| 1 |
On Thursday 25 March 2004 09:39, Paul de Vrieze wrote: |
| 2 |
|
| 3 |
> I have a number of questions: |
| 4 |
> - - How do you know that I didn't just create a new ACL file (maybe for a |
| 5 |
> new package) and signed it myself, and used it to give myself access to |
| 6 |
> this package and add malicious code. |
| 7 |
|
| 8 |
You need to be in the ACL at /usr/portage/pkg-parent-dir to create the new |
| 9 |
package. To update an ACL, the new ACL has to be signed by people in the old |
| 10 |
ACL. |
| 11 |
|
| 12 |
> - - How do you propose all those ACL's get created. Especially as we don't |
| 13 |
> want to limit who may commit where. In some cases it is actually |
| 14 |
> essential that certain parties (managers) perform fast commits on a |
| 15 |
> package they are not normally involved with. |
| 16 |
|
| 17 |
This is a management issue. Decide who is responsible for different parts of |
| 18 |
the tree. If you allow everyone to commit anywhere then you are heading for |
| 19 |
trouble - would you give someone you only know through irc root access to |
| 20 |
your pc? Thats effectively what you're doing. Every new developer adds a new |
| 21 |
point of compromise; there have to be some restrictions. |
| 22 |
|
| 23 |
> The current IMPLEMENTED system is even less work for developers. An |
| 24 |
> update just requires signing the manifest. This is done automatically by |
| 25 |
> repoman so it just means one needs to enter his passphrase (or use |
| 26 |
> gpg-agent) |
| 27 |
|
| 28 |
Same here, everything can be automated with scripts. |
| 29 |
|
| 30 |
> > In this mechanism it is not necessary to sign each others keys, or |
| 31 |
> > have a master key. Each developer is responsible for their own key. |
| 32 |
> > OpenPGP keyservers only store the public keys. Without a developers |
| 33 |
> > private key it would be impossible to generate a valid signature. Even |
| 34 |
> > if the keyserver is hacked, and a rogue public key inserted, the key |
| 35 |
> > will not match the KeyID in the ACL (the GPG keyid is a hash of the |
| 36 |
> > public key). It is not even necessary to implement key distribution - |
| 37 |
> > given a signature or keyId gpg can automatically fetch a public key |
| 38 |
> > from the openpgp keyserver network and verify that it is the correct |
| 39 |
> > one. The only attack that would work is to compromise enough gentoo |
| 40 |
> > developers private keys so as to be able to generate the minimum |
| 41 |
> > number of signatures for a package. |
| 42 |
> |
| 43 |
> This approach still relies on minimum signatures being bigger than 1. |
| 44 |
> While that would work for ACL's this will currently not work for |
| 45 |
> manifests. It would put alternative architectures to a grinding halt and |
| 46 |
> seriously limit the possibilities of the x86 development. |
| 47 |
|
| 48 |
Unpopular packages may only require one signature, but surely something that |
| 49 |
would compromise every user (like glibc) should require multiple signatures? |
| 50 |
If you really need it add a FEATURES flag to ignore signatures. Obviously |
| 51 |
normal users should never set it. I'm not sure why you think it wouldn't work |
| 52 |
for manifests; its just a file. |
| 53 |
|
| 54 |
> Paul |
| 55 |
> |
| 56 |
> ps. Based on one public key on a single trusted source (A CD), how do you |
| 57 |
> ensure that the whole tree is uncompromised. |
| 58 |
|
| 59 |
You can't. Its an old tree which has already been signed. Trust it, or update |
| 60 |
to a new tree. |
| 61 |
|
| 62 |
> pps. How do you ensure that at a compromise of a key / or a rogue |
| 63 |
> developer this key is invalidated even when revocation is not possible |
| 64 |
> (like with a rogue developer) |
| 65 |
|
| 66 |
Remove the key from the ACL. |
| 67 |
|
| 68 |
-- |
| 69 |
gentoo-dev@g.o mailing list |
Archives