Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: "Robin H. Johnson" <robbat2@g.o>
Subject: Re: Manifest signing
Date: Thu, 3 Nov 2011 23:09:30 +0000
On Thu, Nov 03, 2011 at 10:55:52PM +0100, enno+gentoo@... wrote:
> >> If it is (also) for the users, why is there no code for it in portage
> >> anymore [3]?
> > Hmm, I hadn't see that removal, but it makes sense unless the entire
> > tree is developer-signed, which isn't likely to happen soon.
> I don't agree here. Of course the implementation shouldn't stop the user
> from installing an unsigned package at the moment. But it could give a
> warning instead and ask the user what to do.
> In this way developers are encouraged to sign their packages (to make
> the warning go away) and users get the ability to check the signatures,
> that already exist.
> Key problem here is the Gentoo keyring (how to ensure it didn't get
> manipulated).
Distributing the keyring itself signed is how Debian does it IIRC.

> > There's a chicken & egg problem with most signing. You need to
> > communicate the valid keys out of band from the actual repo.
> > Maybe the layman data is a good place for that, but until such a
> > location is figured out, you have zero security gain (if the 'correct'
> > keys are only listed in a file in the repo, any attacker just replaces
> > that when he puts his other content in).
> Of course. But security is always worth thinking about it.
> First step: What are the possibilities the check the signatures? FAIL.
> In my case some (most?) of the users of my overlay should know my GPG
> key already. The web of trust works here. The drawback for possible
> other users would be a false sense of security.
That's why I say the gpg key should be in the layman data.
Overlays team, do you think this is reasonable?

> > There was a prototype keyserver at one point as well, and I can generate
> > new keyrings if needed based on the LDAP data.
> This could be okay for a first creation. Later I would prefer something
> like Debian does:
> http://keyring.debian.org/replacing_keys.html
> That way you would decouple the LDAP and the keyring and trust only the
> data, that is already in the keyring (somebody whose key is already in
> the keyring signing the request for a new key).
> See also: http://keyring.debian.org/
> Perhaps the prototype keyserver already did something like that.
The Debian model was discussed, and the main problem was finding enough
people to sign the keys near all of the devs, esp. if you require
meeting in person.

You need two factors to be able to change your GPG key on file anyway.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85


References:
Manifest signing
-- Anthony G. Basile
Re: Manifest signing
-- enno+gentoo
Re: Manifest signing
-- Robin H. Johnson
Re: Manifest signing
-- enno+gentoo
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Manifest signing
Next by thread:
libtool.eclass update to allow @...@ replacements in patches
Previous by date:
Re: Manifest signing
Next by date:
Re: ChangeLog in eclass dir (was: Old changelogs / eclass dir)


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.