Ed Grimm said:
> On Tue, 17 Feb 2004, Brian Klauss wrote:
>
>> What I don't understand then is the problem with security of ebuilds.
>> If we can validate that the MD5 hash is consistent with the published
>> hash, then the package would be considered secure and case is
>> effectively closed?
>> Right?
>
> And how do you know the published hash? Are there not entities in the
> datastream that could alter both the file you download and the MD5 that
> you download? Especially if, as I think I've seen, emerge gets the MD5
> hash from the same source as it gets the source packages. However, even
> in the case of multiple mirrors, either the primary FTP server could've
> been cracked, or the datastream could be hijacked at the local ISP,
> inserting an altered datastream for each file.
>
> Using a PGP/GPG signature would reduce the questions of trust down to
> 'do we trust the gentoo devs', 'do we trust PGP', and 'do we trust the
> PGP signature'. Right now, we're also having to trust the primary FTP
> server, our local mirror, and all the net in between them and us,
> including our ISP, as they're all placed such that they could substitute
> alternate versions of both files, and we'd be none the wiser. Some
> people believe that is perfectly acceptable. Others do not.
>
> One could use an X509 sig instead of a PGP sig, although my impression
> is that fewer people are familiar with those. On the other hand, they
> do have a more refined chain of trust (at least, if you go with an
> existing CA rather than your own.)
I tend to agree with this point. So far extreme vigilance on the part of
the gentoo admins protected us from a potential problem when there was
previously a break-in. But in the long run, PGP or some similar
alternative would be a whole lot safer.
The really big issue is getting that kind of infrastructure in place. Do
we have each gentoo dev sign the files he/she is responsible for? I think
we can dismiss the possibility of using one key to sign everything. Maybe
a key for each software group would be feasible?
--
gentoo-security@g.o mailing list
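The trust argument above (a hash fetched from the same mirror as the package proves nothing against a compromised mirror, while a signature checked against a key the client already holds does), as an added example that is not part of this thread. It stands in a Lamport hash-based one-time signature for the PGP/GPG signature so it runs with only the Python standard library; the package contents and the "mirror" are constructed.

```python
import hashlib
import secrets

# Constructed sample package contents: the real archive and a tampered one.
GOOD_PKG = b"foo-1.0.tar.bz2: legitimate source archive"
EVIL_PKG = b"foo-1.0.tar.bz2: backdoored source archive"

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def mirror_serves(pkg):
    # Package and MD5 come from the same place, so whoever controls the
    # mirror or the datastream can rewrite both consistently.
    return pkg, md5_hex(pkg)

def client_md5_check(pkg, published_md5):
    return md5_hex(pkg) == published_md5

# Lamport one-time signature: a stdlib stand-in for a PGP signature.
def keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub

def _bits(data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(h >> i) & 1 for i in range(256)]

def sign(priv, data):
    # Reveal one preimage per digest bit; the key must be used only once.
    return [pair[bit] for pair, bit in zip(priv, _bits(data))]

def verify(pub, data, sig):
    return all(hashlib.sha256(s).digest() == pair[bit]
               for s, pair, bit in zip(sig, pub, _bits(data)))

def demo():
    # The developer signs the digest line offline. The client got the public
    # key out of band (not from the mirror), which is where trust now rests.
    priv, pub = keygen()
    manifest_sig = sign(priv, md5_hex(GOOD_PKG).encode())

    # A compromised mirror substitutes both the package and its MD5.
    pkg, published = mirror_serves(EVIL_PKG)
    md5_accepts = client_md5_check(pkg, published)                     # True
    # The mirror cannot produce a valid signature over its new digest line.
    sig_accepts = verify(pub, md5_hex(pkg).encode(), manifest_sig)     # False
    honest_ok = verify(pub, md5_hex(GOOD_PKG).encode(), manifest_sig)  # True
    return md5_accepts, sig_accepts, honest_ok
```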