On Monday 13 January 2003 12:27pm, Evan Powers wrote:
> On Monday 13 January 2003 05:24 am, Paul de Vrieze wrote:
> > Maybe the easiest way would be that some/all rsync mirrors would offer
> > rsync over ssl, so that the origin servers could be authenticated.
> > This would also mean some changes for clients to be able to use it.
> I think something does have to be done about this.
I agree, but FWIW, the BSDs have had unsigned ports for a long time without
any serious issues. How complex is this issue, really?
* gnupg must be installed for every user, and special practices will have
to go into place to protect gnupg from tampering. (achilles)
* a publically available web of cross-signed public keys needs to be made
available, with the keys also available on MIT's keyserver for sanity.
* each dev signs the ebuild with his/her public key before it gets
> Secure rsync (via SSL or whatever) doesn't completely solve the
cvsup and rsync can use SSL via stunnel. I would like to see Gentoo use
cvsup for efficiency/bandwidth reasons instead of rsync.
Traffic encryption is only useful to minimize risk of man-in-the-middle
attacks/dns hacks/etc... which all said and done, is rare. IMO this
should be the last priority.
> That said, there's many ways of signing the portage tree. I advocate
> having the master rsync server automatically sign the tree as it checks
> out the CVS tree.
Single point of failure, I don't like this idea in the sense of
server-->clients. That key would have to be updated constantly, and if
it gets compromised, everything is compromised by way of assumption.
However -- I see this as being valuable in replicating the master tree to
other mirrors, though, where the pubkeys are known only to the master and
its mirrors. That's if you're using rsync.
cvsup uses authentication keys to mirror.
> 2) CVS works against per-developer signing of ebuilds. Consider
> "$Version: $", etc.
We should take the CVS keywords out of the ebuilds.
> 3) Ultimately we are forced to trust CVS, so we can't realize any
> additional security from per-developer signatures.
I'm not sure that the ultimate problem is CVS... it's human beings. If you
don't have an account with the right keys on the CVS box, you're not doing
updates. It's that simple.
If people are using ssh keys without passphrases, someone can take over a
dev's box and do all the nastiness they want to on Gentoo's CVS server.
That's not the fault of CVS or SSH.
 Dev's have to generate their keys properly, and keep their machines
 Gentoo project managers need to kill off inactive developers, and
regularly hold key-signing parties.
Having the developer sign each ebuild before a commit will minimize these
risks. If a dev's box is rooted -- the hacker can commit as many hacks as
they want to the Gentoo CVS tree, but the ebuilds will not be signed, and
consequently will be ignored on the Gentoo clients.
That is why I'm saying one key sign for the whole tree is a bad idea...
This is some good conversation...
Dylan Carlson [absinthe@...]
firstname.lastname@example.org mailing list