1 |
On Mon, Jun 4, 2012 at 11:02 AM, Dirkjan Ochtman <djc@g.o> wrote: |
2 |
> If the tree was bad before you pushed, then it's not your fault the |
3 |
> tree is bad. You're only responsible for the commits you bring into |
4 |
> the tree, so if you're merging contributor's unsigned changesets, you |
5 |
> merge them with a signature of your own. |
6 |
|
7 |
Yup, but the fact that the tree is bad is still a problem, even if it |
8 |
isn't my fault. |
9 |
|
10 |
> If the hacker has unfettered access to the server where the repository |
11 |
> lives, we probably have bigger problems, as they can get whatever |
12 |
> rsynced to all our users. I guess we could have rsync process check |
13 |
> that the cset it's about to push out to mirrors is signed? |
14 |
|
15 |
So, the whole point of signing is that it lets you prove that the |
16 |
repository is uncompromised. If we're going to assume that the server |
17 |
is secure, then we don't need signatures - whatever is on the server |
18 |
is by definition correct. |
19 |
|
20 |
A robust security infrastructure is already spelled out in a GLEP |
21 |
(though that one is dated). Ideally it should be verifiable from end |
22 |
to end, so that when you run emerge if a package has been tampered |
23 |
with it will just refuse to install it. Since we don't distribute the |
24 |
whole git repository the git commits only get us part of the way |
25 |
there. However, if every step of the distribution assumes that the |
26 |
previous step could have been compromised that would be a good start. |
27 |
|
28 |
Again, we don't need to be there 100% to go live. However, I think |
29 |
that was the whole point of signing commits. If we aren't going to |
30 |
add any assurance at all with our signing practices, then there isn't |
31 |
much point in having them. |
32 |
|
33 |
Rich |