On Sun, 2002-02-17 at 22:56, Nils Ohlmeier wrote:

> Maybe the developers are more busy with other things, but it's never too early
> to think about security.

If this matter is important to you then please feel free to work on
adding such functionality to portage. I would like to see a prototype
of said system. :)

Just a tip though: any such system should be easy to use for the
developer and end user, and happen pretty much automatically for
developers. I'm personally not going to be very friendly towards any
system that requires me to do gnupg commands manually and worry about
keys every time I want to check in a package, etc. And only the most
paranoid users are going to go through the trouble of manually verifying
each package (meaning it wouldn't be used by most users).

It may sound lazy, but consider that upstream packages are not signed, most
developers don't even know each other in real life, and you are
implicitly trusting anyone who has the key and CVS access (any true
paranoid would see what I'm talking about). Unless the system is simple
and transparent for developers and end users, it's (disclaimer: in my view
and my view alone) a pain that gives people a false sense of security
about software they are downloading from the internet.

There is also the issue of keys... who holds them, etc. The signing of
packages could create political side effects and formalities. We have
quite a few developers with CVS access. This means we are going to be
sharing keys on multiple machines or have to go through a pain in the
arse every time we want to check a package in.

Such a system may force the solid formation of "teams" and encourage a
more unfriendly BSD-style core development model. As a Gentoo developer
I like being able to work on many different aspects of Gentoo whenever I
feel like it. And if I find an annoying bug I wish to fix, I like being
able to fix it, rather than spending time asking whichever "team" is in
charge of said package and having to ask for permission or whatever.
(OK, I'm exaggerating, but I've heard too many horror stories from the
history of the *BSDs.)

If we decide to avoid a team-based structure, then we are going to have
to worry about individual keys. Most packages, although sometimes
marked as having a maintainer, do not really have maintainers set in
stone. Most of the packages are freely modified by any developer who
has a real reason to make changes to said packages. Although there are
exceptions: portage does have maintainers due to its importance and the
fact it's a Gentoo creation (we are the upstream maintainers). Also, if
you as a developer are aware that someone is working on a package or has
a pet project, it's considered good etiquette to ask them first (chances
are they are already working on the issue anyway). So that means we
would either have to assign maintainers with keys to specific packages
and have changes cleared through them, or have the system check every
possible key against the package to see if the package has a valid
signature from 1 of 30 or so developers (I'm guessing at that
number).

Another alternative is a global key. One key shared among all
developers... IMHO, there isn't much point in signing after that... if
the key is leaked (accounts hacked, etc.) we'd have to get in touch with
all developers, reissue keys, and re-sign all packages after verifying
them all.

Just my two cents on the issue, feel free to flame or just call me
paranoid, crazy, etc. ;) Personally, I liked the open (more carefree?)
attitude towards the beginning of the project and I'd hate to see that
go away because of its increased popularity :)

--

Bruce A. Locke
blocke@××××××.org

"Those that would give up a necessary freedom for temporary
safety deserve neither freedom nor safety."
-- Ben Franklin
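The two verification models weighed in the message above (a verifier that checks a package against every developer key in a ring, versus one global key shared by all developers) as an added example in Go. This is not code from the thread, from portage, or from the author: it uses Ed25519 from Go's standard library in place of GnuPG/OpenPGP, signs a SHA-256 digest of a constructed manifest, accepts a package if the detached signature validates under any non-revoked key in the ring, and then counts how many signed packages survive revoking one leaked key under each model. Developer names (dev01...), package names and manifest lines are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Keyring holds one public key per developer plus the names whose keys
// have been revoked. Hypothetical stand-in for a portage-side verifier.
type Keyring struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewKeyring() *Keyring {
	return &Keyring{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (k *Keyring) Add(dev string, pub ed25519.PublicKey) { k.keys[dev] = pub }

// Revoke drops a developer's key from the trusted set, e.g. after the
// account holding it was compromised.
func (k *Keyring) Revoke(dev string) { k.revoked[dev] = true }

// digest hashes the manifest so the signed message is fixed-size and
// binds every file the manifest lists.
func digest(manifest []byte) []byte {
	h := sha256.Sum256(manifest)
	return h[:]
}

// Sign produces a detached signature over the manifest with one developer's key.
func Sign(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, digest(manifest))
}

// Verify accepts the package if the signature validates under any
// non-revoked key in the ring ("a valid signature from 1 of N developers")
// and reports which developer signed, which an audit trail needs.
func (k *Keyring) Verify(manifest, sig []byte) (signer string, ok bool) {
	d := digest(manifest)
	for dev, pub := range k.keys {
		if k.revoked[dev] {
			continue
		}
		if ed25519.Verify(pub, d, sig) {
			return dev, true
		}
	}
	return "", false
}

// Constructed package manifests for the demo (not real distfile hashes).
var manifests = map[string][]byte{
	"pkg-a": []byte("DIST pkg-a-1.0.tar.gz 1024 SHA256 aa..."),
	"pkg-b": []byte("DIST pkg-b-2.3.tar.gz 2048 SHA256 bb..."),
	"pkg-c": []byte("DIST pkg-c-0.9.tar.gz 4096 SHA256 cc..."),
}

// Demo signs the three packages under both models, treats the key that
// signed pkg-a as leaked and revokes it, and returns how many packages
// still verify: per-developer keys versus one global shared key.
func Demo() (perDevOK, globalOK int, err error) {
	perDev := NewKeyring()
	perDevSigs := map[string][]byte{}
	for i, pkg := range []string{"pkg-a", "pkg-b", "pkg-c"} {
		pub, priv, e := ed25519.GenerateKey(rand.Reader)
		if e != nil {
			return 0, 0, e
		}
		dev := fmt.Sprintf("dev%02d", i+1)
		perDev.Add(dev, pub)
		perDevSigs[pkg] = Sign(priv, manifests[pkg])
	}
	perDev.Revoke("dev01") // dev01's account was hacked; only that key goes

	global := NewKeyring()
	gpub, gpriv, e := ed25519.GenerateKey(rand.Reader)
	if e != nil {
		return 0, 0, e
	}
	global.Add("global", gpub)
	globalSigs := map[string][]byte{}
	for pkg, m := range manifests {
		globalSigs[pkg] = Sign(gpriv, m)
	}
	global.Revoke("global") // the one shared key leaked; nothing stays trusted

	for pkg, m := range manifests {
		if _, ok := perDev.Verify(m, perDevSigs[pkg]); ok {
			perDevOK++
		}
		if _, ok := global.Verify(m, globalSigs[pkg]); ok {
			globalOK++
		}
	}
	return perDevOK, globalOK, nil
}

func main() {
	p, g, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("after revoking the leaked key: per-developer keys keep %d/3 packages, global key keeps %d/3\n", p, g)
}
```

Run with `go run`. The any-of-N check makes the "no fixed maintainer" model workable, since the verifier does not need to know in advance who was supposed to sign, and returning the signer's name is what lets a compromised key be traced to the packages it touched. What this example leaves out is the hard part the message raises: how end users obtain and trust the keyring itself, since an attacker who can replace the ring can add their own key to it.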