1 |
Well, I was browsing around the other day checking into the "behind the |
2 |
scenes" work of gnupg and keyservers when I stumbled on this link.. |
3 |
|
4 |
|
5 |
http://www.cryptnet.net/fdp/crypto/strong_distro.html |
6 |
|
7 |
|
8 |
Could you please take the time to read this and then consider: |
9 |
|
10 |
What would be the requirements to getting this into our current system |
11 |
without breaking backwards compability? |
12 |
|
13 |
How do we do it to enforce "minimum developer effort" |
14 |
|
15 |
What other infrastructure tools would be necessary? |
16 |
|
17 |
and, how would we go about setting up a key-ring for Gentoo linux |
18 |
developers who are completely unable to meet up in large quantities? |
19 |
|
20 |
its a difficult concept and hard to do while maintaining security for |
21 |
all involved parties. |
22 |
|
23 |
|
24 |
|
25 |
What I see here as some ideas are.: |
26 |
*) gpg is included as a base dependency for the system and included on |
27 |
default bootdisks... |
28 |
|
29 |
*) gpg import is done at "rsync" and the public keyring is avaiable on |
30 |
rsync servers (better ideas people?) |
31 |
|
32 |
*) gpg hash/checksum is done on the .ebuild, tarball and patches that |
33 |
are avaiable through portage. (stored in digest) |
34 |
|
35 |
*) all developers keys are linked in a keyring. |
36 |
|
37 |
|
38 |
Now, all this is just stalling, it will be quite difficult to get all |
39 |
the complex aspects of this "safe" into portage, so this will require |
40 |
very very careful design before we start coding. having a rapid |
41 |
development language is no excuse for a crappy design solution in this |
42 |
case. |
43 |
|
44 |
Key security is always an issue and a weak point when it comes to |
45 |
developing software. acknowledged. |
46 |
|
47 |
how do we avoid infringment into the keys (unauthorized keys added?) and |
48 |
thus enabling an attacker to sign the modified ebuilds/patches and have |
49 |
them check as clean? |
50 |
|
51 |
we need to implement hashes for all patches and included files as well, |
52 |
not only for tarballs. since if the patch is applied, it doesn't matter |
53 |
if the tarball was ok, the system is flawed. |
54 |
|
55 |
we need to do all this with as little user intervention as possible. |
56 |
|
57 |
Now, this is cc'd to -dev as I think it should be in the open, its a |
58 |
proposal and the time for discussion, and a following idea discussion |
59 |
could do well in a larger community. we do have some bright minds, and |
60 |
now is the time for even those who cannot code to come with ideas and |
61 |
insights, because nothing goes into code, just yet. |
62 |
|
63 |
|
64 |
Regards, |
65 |
Spider |
66 |
|
67 |
|
68 |
|
69 |
-- |
70 |
begin .signature |
71 |
This is a .signature virus! Please copy me into your .signature! |
72 |
See Microsoft KB Article Q265230 for more information. |
73 |
end |