| 1 |
* Chris Bainbridge (C.J.Bainbridge@×××××.uk) wrote: |
| 2 |
> Date: Thu, 25 Mar 2004 14:27:40 +0000 |
| 3 |
> From: Chris Bainbridge <C.J.Bainbridge@×××××.uk> |
| 4 |
> To: gentoo-dev@l.g.o |
| 5 |
> User-Agent: KMail/1.6.1 |
| 6 |
> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63 |
| 7 |
> Subject: Re: [gentoo-dev] 2004.1 will not include a secure portage. |
| 8 |
> |
| 9 |
|
| 10 |
<snip> |
| 11 |
> > As it is possible to have an approach that does offer such security, this |
| 12 |
> > solution is inferior. |
| 13 |
> |
| 14 |
> You have an old copy of a signed tree. Without updating it is impossible to |
| 15 |
> ensure that a compromise has not been discovered since then. Your solution is |
| 16 |
> the same in this respect. |
| 17 |
> |
| 18 |
|
| 19 |
well if you move key verification into (or in addition to) the build process and make it aware of key servers. Invalidate a key on the keyserver and portage can refuse to build anything signed by DevX(or key X) or under pauls proposal a whole tree could be deemed untrusted. |
| 20 |
|
| 21 |
just by allowing a check on emerge to verify your local keyring is still fresh etc. this doesn't require a new tree, and would work for ppl that are periodically online etc. Keyring maintenance would have to be a tool outside of portage altogether tho. |
| 22 |
|
| 23 |
|
| 24 |
<rant> |
| 25 |
I would love to see it so that if ppl who are running prod servers want to verify against 3 public sources all sigs they could and its all built in. this would outpace every other oss distro out there in terms of package security. If they only want packages that have had a few devs look @ them they can set that as well. If joe-user doesnt give a dam he can turn all paranoia checks off. It's keeping with the "gentoo way" IMHO. |
| 26 |
</rant> |
| 27 |
|
| 28 |
/me sleeps |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-dev@g.o mailing list |
Archives