Fabian Groffen posted on Thu, 29 Sep 2011 17:09:57 +0200 as excerpted:
> On 29-09-2011 11:02:17 -0400, Anthony G. Basile wrote:
>> The issue of Manifest signing came up in #gentoo-hardened channel ...
>> again. It's clearly a security issue and yet many manifests in the tree
>> are still not signed. Is there any chance that we can agree to reject
>> unsigned manifests? Possibly a question for the Council to adjudicate?
> Please refer to Mike's thread on this.

Every time this comes up, it gets a bunch of discussion, perhaps a few
more people start signing (but with dev turnover, I really don't know if
it gets better over time), and eventually the issue goes back to sleep.
I have a feeling something similar was happening for kernel.org security
discussions. Let's not be them in this regard.

In that old thread, the only real issue other than "just doing it" that I
saw raised was that of the two-stage commit thing. AFAIK in theory, that
allows a rather nasty DoS attack, so it does need dealt with, tho a DoS
worst-case is already better than the current worst-case.

Beyond that, IMO it's now at the "needs a proposal champion to clean it
up and present it to the council" stage, at least at the "council
declared priority" level for getting the requirements into repoman, the
CVS server, and perhaps the PMs (I don't know what stage they're at,
possibly all they need is a switch flipped?).

Talking about which, at the PM user level, is there a per-repo/overlay
switch? If not, it should strongly be considered.

With a proposal champion and a council declared priority, hopefully
within the year, "the switch" would be ready to be flipped, and a second
council vote could be taken to flip it.

But, someone with the domain knowledge, both of GPG and of the PMs and
commit process, needs to step up as the proposal champion and guide it
thru. It seems to me we're "almost there", and this is what's needed
now, for that final push.

In my book, that champion would stand up there along with WilliamH for
being the guy that finally pushed OpenRC thru to stability (absolutely
not without the help of others, of course, but it took someone to step up
and actually be the champion that pushed it thru). That's not an
insignificant thing to be able to put on one's CV, BTW, that you were the
proposal champion that helped with the final push toward tree signing and
thus general tree security for a community distro like Gentoo. =:^)

Meanwhile, seems to me that Google, et al. could well have sufficient
interest in this, given Gentoo's status as upstream, to sponsor hardware,
etc, if needed.

And I'm sure the Gentoo/PR folks would a WHOLE lot rather deal with an
announcement that Gentoo's tree is now signed and that the PMs now reject
unsigned by default, BEFORE having to deal with an announcement along the
lines of kernel.org's recent ones, instead of AFTER. =:\

Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman