List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Rich Freeman <rich0@g.o>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Fri, 8 Jun 2012 07:36:56 -0400
On Fri, Jun 8, 2012 at 7:01 AM, W. Trevor King <wking@...> wrote:
> When the breach is discovered, you can then isolate the dev (or devs)
> who implicitly signed the hack (2) by pulling the ToT without checking
> for a valid signature (3).  Then you yell at them for sloppy security,
> and tell them to install your signature-checking post-receive hook.

Well, if devs are supposed to do this, we should probably write this
down as a policy somewhere.  Probably wouldn't hurt if the
post-receive hook actually existed, and it was designed to only work
on the official tree; otherwise everybody will just uninstall it, since
people don't just pull from the official tree.

I doubt any dev checks the signatures on manifest files before they
overwrite them with a new signature.  If they did it wouldn't matter
since those signatures aren't even mandatory anyway.  Certainly it
isn't intuitive to me that when I perform a signature on changes I
make that I'm also vouching for work committed by somebody else before
me.

Process can be as effective as technology in achieving security, but
only if those processes are clear, and unintrusive enough to ensure
they are followed.  I wouldn't count on being able to yell at
developers - first it does nothing to solve the mess that you'd be in
at that point, and second you can only yell at volunteers so much.

Rich
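The hook the thread is arguing about, sketched as an added example (not code from the thread, from Gentoo, or from any of the posters): a POSIX sh hook that checks the GPG signature status of every commit a ref moved over, and that does nothing unless the clone's `origin` is the official tree, which is the point Rich raises about developers otherwise uninstalling it. The official URL is a constructed placeholder (`OFFICIAL_REMOTE_URL`), the signing keys are assumed to already be in the local keyring, and the file is meant to be installed under the hook name `post-receive` (on a receiving repository) or `post-merge` (in a developer's clone); the signature-status parsing is split into its own function so it can be exercised on constructed `git log` output without a repository.

```sh
#!/bin/sh
# Added example, not from the thread: verify that every newly received commit
# carries a good, trusted GPG signature, but only on the official tree.
#
# Assumptions (not from the page): the official tree lives at the placeholder
# URL below, and the developers' signing keys are already in the keyring.
OFFICIAL_REMOTE_URL="git://git.example.invalid/gentoo.git"   # constructed placeholder

# is_official_remote URL: succeed only for the official tree, so the hook is a
# silent no-op in forks and private clones.
is_official_remote() {
    [ "$1" = "$OFFICIAL_REMOTE_URL" ]
}

# check_sig_status: read lines of "<hash> <%G? status> [signer]" on stdin, as
# produced by:  git log --format='%H %G? %GS' <old>..<new>
# %G? is G for a good trusted signature; B bad, U good but untrusted,
# X/Y expired signature or key, R revoked key, E key missing, N unsigned.
# Prints every commit that is not G and fails if there was any.
check_sig_status() {
    bad=0
    while IFS=' ' read -r hash status signer; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) ;;   # good, trusted signature: nothing to report
            *) bad=$((bad + 1))
               printf 'UNVERIFIED %s status=%s signer=%s\n' \
                   "$hash" "${status:-?}" "${signer:-none}" ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Hook body: git feeds "<old> <new> <ref>" lines on stdin for post-receive;
# for post-merge there is no stdin, so check ORIG_HEAD..HEAD instead.
main() {
    remote_url=$(git config --get remote.origin.url 2>/dev/null)
    is_official_remote "$remote_url" || return 0
    rc=0
    if [ "${0##*/}" = "post-merge" ]; then
        git log --format='%H %G? %GS' ORIG_HEAD..HEAD | check_sig_status || rc=1
    else
        while read -r old new ref; do
            # a deleted ref has an all-zero "new" and nothing to verify
            case "$new" in *[!0]*) ;; *) continue ;; esac
            git log --format='%H %G? %GS' "$old..$new" | check_sig_status || rc=1
        done
    fi
    [ "$rc" -eq 0 ] || echo "signature check failed on the official tree; see above" >&2
    return "$rc"
}

# Only act when installed under a hook name, so the functions above can be
# sourced and tested without a repository.
case "${0##*/}" in
    post-receive|post-merge) main ;;
esac
```

Because a post-receive or post-merge hook runs after the ref has already moved, this hook reports rather than blocks; the same `check_sig_status` logic placed in a `pre-receive` or `update` hook on the receiving side would reject the push instead, which is the stronger control.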


Replies:
Re: Git braindump: 1 of N: merging & git signing
-- Michael Weber
References:
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Brian Harring
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Brian Harring
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- W. Trevor King