On Thu, Nov 03, 2011 at 10:55:52PM +0100, enno+gentoo@××××××××××××××.de wrote:
> >> If it is (also) for the users, why is there no code for it in portage
> >> anymore [3]?
> > Hmm, I hadn't seen that removal, but it makes sense unless the entire
> > tree is developer-signed, which isn't likely to happen soon.
> I don't agree here. Of course the implementation shouldn't stop the user
> from installing an unsigned package at the moment. But it could give a
> warning instead and ask the user what to do.
> In this way developers are encouraged to sign their packages (to make
> the warning go away) and users get the ability to check the signatures
> that already exist.
> Key problem here is the Gentoo keyring (how to ensure it didn't get
> manipulated).
Distributing the keyring itself signed is how Debian does it IIRC.

> > There's a chicken & egg problem with most signing. You need to
> > communicate the valid keys out of band from the actual repo.
> > Maybe the layman data is a good place for that, but until such a
> > location is figured out, you have zero security gain (if the 'correct'
> > keys are only listed in a file in the repo, any attacker just replaces
> > that when he puts his other content in).
> Of course. But security is always worth thinking about.
> First step: What are the possibilities to check the signatures? FAIL.
> In my case some (most?) of the users of my overlay should know my GPG
> key already. The web of trust works here. The drawback for possible
> other users would be a false sense of security.
That's why I say the gpg key should be in the layman data.
Overlays team, do you think this is reasonable?

> > There was a prototype keyserver at one point as well, and I can generate
> > new keyrings if needed based on the LDAP data.
> This could be okay for a first creation. Later I would prefer something
> like Debian does:
> http://keyring.debian.org/replacing_keys.html
> That way you would decouple the LDAP and the keyring and trust only the
> data that is already in the keyring (somebody whose key is already in
> the keyring signing the request for a new key).
> See also: http://keyring.debian.org/
> Perhaps the prototype keyserver already did something like that.
The Debian model was discussed, and the main problem was finding enough
people to sign the keys near all of the devs, esp. if you require
meeting in person.

You need two factors to be able to change your GPG key on file anyway.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
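An added example, not part of this thread or of portage/layman, modelling the chicken-and-egg point above in Go: a key file shipped inside the repo gives no protection, because whoever replaces the repo content can replace the key file and signature with it, while a key pinned out of band (as proposed for the layman data) rejects the substitution. Ed25519 stands in for GPG, and all keys, content and function names are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Repo models a synced overlay: the tree content, the "trusted key" file the
// repo itself ships, and the detached signature over the content.
type Repo struct {
	Content []byte
	KeyFile ed25519.PublicKey
	Sig     []byte
}

// publish signs content and bundles the matching public key into the repo,
// which is exactly what anyone who controls the repo can do too.
func publish(priv ed25519.PrivateKey, content []byte) Repo {
	pub := priv.Public().(ed25519.PublicKey)
	return Repo{Content: content, KeyFile: pub, Sig: ed25519.Sign(priv, content)}
}

// verifyWithRepoKey trusts whatever key file came with the repo (no out-of-band step).
func verifyWithRepoKey(r Repo) bool {
	return ed25519.Verify(r.KeyFile, r.Content, r.Sig)
}

// verifyWithPinnedKey trusts only a key obtained out of band, e.g. from layman data.
func verifyWithPinnedKey(pinned ed25519.PublicKey, r Repo) bool {
	return ed25519.Verify(pinned, r.Content, r.Sig)
}

// Scenario publishes a genuine overlay and a replacement made with a second key,
// and reports which checks accept the replacement and whether the pinned check
// still accepts the genuine tree. All keys and content are constructed samples.
func Scenario() (repoKeyAcceptsFake, pinnedAcceptsFake, pinnedAcceptsGenuine bool) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // developer key, pinned out of band
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)    // key of whoever replaced the repo
	genuine := publish(devPriv, []byte("overlay tree as published by the developer (constructed)"))
	fake := publish(otherPriv, []byte("overlay tree with replaced content (constructed)"))
	return verifyWithRepoKey(fake), verifyWithPinnedKey(devPub, fake), verifyWithPinnedKey(devPub, genuine)
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("repo-shipped key accepts replaced tree: %v (zero security gain)\n", a)
	fmt.Printf("pinned key accepts replaced tree: %v, genuine tree: %v\n", b, c)
}
```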