On Monday 13 January 2003 12:27pm, Evan Powers wrote:
> On Monday 13 January 2003 05:24 am, Paul de Vrieze wrote:
> > Maybe the easiest way would be that some/all rsync mirrors would offer
> > rsync over ssl, so that the origin servers could be authenticated.
> > This would also mean some changes for clients to be able to use it.
>
> I think something does have to be done about this.
>
I agree, but FWIW, the BSDs have had unsigned ports for a long time without
any serious issues. How complex is this issue, really?
* gnupg must be installed for every user, and special practices will have
to go into place to protect gnupg from tampering. (achilles)
* a publicly available web of cross-signed public keys needs to be made
available, with the keys also available on MIT's keyserver for sanity.
* each dev signs the ebuild with his/her public key before it gets
committed.
> Secure rsync (via SSL or whatever) doesn't completely solve the
> problem.
cvsup and rsync can use SSL via stunnel. I would like to see Gentoo use
cvsup for efficiency/bandwidth reasons instead of rsync.
Traffic encryption is only useful to minimize risk of man-in-the-middle
attacks/dns hacks/etc... which, all said and done, is rare. IMO this
should be the last priority.
>
> That said, there's many ways of signing the portage tree. I advocate
> having the master rsync server automatically sign the tree as it checks
> out the CVS tree.
Single point of failure; I don't like this idea in the sense of
server-->clients. That key would have to be updated constantly, and if
it gets compromised, everything is compromised by way of assumption.
However -- I see this as being valuable in replicating the master tree to
other mirrors, though, where the pubkeys are known only to the master and
its mirrors. That's if you're using rsync.
cvsup uses authentication keys to mirror.
> 2) CVS works against per-developer signing of ebuilds. Consider
> "$Version: $", etc.
We should take the CVS keywords out of the ebuilds.
> 3) Ultimately we are forced to trust CVS, so we can't realize any
> additional security from per-developer signatures.
I'm not sure that the ultimate problem is CVS... it's human beings. If you
don't have an account with the right keys on the CVS box, you're not doing
updates. It's that simple.
If people are using ssh keys without passphrases, someone can take over a
dev's box and do all the nastiness they want to on Gentoo's CVS server.
That's not the fault of CVS or SSH.
[1] Devs have to generate their keys properly, and keep their machines
secure.
[2] Gentoo project managers need to kill off inactive developers, and
regularly hold key-signing parties.
Having the developer sign each ebuild before a commit will minimize these
risks. If a dev's box is rooted -- the hacker can commit as many hacks as
they want to the Gentoo CVS tree, but the ebuilds will not be signed, and
consequently will be ignored on the Gentoo clients.
That is why I'm saying one key sign for the whole tree is a bad idea...
This is some good conversation...
Cheers,
Dylan Carlson [absinthe@...]
--
gentoo-dev@g.o mailing list
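An added illustration, not part of this thread or of Portage, of the client-side policy the message argues for: every ebuild carries a detached signature from an individual developer, the client holds a keyring of cross-signed developer keys, and anything unsigned, signed by an unknown key, or modified after signing is refused. It also shows one way to handle the "$Version: $" objection without removing CVS keywords, by collapsing expanded keywords before hashing. Everything here is constructed: textbook RSA over SHA-256 stands in for GnuPG so the script runs with the standard library alone (a real deployment would call gpg and use its keyring), the key ids and ebuild text are made up, and the canonicalization rule is an assumption about how keywords could be neutralised.

```python
"""Per-developer ebuild signature check (added example, constructed data).

Textbook RSA stands in for gpg detached signatures; do not use it as a
real signature scheme. Keys, key ids and the ebuild text are constructed.
"""
import hashlib
import math
import random
import re


# --- stand-in signature primitive (hypothetical; gpg in practice) ----------
def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(seed, bits=512):
    """Seeded (hence reproducible) RSA key pair: returns (public, private)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def key_id(public):
    """Short fingerprint used to look a developer key up in the keyring."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


# --- what actually gets hashed and signed -----------------------------------
_CVS_KEYWORD = re.compile(r"\$(Header|Id|Revision|Version|Date|Author)(:[^$\n]*)?\$")


def canonicalize(text):
    """Collapse expanded CVS keywords ($Header: ... $) back to $Header$, so a
    checkout that CVS rewrote still hashes to what the developer signed."""
    return _CVS_KEYWORD.sub(r"$\1$", text)


def _digest(text):
    return int.from_bytes(hashlib.sha256(canonicalize(text).encode()).digest(), "big")


def sign(keypair, text):
    """Developer side: detached signature naming the signing key."""
    public, (n, d) = keypair
    return {"key_id": key_id(public), "sig": pow(_digest(text), d, n)}


def verify(public, text, detached):
    n, e = public
    return pow(detached["sig"], e, n) == _digest(text)


def check_tree(tree, signatures, keyring):
    """Client side: classify every ebuild; only 'ok' entries may be merged."""
    status = {}
    for path, content in tree.items():
        detached = signatures.get(path)
        if detached is None:
            status[path] = "unsigned"
        elif detached["key_id"] not in keyring:
            status[path] = "untrusted-key"
        elif not verify(keyring[detached["key_id"]], content, detached):
            status[path] = "bad-signature"
        else:
            status[path] = "ok"
    return status


# Constructed keys and ebuild text for the demonstration.
DEV_KEY = generate_keypair(seed=1)     # a developer whose key is cross-signed
ROGUE_KEY = generate_keypair(seed=2)   # a key nobody on the web of trust signed
KEYRING = {key_id(DEV_KEY[0]): DEV_KEY[0]}
EBUILD = (
    "# $Header$\n"
    'DESCRIPTION="constructed demo ebuild"\n'
    'SRC_URI="http://example.invalid/foo-1.0.tar.gz"\n'
)


def demo():
    good = sign(DEV_KEY, EBUILD)
    expanded = EBUILD.replace("$Header$", "$Header: /cvsroot/foo-1.0.ebuild,v 1.1 2003/01/13 Exp $")
    tree = {
        "app-misc/foo/foo-1.0.ebuild": expanded,                                   # keyword-expanded by CVS after signing
        "app-misc/foo/foo-1.1.ebuild": EBUILD.replace("example.invalid", "mirror.invalid"),  # edited after signing
        "app-misc/bar/bar-2.0.ebuild": EBUILD,                                     # committed with no signature
        "app-misc/baz/baz-3.0.ebuild": EBUILD,                                     # signed by a key not in the keyring
    }
    signatures = {
        "app-misc/foo/foo-1.0.ebuild": good,
        "app-misc/foo/foo-1.1.ebuild": good,
        "app-misc/baz/baz-3.0.ebuild": sign(ROGUE_KEY, EBUILD),
    }
    return check_tree(tree, signatures, KEYRING)


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{result:15} {path}")
```

The point of the four outcomes is the one the message makes: a compromised developer box or CVS account can add or alter files, but unless the attacker also holds a key that the keyring trusts, the client sees "unsigned", "untrusted-key" or "bad-signature" and skips the ebuild. Canonicalizing keywords keeps the honest case working after CVS rewrites the header line; removing the keywords from ebuilds, as the message suggests, makes that step unnecessary.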