| 1 |
On Thursday 19 February 2009, Robin H. Johnson wrote: |
| 2 |
> On Wed, Feb 18, 2009 at 11:27:41PM +0100, Robert Buchholz wrote: |
| 3 |
> > It'll also ease attacks on distfiles when first mirroring them. |
| 4 |
> |
| 5 |
> Umm, no, you missed part of what I said. I noted that the newer |
| 6 |
> Manifests in Git would contain the hashes for ONLY the distfiles, not |
| 7 |
> for other files. Distfiles suffer zero reduction in security. |
| 8 |
> The master box is NEVER generating the hash for a distfile. |
| 9 |
|
| 10 |
True, you made a different point. My argument was intended to address |
| 11 |
the proposal (at least as far as I understood it) in the previous mail |
| 12 |
(see cut below). |
| 13 |
But it's a good thing we agree having DIST Manifest inside the |
| 14 |
repository is a vital feature! |
| 15 |
|
| 16 |
------------------------------------------------------------------------ |
| 17 |
On Wednesday 18 February 2009, Donnie Berkholz wrote: |
| 18 |
> On 08:05 Mon 16 Feb , Maciej Mrozowski wrote: |
| 19 |
> > Hence the question - is it possible to *not* store and .gitignore |
| 20 |
> > Manifests is git controlled portage repository? |
| 21 |
> > As portage metadata is regenerated, maybe it would be as well |
| 22 |
> > possible to regenerate manifests on server? |
| 23 |
> > I guess it would be possible but ineffective as it would require |
| 24 |
> > all needed distfiles to be present as well and this is |
| 25 |
> > unacceptable. |
| 26 |
> |
| 27 |
> Well, if you did the generation on the master mirror, this would be |
| 28 |
> fine for the main tree. How about overlays, though? |
| 29 |
------------------------------------------------------------------------ |
| 30 |
|
| 31 |
|
| 32 |
> > hash and (2) only one box would need to be attacked via |
| 33 |
> > man-in-the-middle, whereas it is currently two. |
| 34 |
> |
| 35 |
> Your count of needing to attack two boxes presently is wrong. Just |
| 36 |
> pick some community rsyncNN.CC.gentoo.org that also hosts distfiles |
| 37 |
> via HTTP/FTP, and attack that box, replacing both a Manifest and the |
| 38 |
> distfile. |
| 39 |
|
| 40 |
The rsync attack can be avoided by using the signed tree tarballs. |
| 41 |
The DIST hash attack can't. |
| 42 |
|
| 43 |
|
| 44 |
Robert |
Archives