| 1 |
Well, I was browsing around the other day checking into the "behind the |
| 2 |
scenes" work of gnupg and keyservers when I stumbled on this link.. |
| 3 |
|
| 4 |
|
| 5 |
http://www.cryptnet.net/fdp/crypto/strong_distro.html |
| 6 |
|
| 7 |
|
| 8 |
Could you please take the time to read this and then consider: |
| 9 |
|
| 10 |
What would be the requirements to getting this into our current system |
| 11 |
without breaking backwards compability? |
| 12 |
|
| 13 |
How do we do it to enforce "minimum developer effort" |
| 14 |
|
| 15 |
What other infrastructure tools would be necessary? |
| 16 |
|
| 17 |
and, how would we go about setting up a key-ring for Gentoo linux |
| 18 |
developers who are completely unable to meet up in large quantities? |
| 19 |
|
| 20 |
its a difficult concept and hard to do while maintaining security for |
| 21 |
all involved parties. |
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
What I see here as some ideas are.: |
| 26 |
*) gpg is included as a base dependency for the system and included on |
| 27 |
default bootdisks... |
| 28 |
|
| 29 |
*) gpg import is done at "rsync" and the public keyring is avaiable on |
| 30 |
rsync servers (better ideas people?) |
| 31 |
|
| 32 |
*) gpg hash/checksum is done on the .ebuild, tarball and patches that |
| 33 |
are avaiable through portage. (stored in digest) |
| 34 |
|
| 35 |
*) all developers keys are linked in a keyring. |
| 36 |
|
| 37 |
|
| 38 |
Now, all this is just stalling, it will be quite difficult to get all |
| 39 |
the complex aspects of this "safe" into portage, so this will require |
| 40 |
very very careful design before we start coding. having a rapid |
| 41 |
development language is no excuse for a crappy design solution in this |
| 42 |
case. |
| 43 |
|
| 44 |
Key security is always an issue and a weak point when it comes to |
| 45 |
developing software. acknowledged. |
| 46 |
|
| 47 |
how do we avoid infringment into the keys (unauthorized keys added?) and |
| 48 |
thus enabling an attacker to sign the modified ebuilds/patches and have |
| 49 |
them check as clean? |
| 50 |
|
| 51 |
we need to implement hashes for all patches and included files as well, |
| 52 |
not only for tarballs. since if the patch is applied, it doesn't matter |
| 53 |
if the tarball was ok, the system is flawed. |
| 54 |
|
| 55 |
we need to do all this with as little user intervention as possible. |
| 56 |
|
| 57 |
Now, this is cc'd to -dev as I think it should be in the open, its a |
| 58 |
proposal and the time for discussion, and a following idea discussion |
| 59 |
could do well in a larger community. we do have some bright minds, and |
| 60 |
now is the time for even those who cannot code to come with ideas and |
| 61 |
insights, because nothing goes into code, just yet. |
| 62 |
|
| 63 |
|
| 64 |
Regards, |
| 65 |
Spider |
| 66 |
|
| 67 |
|
| 68 |
|
| 69 |
-- |
| 70 |
begin .signature |
| 71 |
This is a .signature virus! Please copy me into your .signature! |
| 72 |
See Microsoft KB Article Q265230 for more information. |
| 73 |
end |
Archives