On Thursday 19 February 2009, Robin H. Johnson wrote:
> On Wed, Feb 18, 2009 at 11:27:41PM +0100, Robert Buchholz wrote:
> > It'll also ease attacks on distfiles when first mirroring them.
>
> Umm, no, you missed part of what I said. I noted that the newer
> Manifests in Git would contain the hashes for ONLY the distfiles, not
> for other files. Distfiles suffer zero reduction in security.
> The master box is NEVER generating the hash for a distfile.

True, you made a different point. My argument was intended to address
the proposal (at least as far as I understood it) in the previous mail
(see cut below).
But it's a good thing we agree that having DIST Manifest inside the
repository is a vital feature!

------------------------------------------------------------------------
On Wednesday 18 February 2009, Donnie Berkholz wrote:
> On 08:05 Mon 16 Feb, Maciej Mrozowski wrote:
> > Hence the question - is it possible to *not* store and .gitignore
> > Manifests in a git-controlled portage repository?
> > As portage metadata is regenerated, maybe it would be as well
> > possible to regenerate manifests on server?
> > I guess it would be possible but ineffective as it would require
> > all needed distfiles to be present as well and this is
> > unacceptable.
>
> Well, if you did the generation on the master mirror, this would be
> fine for the main tree. How about overlays, though?
------------------------------------------------------------------------


> > hash and (2) only one box would need to be attacked via
> > man-in-the-middle, whereas it is currently two.
>
> Your count of needing to attack two boxes presently is wrong. Just
> pick some community rsyncNN.CC.gentoo.org that also hosts distfiles
> via HTTP/FTP, and attack that box, replacing both a Manifest and the
> distfile.

The rsync attack can be avoided by using the signed tree tarballs.
The DIST hash attack can't.


Robert
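The point both sides of the thread rely on is that a DIST entry pins a distfile to a size and a set of hashes that were computed on the developer's box and committed with the tree, so a mirror that merely serves the distfile cannot swap it without the Manifest check failing. The following is an added illustration written for this page, not code from the thread or from Portage: a minimal generator for the DIST line (the developer side) and a verifier for it (the user side), run against a constructed sample distfile and a tampered copy. It assumes the Manifest2 line layout `DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]` and uses BLAKE2B and SHA512 as the hash set (the modern Gentoo choice, not the 2009 one); all file names and contents are made up.

```python
import hashlib
import hmac

# Hash algorithms we know how to recompute. Assumption: the modern
# Gentoo pair; the 2009 tree used a different set, which is irrelevant
# to the structure of the check.
HASHES = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def make_dist_entry(filename: str, data: bytes) -> str:
    """Developer side: build the DIST line that gets committed with the tree."""
    parts = ["DIST", filename, str(len(data))]
    for algo, ctor in HASHES.items():
        parts += [algo, ctor(data).hexdigest()]
    return " ".join(parts)


def parse_manifest(text: str) -> dict:
    """Map filename -> (size, {algo: hexdigest}) for every DIST line.

    Non-DIST lines are ignored; a DIST line needs at least one algo/digest
    pair, so the field count must be odd and at least 5.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
            continue
        filename, size = fields[1], int(fields[2])
        digests = dict(zip(fields[3::2], fields[4::2]))
        entries[filename] = (size, digests)
    return entries


def verify_distfile(manifest_text: str, filename: str, data: bytes):
    """User side: check a fetched distfile against the committed DIST entry.

    Returns (ok, reason). Size is checked first (cheap), then every hash
    whose algorithm we support; an entry with no supported hash is rejected
    rather than silently accepted.
    """
    entries = parse_manifest(manifest_text)
    if filename not in entries:
        return False, "no DIST entry"
    size, digests = entries[filename]
    if len(data) != size:
        return False, f"size mismatch: expected {size}, got {len(data)}"
    checked = 0
    for algo, expected in digests.items():
        ctor = HASHES.get(algo)
        if ctor is None:
            continue
        if not hmac.compare_digest(ctor(data).hexdigest(), expected):
            return False, f"{algo} mismatch"
        checked += 1
    if checked == 0:
        return False, "no supported hash to verify"
    return True, "ok"


# Constructed sample data: a pretend distfile, and a same-length tampered
# copy of the kind a compromised HTTP/FTP mirror might serve.
GOOD = b"constructed distfile payload 1.0\n"
TAMPERED = GOOD.replace(b"1.0", b"2.0")
MANIFEST = "\n".join([
    "EBUILD foo-1.0.ebuild 512 SHA512 0000",   # non-DIST line, ignored here
    make_dist_entry("foo-1.0.tar.gz", GOOD),
])


def demo() -> dict:
    """Run the verifier over the good, tampered and missing cases."""
    return {
        "good": verify_distfile(MANIFEST, "foo-1.0.tar.gz", GOOD),
        "tampered": verify_distfile(MANIFEST, "foo-1.0.tar.gz", TAMPERED),
        "truncated": verify_distfile(MANIFEST, "foo-1.0.tar.gz", GOOD[:-1]),
        "unknown": verify_distfile(MANIFEST, "bar-2.0.tar.gz", GOOD),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the DIST line travels with the tree (and, with signed tree tarballs, under the tree's signature), replacing only the distfile on a mirror fails the `tampered` path above; an attacker who controls both the rsync mirror and the distfile host can replace the Manifest as well, which is exactly why the Manifest needs to arrive through a signed channel rather than be regenerated on a mirror.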