On Wednesday 24 March 2004 14:52, Paul de Vrieze wrote:
> It also more than quadruples the efforts needed for actually committing a
> change to an ebuild. As a start we can better have single signing than
> spending months on reorganization and devising a way to have practical
> multiple signing.
>
> The problem is that signing can be done today. Multiple signing will need
> probably at least a half year.

You are making this way more complicated than it needs to be:

1. add a subdirectory (say .secure) to each directory in /usr/portage. In this
store a file containing a SHA hash for all files in the parent dir (the files
and directory file names; this could be done using a pipe through tar):

<directoryhash>7a35f987c76b724e</directoryhash>

Sign this file with `gpg -s --detach-sign --armor` to generate .asc files also
in the .secure directory.

Add an ACL file in the main directory (not .secure) which contains something
like:

<acl>
  <writeAccess>
    <id>gpg public key hash</id>
    <id>...</id>
  </writeAccess>
  <numberSigsRequired>2</numberSigsRequired>
</acl>

2. run rsync -a -b --backup-dir /tmp/backup $gentoourl /usr/portage

rsync grabs all the new files from the gentoo server and puts them
in /usr/portage; any file that is modified or deleted will be recorded
in /tmp/backup. This includes the ACL file.

3. Recurse through /usr/portage, for each directory:
a) check that the hash matches .secure/hash. If not, fail.
b) if there's an old ACL in /tmp/backup/subdirpath, use it, else use the existing
one since it hasn't been altered
c) for each signature in .secure/*.asc check whether it's in the ACL list,
then call `gpg --verify .secure/sig.asc .secure/hash` to verify it. We can
set auto-key-retrieve in case we don't already have the key.
d) if the signature is valid increase the counter and repeat
e) if number of valid signatures > number required delete the backups, else
restore the backups (including the old ACL) and fail.

That's it. Note that we don't use gpg trust networks at all - the ACL file is
much simpler. All ebuild maintainers need to do is run one script to
calculate a new hash file and sign it. If there are enough signatures from
gpg IDs listed in the ACL file the new files stay, else the old files get
restored.

It could be a lot more versatile, but this is the simplest system I could come
up with that removes the possibility for the one rogue developer attack. How
many people rsync update in 24 hours? 1000? 10000? Can you imagine the impact
of tens of thousands of gentoo systems around the globe suddenly being
compromised? Gentoo needs protection against this kind of attack now.

--
gentoo-dev@g.o mailing list
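The scheme in the post (steps 1 and 3: hash the directory, sign the hash file, count ACL-listed signers against a threshold, and judge the update using the pre-update ACL) written out as a small Python model. This is an added example, not code from the post or from Portage. It assumes file names the post leaves open (`.secure/hash` for the signed hash file, `acl.xml` for the ACL), treats the ACL `<id>` values as GnuPG key fingerprints as reported on gpg's `VALIDSIG` status line, and reads `numberSigsRequired` as a minimum (at least N signers), which is the natural reading of the element name even though the post's step (e) literally says `>`. The `demo()` scenario and the `fake_verifier` stand-in for gpg are constructed so the example runs offline; `gpg_verify` is the real verifier to plug in on a system with gpg.

```python
"""Added example: directory hash + ACL + signature threshold check, modelled on
the gentoo-dev proposal. Not the post's or Portage's own code."""
import hashlib
import os
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional, Tuple

SECURE_DIR = ".secure"  # subdirectory name from the post
HASH_FILE = "hash"      # assumed name of the signed hash file inside .secure
ACL_FILE = "acl.xml"    # assumed name of the ACL file in the parent directory


def directory_hash(directory: str) -> str:
    """SHA-1 over sorted names and contents of everything in `directory` except
    .secure. Names and a file/dir marker are mixed in, so a rename, a missing
    file or a file turned into a directory all change the digest."""
    h = hashlib.sha1()
    for name in sorted(os.listdir(directory)):
        if name == SECURE_DIR:
            continue
        path = os.path.join(directory, name)
        if os.path.isdir(path):
            h.update(b"D:" + name.encode() + b"\0")
            continue
        h.update(b"F:" + name.encode() + b"\0")
        with open(path, "rb") as f:
            h.update(f.read())
        h.update(b"\0")
    return h.hexdigest()


def write_hash_file(directory: str) -> str:
    """Maintainer side of step 1: store the digest as <directoryhash>...</directoryhash>."""
    secure = os.path.join(directory, SECURE_DIR)
    os.makedirs(secure, exist_ok=True)
    digest = directory_hash(directory)
    with open(os.path.join(secure, HASH_FILE), "w") as f:
        f.write("<directoryhash>%s</directoryhash>\n" % digest)
    return digest


def read_hash_file(directory: str) -> Optional[str]:
    """Digest recorded in .secure/hash, or None if the file is missing or malformed."""
    try:
        root = ET.parse(os.path.join(directory, SECURE_DIR, HASH_FILE)).getroot()
        return (root.text or "").strip()
    except (OSError, ET.ParseError):
        return None


def parse_acl(acl_text: str) -> Tuple[List[str], int]:
    """Return (allowed key ids, number of signatures required) from the ACL XML."""
    root = ET.fromstring(acl_text)
    write_access = root.find("writeAccess")
    ids = [] if write_access is None else [e.text.strip() for e in write_access.findall("id")]
    return ids, int(root.findtext("numberSigsRequired", default="1"))


# A verifier maps (signature file, signed file) to the signer's key id, or None.
Verifier = Callable[[str, str], Optional[str]]


def gpg_verify(sig_path: str, data_path: str) -> Optional[str]:
    """Real verifier: the fingerprint from gpg's '[GNUPG:] VALIDSIG' status line."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    for line in proc.stdout.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[2]
    return None


def choose_acl(directory: str, backup_dir: Optional[str]) -> str:
    """Step 3b: prefer the pre-update ACL saved by rsync --backup-dir, so a freshly
    synced ACL can never authorise the update that brought it in."""
    candidates = ([os.path.join(backup_dir, ACL_FILE)] if backup_dir else []) + [os.path.join(directory, ACL_FILE)]
    for path in candidates:
        if os.path.exists(path):
            with open(path) as f:
                return f.read()
    raise FileNotFoundError("no ACL file for %s" % directory)


def count_valid_signatures(directory: str, allowed: List[str], verify: Verifier) -> int:
    """Steps 3c/3d: distinct ACL-listed keys with a valid signature on .secure/hash.
    A key counts once however many .asc files it produced."""
    secure = os.path.join(directory, SECURE_DIR)
    data = os.path.join(secure, HASH_FILE)
    signers = set()
    for name in sorted(os.listdir(secure)):
        if name.endswith(".asc"):
            signer = verify(os.path.join(secure, name), data)
            if signer is not None and signer in allowed:
                signers.add(signer)
    return len(signers)


def check_directory(directory: str, old_acl_text: str, verify: Verifier = gpg_verify) -> bool:
    """Steps 3a-3e for one directory: True if the new contents may stay, False if
    the caller should restore the backups. `old_acl_text` must be the pre-update ACL."""
    if read_hash_file(directory) != directory_hash(directory):
        return False
    allowed, required = parse_acl(old_acl_text)
    return count_valid_signatures(directory, allowed, verify) >= required


def fake_verifier(sig_path: str, data_path: str) -> Optional[str]:
    """Constructed stand-in for gpg used by demo(): alice.asc -> signer 'ALICE'."""
    name = os.path.basename(sig_path)
    return name[:-4].upper() if name.endswith(".asc") else None


DEMO_ACL = ("<acl><writeAccess><id>ALICE</id><id>BOB</id></writeAccess>"
            "<numberSigsRequired>2</numberSigsRequired></acl>")


def demo() -> dict:
    """Constructed scenario: one ebuild directory, then one listed signer, two
    listed signers, and an unsigned edit after signing."""
    d = os.path.join(tempfile.mkdtemp(), "app-misc", "foo")
    os.makedirs(os.path.join(d, SECURE_DIR))
    for fn, body in (("foo-1.0.ebuild", 'DESCRIPTION="foo"\n'), (ACL_FILE, DEMO_ACL)):
        with open(os.path.join(d, fn), "w") as f:
            f.write(body)
    write_hash_file(d)
    results = {}
    for sig in ("alice.asc", "mallory.asc"):  # mallory is not in the ACL
        open(os.path.join(d, SECURE_DIR, sig), "w").close()
    results["one_listed_signer"] = check_directory(d, DEMO_ACL, fake_verifier)
    open(os.path.join(d, SECURE_DIR, "bob.asc"), "w").close()
    results["two_listed_signers"] = check_directory(d, DEMO_ACL, fake_verifier)
    with open(os.path.join(d, "foo-1.0.ebuild"), "a") as f:
        f.write("# edit made after signing\n")
    results["tampered_after_signing"] = check_directory(d, DEMO_ACL, fake_verifier)
    return results
```

Two details the post leaves implicit are made explicit here: signers are deduplicated by key id, so one key cannot reach the threshold by producing several `.asc` files, and `check_directory` receives the ACL from the caller rather than reading it from the synced tree, which is what makes step (b) bite.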