List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Evan Powers <powers.161@...>
Subject: Re: Re: [gentoo-security] Verifying portage is from Gentoo
Date: Mon, 13 Jan 2003 12:27:50 -0500

On Monday 13 January 2003 05:24 am, Paul de Vrieze wrote:
> Maybe the easiest way would be that some/all rsync mirrors would offer
> rsync over ssl, so that the origin servers could be authenticated. This
> would also mean some changes for clients to be able to use it.

I think something does have to be done about this.

There was a discussion about this (which I took part in) on gentoo-user and 
then the gentoo forums. For those who are interested:

http://forums.gentoo.org/viewtopic.php?t=26137

Personally, I think it's better to cryptographically sign the portage tree 
somehow at the source, then distribute it in the current manner. This method 
has the advantage that we need not implicitly trust the rsync mirror admins 
(as we currently do) and that the tree is immune to man-in-the-middle attacks 
as it is transferred between official site and mirror or between mirror and 
client. Secure rsync (via SSL or whatever) doesn't completely solve the 
problem.

That said, there are many ways of signing the portage tree. I advocate having 
the master rsync server automatically sign the tree as it checks out the CVS 
tree. There's been a lot of talk at various times about developers signing 
ebuilds individually, but I'm not sure that actually gains us anything. I 
also advocate building a time-dependence into the signatures. Read my forum 
posts for my complete musings on the matter, but here's a summary of my 
points:

1) An authentic but out-of-date tree can be just as dangerous as an inauthentic 
tree.
2) CVS works against per-developer signing of ebuilds. Consider "$Version: $", 
etc.
3) Ultimately we are forced to trust CVS, so we can't realize any additional 
security from per-developer signatures.

I present a method for efficiently signing the portage tree at the source 
while avoiding, to some extent, the race-condition type pitfalls of rsyncing 
while changes are in progress, etc. Read my forum posts for details.

I don't pretend to know everything about this sort of thing, so comments are 
very welcome.

Evan Powers

--
gentoo-dev@g.o mailing list
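
The approach argued for in the message above (the master server signs the whole tree once, with a time limit bound into the signature, and clients verify it after syncing from any mirror) is sketched below as an added example. It is not code from the post, from the forum thread it points to, or from Portage. The choice of Ed25519, the in-memory `files` map, the sample values and the names `Digest`, `Sign` and `Verify` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

var ErrSig, ErrStale = errors.New("bad signature"), errors.New("signature expired: tree is out of date")

// Digest covers the expiry time plus every path and file body, in sorted order.
func Digest(files map[string]string, expires int64) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	fmt.Fprintf(h, "expires=%d\n", expires)
	for _, p := range paths {
		fmt.Fprintf(h, "%d:%s%x", len(p), p, sha256.Sum256([]byte(files[p])))
	}
	return h.Sum(nil)
}

// Sign is the master server's step, run once after the tree is checked out.
func Sign(priv ed25519.PrivateKey, files map[string]string, expires int64) []byte {
	return ed25519.Sign(priv, Digest(files, expires))
}

// Verify is the client's step after syncing from any mirror (times in Unix seconds).
func Verify(pub ed25519.PublicKey, files map[string]string, expires int64, sig []byte, now int64) error {
	if !ed25519.Verify(pub, Digest(files, expires), sig) {
		return ErrSig // a file, the file list or the expiry changed after signing
	}
	if now > expires {
		return ErrStale // authentic snapshot, but too old to trust
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	tree := map[string]string{"app-misc/foo/foo-1.0.ebuild": "constructed sample"}
	sig := Sign(priv, tree, 2000) // constructed expiry, Unix seconds
	fmt.Println(Verify(pub, tree, 2000, sig, 1000)) // fresh snapshot
	fmt.Println(Verify(pub, tree, 2000, sig, 3000)) // same snapshot replayed later
}
```

Because the expiry is part of the signed digest, a mirror can neither alter a file nor extend the validity window without invalidating the signature, and a client needs only the master's public key.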
