On Wednesday 24 March 2004 22:48, Spider wrote:
> erm. Isn't the Manifest file in each directory good enough?
> Manifest.gpg can be generated at Manifest creation time, committed to cvs
> and so on.. The issue isn't there, the issue is the key validation.
>
> The issue we fear isn't one where the ACLs are blocked. It's how do we
> protect each key? How do we mark a key as "good" and not, how do we
> have infrastructure to do this? What about a master signing key? How do
> we do that and make sure that doesn't go boom?

You know that keys are good because the associated KeyID is in the ACL. The ID
can't get in the ACL unless enough people, who are already in the ACL, sign
the new manifest. If someone revokes their key, then the minimum number of
developers have to sign the new manifest with the new ACL included.

This system does not introduce a huge amount of work for a developer.
Revocations - just check that the ACL has the keyId removed, sign the new
manifest, and check in the signature. Updated ebuild - sign the manifest,
check in the signature. Updated important package requiring minimum number of
developers to sign a release - sign manifest, check in signature, send email
to other developers requesting they check release and do the same.

In this mechanism it is not necessary to sign each other's keys, or have a
master key. Each developer is responsible for their own key. OpenPGP
keyservers only store the public keys. Without a developer's private key it
would be impossible to generate a valid signature. Even if the keyserver is
hacked, and a rogue public key inserted, the key will not match the KeyID in
the ACL (the GPG keyid is a hash of the public key). It is not even necessary
to implement key distribution - given a signature or keyId gpg can
automatically fetch a public key from the openpgp keyserver network and
verify that it is the correct one. The only attack that would work is to
compromise enough gentoo developers' private keys so as to be able to generate
the minimum number of signatures for a package.

-- 
gentoo-dev@g.o mailing list
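The ACL-in-the-Manifest rule described in the reply above, as an added example that is not part of the thread or of Gentoo's tooling: a new Manifest is accepted only when enough keys from the currently trusted ACL sign it, the key ID is a hash of the public key so a rogue key on a poisoned keyserver fails the ID check, and a revocation is just a new Manifest carrying a smaller ACL. Lamport one-time signatures over SHA-256 stand in for OpenPGP signatures, a dict stands in for the keyserver, and the Manifest layout, the `threshold` field and `check_manifest` are all assumptions of this example.

```python
import hashlib
import json
import os

H = lambda b: hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: 256 pairs of secret preimages; public key = their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def keyid(pk):
    # As with a GPG key ID, the ID is a hash of the public key, so a substituted key cannot match it.
    return hashlib.sha256(pk).hexdigest()[:16]

def sign(sk, msg):
    d = int.from_bytes(H(msg), "big")
    return b"".join(sk[i][(d >> (255 - i)) & 1] for i in range(256))

def verify(pk, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[32 * i:32 * i + 32]) == pk[64 * i + 32 * ((d >> (255 - i)) & 1):][:32]
               for i in range(256))

def encode(manifest):
    # Canonical bytes of the Manifest; the ACL and threshold are signed along with the file list.
    return json.dumps(manifest, sort_keys=True).encode()

def check_manifest(trusted_acl, manifest, sigs, keyserver):
    """Accept `manifest` only if at least `threshold` distinct keys from the *currently trusted*
    ACL signed it. sigs: {keyid: signature}. keyserver: {keyid: pubkey}, untrusted (may be
    poisoned). Returns the ACL to trust from now on (the manifest's own), or None if rejected."""
    data = encode(manifest)
    good = set()
    for kid, sig in sigs.items():
        if kid not in trusted_acl["keys"]:
            continue                     # signer was never admitted to the ACL (or was revoked)
        pk = keyserver.get(kid)
        if pk is None or keyid(pk) != kid:
            continue                     # rogue public key published under this ID
        if verify(pk, data, sig):
            good.add(kid)                # one vote per key, however many signatures it submits
    return manifest["acl"] if len(good) >= trusted_acl["threshold"] else None
```

Lamport keys are one-time; reusing them across two Manifests here only keeps the illustration short, and a real deployment would call gpg to verify against the developer's OpenPGP key instead.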