Gentoo Archives: gentoo-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
Date: Mon, 28 Mar 2011 00:06:06
Message-Id: robbat2-20110327T234459-240632455Z@orbis-terrarum.net
In Reply to: Re: [gentoo-dev] Re: rejecting unsigned commits by "Andreas K. Huettel"
On Sat, Mar 26, 2011 at 10:12:10AM +0100, Andreas K. Huettel wrote:
> 3) Rely on an existing key list somewhere distributed in portage; the list
...
> Cons: Mainly that the key id is a pretty short hash afaik. (Any better-informed
> people around?)
You can use the long-format key IDs if you want.
0xB27B944E34884E85 is my long-form key.

> Am I missing something?
In my tree-signing GLEPs, I explicitly pointed out that the developer
signing of content only had real value for the developer->CVS
part of the chain. Specifically, that while building the rsync tree for
distribution, we can verify that the content we are preparing was indeed
from a developer.

Please re-read GLEP57.

Everything in this thread has been attempting to apply solutions to 'Process
#1' (developer->infrastructure) to provide direct security for the end
user after 'Process #2' (infrastructure->mirrors->users).

What can we be certain of?
1. Developers should be signing manifests.
2. Infrastructure should be verifying those commits before pushing out
to rsync.
3. Regardless of their choice of rsync or websync, users need to be able
to verify that the tree that left Infrastructure was not modified in
transit.

I see so many bad ideas mentioned in this thread. The suggestions to
keep a gpg-agent with a very long passphrase TTL just provide a massive
new security hole:
===
Attacker breaks into developer's system, has access to SSH agent and GPG
agent thanks to software like keychain, now can commit as that
developer.
===
Is this the easiest attack? No, certainly not; looking at mirrors,
potentially running a deliberate, selectively malicious mirror would be
much easier.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
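The exchange above turns on two points: short key IDs are a "pretty short hash", and the reply is to use long-format key IDs instead. The following is an added example (not code from the thread, GLEP57 or Gentoo infrastructure) that shows why. An OpenPGP v4 key ID is just the low-order bytes of the 160-bit fingerprint: the short ID is the last 32 bits and the long ID the last 64 bits. A signer allowlist keyed on short IDs therefore accepts any key whose fingerprint happens to end in the same 8 hex digits, which is cheap to produce. The fingerprint used is the one in the signature above; the "attacker" fingerprint and the `gpg --with-colons` listing are constructed for the example, and the allowlist-loading and `signer_is_trusted` helpers are hypothetical, not Portage's own.

```python
"""Allowlist checks keyed on short key ID, long key ID, or full fingerprint.

OpenPGP v4: fingerprint = 160-bit SHA-1; long key ID = low 64 bits;
short key ID = low 32 bits. The weaker the identifier, the easier it is
for an unrelated key to match an allowlist entry.
"""

# Fingerprint from the signature in the mail above (real).
ROBIN_FPR = "11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85"

# Constructed for this example: a different key whose fingerprint ends in
# the same 8 hex digits (same short ID), but differs everywhere else.
ATTACKER_FPR = "DEADBEEF" * 4 + "34884E85"

# Constructed for this example: what `gpg --list-keys --with-colons` emits
# for a key list. In 'fpr' records the fingerprint is the 10th colon field.
CONSTRUCTED_COLONS_LISTING = """\
tru::1:1301270000:0:3:1:5
pub:u:4096:1:B27B944E34884E85:1200000000:::u:::scESC:
fpr:::::::::11ACBA4F4778E3F6E4EDF38EB27B944E34884E85:
uid:u::::1200000000::0000000000000000000000000000000000000000::Robin H. Johnson <robbat2@gentoo.org>:
"""


def normalize_fingerprint(fpr: str) -> str:
    """Strip spaces/0x prefix and upper-case; reject anything that is not 40 hex digits."""
    h = fpr.replace(" ", "").upper()
    if h.startswith("0X"):
        h = h[2:]
    if len(h) != 40 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return h


def key_ids_from_fingerprint(fpr: str) -> tuple[str, str]:
    """Return (short_id, long_id): the low 32 and low 64 bits of the fingerprint."""
    h = normalize_fingerprint(fpr)
    return h[-8:], h[-16:]


def load_allowlist_from_colons(listing: str) -> set[str]:
    """Collect fingerprints from 'fpr' records of `gpg --with-colons` output."""
    allow = set()
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            allow.add(normalize_fingerprint(fields[9]))
    return allow


def signer_is_trusted(signer_fpr: str, allowlist: set[str], mode: str) -> bool:
    """Decide whether a signature's key is on the allowlist.

    mode='short' compares 32-bit short IDs (the 'pretty short hash' concern),
    mode='long'  compares 64-bit long IDs (the reply's suggestion),
    mode='fpr'   compares full 160-bit fingerprints (strongest).
    """
    signer = normalize_fingerprint(signer_fpr)
    if mode == "fpr":
        return signer in allowlist
    idx = {"short": 8, "long": 16}[mode]
    return any(signer[-idx:] == trusted[-idx:] for trusted in allowlist)


def demo() -> dict[str, bool]:
    """Run the three policies against the legitimate and the colliding key."""
    allow = load_allowlist_from_colons(CONSTRUCTED_COLONS_LISTING)
    return {
        "robin_short": signer_is_trusted(ROBIN_FPR, allow, "short"),
        "attacker_short": signer_is_trusted(ATTACKER_FPR, allow, "short"),
        "attacker_long": signer_is_trusted(ATTACKER_FPR, allow, "long"),
        "attacker_fpr": signer_is_trusted(ATTACKER_FPR, allow, "fpr"),
    }


if __name__ == "__main__":
    print(key_ids_from_fingerprint(ROBIN_FPR))
    for name, ok in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'}")
```

Even the long ID is only a 64-bit truncation; an allowlist that is going to be distributed in the tree should carry full fingerprints (as GnuPG's own `fpr` records do) and compare on those, which is the `mode="fpr"` branch above.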

Replies

Subject Author
Re: [gentoo-dev] Re: rejecting unsigned commits "Paweł Hajdan