 	print POPCON @entry;
@ -89,8 +90,6 @@ EOF
        print POPCON @entry;
 	close POPCON;
    }
-}
-if ($id) {
    print "Thanks for your submission to Debian Popularity-Contest!\n";
    print "DEBIAN POPCON HTTP-POST OK\n";
 } else {