On Sun, 7 Nov 2004 12:01:35 -0500
Chris Frey <cdfrey@...> wrote:
> You don't. But that's like saying there's no point in closing the front
> door since the bedroom window might be open. If the front door is
> closed and locked, then at least we can pay more attention to the open
But you have not achieved more security. That is the point. If a
distributor promises package integrity through signatures, they are
lying. It is like showing off the locked front door without mentioning the
open bedroom window.
OTOH: If you are responsible for the front door's security, you should
close it, of course. This is why Gentoo *should* use signatures.
However, it is wrong to expect or even promise a great improvement in
security through this measure.
> Plus, the glibc ebuild maintainer should be tracking the changes. He
> knows what's going on in glibc land, he knows the build process, he
> should be in touch with the main developers, and he should be reading
> the diffs.
This might work for glibc (Don't know, really.). But it certainly won't
work for many other packages. All the developer can do here is trust the
guy at the bedroom window - just to stay with that example.
> If he doesn't have the time or skill to do that, he can at least compare
> against the work of people who do, such as the source packages of Debian
> or Fedora Core. It is pretty easy to do a diff.
And Debian will compare against Gentoo, while Redhat compares against Suse,
who in turn...
My point being: Manipulations can be subtle, especially if they are
carefully planned. Many eyes are necessary to spot them. Manipulations at a
low level (a project's CVS server) could easily propagate to many distros.
So it comes down to either check for yourself or trust the upstream
developers and their signatures and checksums.
If you use signatures to verify a package, you have to understand exactly
what guarantees are given.
This is exactly one thing:
The package or ebuild is identical to the version the Gentoo developer
signed, provided that his workstation has not been compromised.
Nothing else is guaranteed.
The reason signing still makes sense is numbers and probability. There are
only few developer machines, they are mostly unknown to attackers and are
hopefully not used as servers.
rsync mirrors, otoh, are many, well known and constantly exposed to the
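To make the guarantee stated above concrete (the file is identical to what the developer signed, and nothing more), here is an added example that is not part of this thread or of Gentoo's own tooling. It assumes the Manifest2 format of `DIST <file> <size> BLAKE2B <hex> SHA512 <hex>` lines and checks downloaded files against such a Manifest; checking the signature over the Manifest itself (`gpg --verify`) is a separate step that this code does not perform. The file contents and Manifest are constructed inline.

```python
import hashlib
import hmac

# Constructed sample distfiles (not real packages): name -> bytes.
DISTFILES = {
    "foo-1.0.tar.gz": b"example tarball contents for foo-1.0\n",
    "bar-2.3.tar.gz": b"example tarball contents for bar-2.3\n",
}

# Hash algorithms a Manifest2 DIST line may list (assumed subset).
ALGOS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def manifest_line(name, data):
    """Build one DIST line in the assumed Manifest2 format for a file."""
    return "DIST {} {} BLAKE2B {} SHA512 {}".format(
        name, len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest(),
    )


# Constructed Manifest, i.e. what the developer would have signed.
MANIFEST = "\n".join(manifest_line(n, d) for n, d in DISTFILES.items()) + "\n"


def parse_manifest(text):
    """Parse DIST lines into {name: (size, {algo: hexdigest})}; skip others."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST":
            continue
        name, size = parts[1], int(parts[2])
        # Remaining fields alternate: ALGO hexdigest ALGO hexdigest ...
        hashes = dict(zip(parts[3::2], parts[4::2]))
        entries[name] = (size, hashes)
    return entries


def verify_file(name, data, entries):
    """Return (ok, reason). ok only if size and every listed hash match.

    Passing this check means exactly one thing: the bytes are what the
    Manifest author hashed. It says nothing about whether those bytes
    were already tampered with before the developer fetched them.
    """
    if name not in entries:
        return False, "not listed in Manifest"
    size, hashes = entries[name]
    if len(data) != size:
        return False, "size mismatch"
    for algo, expected in hashes.items():
        if algo not in ALGOS:
            # Refuse rather than silently skip an algorithm we cannot check.
            return False, "unknown hash " + algo
        actual = ALGOS[algo](data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, algo + " mismatch"
    return True, "matches signed Manifest"


def verify_all(files, manifest_text):
    """Verify every file in `files`; return {name: (ok, reason)}."""
    entries = parse_manifest(manifest_text)
    return {name: verify_file(name, data, entries) for name, data in files.items()}


if __name__ == "__main__":
    for name, (ok, reason) in verify_all(DISTFILES, MANIFEST).items():
        print(name, "OK" if ok else "FAIL", reason)
```

A mirror that serves a modified tarball fails the hash check, and one that serves a tarball the Manifest never mentioned fails the listing check; neither case helps if the modification was upstream of the signer, which is the limit the message above describes.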