| 1 |
On Wednesday 24 March 2004 14:52, Paul de Vrieze wrote: |
| 2 |
> It also more than quadruples the efforts needed for actually committing a |
| 3 |
> change to an ebuild. As a start we can better have single signing that |
| 4 |
> spending months on reorganization and devising a way to have practical |
| 5 |
> multiple signing. |
| 6 |
> |
| 7 |
> The problem is that signing can be done today. Multiple signing will need |
| 8 |
> probably at least a half year. |
| 9 |
|
| 10 |
You are making this way more complicated than it needs to be: |
| 11 |
|
| 12 |
1. add a subdirectory (say .secure) to each directory in /usr/portage. In this |
| 13 |
store a file containing a SHA hash for all files in the parent dir (the files |
| 14 |
and directory file names; this could be done using a pipe through tar): |
| 15 |
|
| 16 |
<directoryhash>7a35f987c76b724e</directoryhash> |
| 17 |
|
| 18 |
Sign this file with `gpg -s --detach-sign --armor` to generate .asc files also |
| 19 |
in the .secure directory. |
| 20 |
|
| 21 |
Add an ACL file in the main directory (not .secure) which contains something |
| 22 |
like: |
| 23 |
|
| 24 |
<acl> |
| 25 |
<writeAccess> |
| 26 |
<id>gpg public key hash</id> |
| 27 |
<id>...</id> |
| 28 |
</writeAccess> |
| 29 |
<numberSigsRequired>2</numberSigsRequired> |
| 30 |
</writeAccess> |
| 31 |
</acl> |
| 32 |
|
| 33 |
2. run rsync -a -b --backup-dir /tmp/backup $gentoourl /usr/portage |
| 34 |
|
| 35 |
rsync grabs all the new files from gentoo server and puts them |
| 36 |
in /usr/portage, any file that is modified or deleted will be recorded |
| 37 |
in /tmp/backup. This includes the ACL file. |
| 38 |
|
| 39 |
3. Recurse through /usr/portage, for each directory: |
| 40 |
a) check that hash matches .secure/hash. If not, fail. |
| 41 |
b) if theres an old ACL in /tmp/backup/subdirpath, use it, else use existing |
| 42 |
one since it hasn't been altered |
| 43 |
c) for each signature in .secure/*.asc check whether its in the ACL list, |
| 44 |
then call `gpg --verify .secure/sig.asc .secure/hash` to verify it. We can |
| 45 |
set auto-key-retrieve in case we don't already have the key. |
| 46 |
d) if the signature is valid increase counter and repeat |
| 47 |
e) if number of valid signatures>number required delete the backups, else |
| 48 |
restore the backups (including old acl) and fail. |
| 49 |
|
| 50 |
Thats it. Note that we don't use gpg trust networks at all - the ACL file is |
| 51 |
much simpler. All ebuild maintainers need to do is run one script to |
| 52 |
calculate a new hash file and sign it. If there are enough signatures from |
| 53 |
gpg IDs listed in the ACL file the new files stay, else the old files get |
| 54 |
restored. |
| 55 |
|
| 56 |
It could be a lot more versatile, but this is the simplest system I could come |
| 57 |
up with that removes the possibility for the one rogue developer attack. How |
| 58 |
many people rsync update in 24 hours? 1000? 10000? Can you imagine the impact |
| 59 |
of tens of thousands of gentoo systems around the globe suddenly being |
| 60 |
compromised? Gentoo needs protection against this kind of attack now. |
| 61 |
|
| 62 |
-- |
| 63 |
gentoo-dev@g.o mailing list |
Archives