| 1 |
On Wednesday 24 March 2004 22:48, Spider wrote: |
| 2 |
> erm. Isn't the Manifest file in each directory good enough? |
| 3 |
> Manifest.gpg can be generated at Manifest creation time, commited to cvs |
| 4 |
> and so on.. The issue isn't there, the issue is the key validation. |
| 5 |
> |
| 6 |
> The issue we fear isn't one where the ACL's are blocked. its how do we |
| 7 |
> protect each key? How do we mark a key as "good" and not, how do we |
| 8 |
> have infrastructure to do this? What about a master signing key? How do |
| 9 |
> we do that and make sure that doesn't go boom? |
| 10 |
|
| 11 |
You know that keys are good because the associated KeyID is in the ACL. The ID |
| 12 |
can't get in the ACL unless enough people, who are already in the ACL, sign |
| 13 |
the new manifest. If someone revokes their key, then the minimum number of |
| 14 |
developers have to sign the new manifest with the new ACL included. |
| 15 |
|
| 16 |
This system does not introduce a huge amount of work for a developer. |
| 17 |
Revocations - just check that the ACL has the keyId removed, sign the new |
| 18 |
manifest, and checkin the signature. Updated ebuild - sign the manifest, |
| 19 |
checkin the signature. Updated important package requiring minimum number of |
| 20 |
developers to sign a release - sign manifest, checkin signature, send email |
| 21 |
to other developers requesting they check release and do the same. |
| 22 |
|
| 23 |
In this mechanism it is not necessary to sign each others keys, or have a |
| 24 |
master key. Each developer is responsible for their own key. OpenPGP |
| 25 |
keyservers only store the public keys. Without a developers private key it |
| 26 |
would be impossible to generate a valid signature. Even if the keyserver is |
| 27 |
hacked, and a rogue public key inserted, the key will not match the KeyID in |
| 28 |
the ACL (the GPG keyid is a hash of the public key). It is not even necessary |
| 29 |
to implement key distribution - given a signature or keyId gpg can |
| 30 |
automatically fetch a public key from the openpgp keyserver network and |
| 31 |
verify that it is the correct one. The only attack that would work is to |
| 32 |
compromise enough gentoo developers private keys so as to be able to generate |
| 33 |
the minimum number of signatures for a package. |
| 34 |
|
| 35 |
-- |
| 36 |
gentoo-dev@g.o mailing list |
Archives