1 |
On Thursday 25 March 2004 09:39, Paul de Vrieze wrote: |
2 |
|
3 |
> I have a number of questions: |
4 |
> - - How do you know that I didn't just create a new ACL file (maybe for a |
5 |
> new package) and signed it myself, and used it to give myself access to |
6 |
> this package and add malicious code. |
7 |
|
8 |
You need to be in the ACL at /usr/portage/pkg-parent-dir to create the new |
9 |
package. To update an ACL, the new ACL has to be signed by people in the old |
10 |
ACL. |
11 |
|
12 |
> - - How do you propose all those ACL's get created. Especially as we don't |
13 |
> want to limit who may commit where. In some cases it is actually |
14 |
> essential that certain parties (managers) perform fast commits on a |
15 |
> package they are not normally involved with. |
16 |
|
17 |
This is a management issue. Decide who is responsible for different parts of |
18 |
the tree. If you allow everyone to commit anywhere then you are heading for |
19 |
trouble - would you give someone you only know through irc root access to |
20 |
your pc? Thats effectively what you're doing. Every new developer adds a new |
21 |
point of compromise; there have to be some restrictions. |
22 |
|
23 |
> The current IMPLEMENTED system is even less work for developers. An |
24 |
> update just requires signing the manifest. This is done automatically by |
25 |
> repoman so it just means one needs to enter his passphrase (or use |
26 |
> gpg-agent) |
27 |
|
28 |
Same here, everything can be automated with scripts. |
29 |
|
30 |
> > In this mechanism it is not necessary to sign each others keys, or |
31 |
> > have a master key. Each developer is responsible for their own key. |
32 |
> > OpenPGP keyservers only store the public keys. Without a developers |
33 |
> > private key it would be impossible to generate a valid signature. Even |
34 |
> > if the keyserver is hacked, and a rogue public key inserted, the key |
35 |
> > will not match the KeyID in the ACL (the GPG keyid is a hash of the |
36 |
> > public key). It is not even necessary to implement key distribution - |
37 |
> > given a signature or keyId gpg can automatically fetch a public key |
38 |
> > from the openpgp keyserver network and verify that it is the correct |
39 |
> > one. The only attack that would work is to compromise enough gentoo |
40 |
> > developers private keys so as to be able to generate the minimum |
41 |
> > number of signatures for a package. |
42 |
> |
43 |
> This approach still relies on minimum signatures being bigger than 1. |
44 |
> While that would work for ACL's this will currently not work for |
45 |
> manifests. It would put alternative architectures to a grinding halt and |
46 |
> seriously limit the possibilities of the x86 development. |
47 |
|
48 |
Unpopular packages may only require one signature, but surely something that |
49 |
would compromise every user (like glibc) should require multiple signatures? |
50 |
If you really need it add a FEATURES flag to ignore signatures. Obviously |
51 |
normal users should never set it. I'm not sure why you think it wouldn't work |
52 |
for manifests; its just a file. |
53 |
|
54 |
> Paul |
55 |
> |
56 |
> ps. Based on one public key on a single trusted source (A CD), how do you |
57 |
> ensure that the whole tree is uncompromised. |
58 |
|
59 |
You can't. Its an old tree which has already been signed. Trust it, or update |
60 |
to a new tree. |
61 |
|
62 |
> pps. How do you ensure that at a compromise of a key / or a rogue |
63 |
> developer this key is invalidated even when revocation is not possible |
64 |
> (like with a rogue developer) |
65 |
|
66 |
Remove the key from the ACL. |
67 |
|
68 |
-- |
69 |
gentoo-dev@g.o mailing list |