On Thursday 19 February 2009, Robin H. Johnson wrote:
> On Wed, Feb 18, 2009 at 11:27:41PM +0100, Robert Buchholz wrote:
> > It'll also ease attacks on distfiles when first mirroring them.
>
> Umm, no, you missed part of what I said. I noted that the newer
> Manifests in Git would contain the hashes for ONLY the distfiles, not
> for other files. Distfiles suffer zero reduction in security.
> The master box is NEVER generating the hash for a distfile.
True, you made a different point. My argument was intended to address
the proposal (at least as far as I understood it) in the previous mail
(see cut below).
But it's a good thing we agree having DIST Manifest inside the
repository is a vital feature!
------------------------------------------------------------------------
On Wednesday 18 February 2009, Donnie Berkholz wrote:
> On 08:05 Mon 16 Feb , Maciej Mrozowski wrote:
> > Hence the question - is it possible to *not* store and .gitignore
> > Manifests is git controlled portage repository?
> > As portage metadata is regenerated, maybe it would be as well
> > possible to regenerate manifests on server?
> > I guess it would be possible but ineffective as it would require
> > all needed distfiles to be present as well and this is
> > unacceptable.
>
> Well, if you did the generation on the master mirror, this would be
> fine for the main tree. How about overlays, though?
------------------------------------------------------------------------
> > hash and (2) only one box would need to be attacked via
> > man-in-the-middle, whereas it is currently two.
>
> Your count of needing to attack two boxes presently is wrong. Just
> pick some community rsyncNN.CC.gentoo.org that also hosts distfiles
> via HTTP/FTP, and attack that box, replacing both a Manifest and the
> distfile.
The rsync attack can be avoided by using the signed tree tarballs.
The DIST hash attack can't.
Robert
|
