| 1 |
On Mon, Jun 4, 2012 at 11:02 AM, Dirkjan Ochtman <djc@g.o> wrote: |
| 2 |
> If the tree was bad before you pushed, then it's not your fault the |
| 3 |
> tree is bad. You're only responsible for the commits you bring into |
| 4 |
> the tree, so if you're merging contributor's unsigned changesets, you |
| 5 |
> merge them with a signature of your own. |
| 6 |
|
| 7 |
Yup, but the fact that the tree is bad is still a problem, even if it |
| 8 |
isn't my fault. |
| 9 |
|
| 10 |
> If the hacker has unfettered access to the server where the repository |
| 11 |
> lives, we probably have bigger problems, as they can get whatever |
| 12 |
> rsynced to all our users. I guess we could have rsync process check |
| 13 |
> that the cset it's about to push out to mirrors is signed? |
| 14 |
|
| 15 |
So, the whole point of signing is that it lets you prove that the |
| 16 |
repository is uncompromised. If we're going to assume that the server |
| 17 |
is secure, then we don't need signatures - whatever is on the server |
| 18 |
is by definition correct. |
| 19 |
|
| 20 |
A robust security infrastructure is already spelled out in a GLEP |
| 21 |
(though that one is dated). Ideally it should be verifiable from end |
| 22 |
to end, so that when you run emerge if a package has been tampered |
| 23 |
with it will just refuse to install it. Since we don't distribute the |
| 24 |
whole git repository the git commits only get us part of the way |
| 25 |
there. However, if every step of the distribution assumes that the |
| 26 |
previous step could have been compromised that would be a good start. |
| 27 |
|
| 28 |
Again, we don't need to be there 100% to go live. However, I think |
| 29 |
that was the whole point of signing commits. If we aren't going to |
| 30 |
add any assurance at all with our signing practices, then there isn't |
| 31 |
much point in having them. |
| 32 |
|
| 33 |
Rich |
Archives