Gentoo Archives: gentoo-dev

From: Duncan <1i5t5.duncan@×××.net>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: Manifest signing
Date: Thu, 29 Sep 2011 19:09:37
Message-Id: pan.2011.09.29.19.08.29@cox.net
In Reply to: Re: [gentoo-dev] Manifest signing by Fabian Groffen
Fabian Groffen posted on Thu, 29 Sep 2011 17:09:57 +0200 as excerpted:

> On 29-09-2011 11:02:17 -0400, Anthony G. Basile wrote:
>> The issue of Manifest signing came up in #gentoo-hardened channel ...
>> again. It's clearly a security issue and yet many manifests in the tree
>> are still not signed. Is there any chance that we can agree to reject
>> unsigned manifests? Possibly a question for the Council to adjudicate?
>
> Please refer to Mike's thread on this.
>
> http://archives.gentoo.org/gentoo-dev/msg_7210bc8a18140db8f18ff89245efacd5.xml

Every time this comes up, it gets a bunch of discussion, perhaps a few more people start signing (but with dev turnover, I really don't know if it gets better over time), and eventually the issue goes back to sleep.

I have a feeling something similar was happening for kernel.org security discussions. Let's not be them in this regard.

In that old thread, the only real issue other than "just doing it" that I saw raised was that of the two-stage commit thing. AFAIK in theory, that allows a rather nasty DoS attack, so it does need dealt with, tho a DoS worst-case is already better than the current worst-case.

Beyond that, IMO it's now at the "needs a proposal champion to clean it up and present it to the council" stage, at least at the "council declared priority" level for getting the requirements into repoman, the CVS server, and perhaps the PMs (I don't know what stage they're at, possibly all they need is a switch flipped?).

Talking about which, at the PM user level, is there a per-repo/overlay switch? If not, it should strongly be considered.

With a proposal champion and a council declared priority, hopefully within the year, "the switch" would be ready to be flipped, and a second council vote could be taken to flip it.

But, someone with the domain knowledge, both of GPG and of the PMs and commit process, needs to step up as the proposal champion and guide it thru. It seems to me we're "almost there", and this is what's needed now, for that final push.

In my book, that champion would stand up there along with WilliamH for being the guy that finally pushed OpenRC thru to stability (absolutely not without the help of others, of course, but it took someone to step up and actually be the champion that pushed it thru). That's not an insignificant thing to be able to put on one's CV, BTW, that you were the proposal champion that helped with the final push toward tree signing and thus general tree security for a community distro like Gentoo. =:^)

Meanwhile, seems to me that Google, et al. could well have sufficient interest in this, given Gentoo's status as upstream, to sponsor hardware, etc, if needed.

And I'm sure the Gentoo/PR folks would a WHOLE lot rather deal with an announcement that Gentoo's tree is now signed and that the PMs now reject unsigned by default, BEFORE having to deal with an announcement along the lines of kernel.org's recent ones, instead of AFTER. =:\

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

Replies

Subject Author
Re: [gentoo-dev] Re: Manifest signing "Robin H. Johnson" <robbat2@g.o>