The letter you sent flowed forth with these words:

> The point is that if we implement signing, a user can say, ``Well, I
> distrust the authors of this sourceforge project'' if they wish. But if
> we do not, they may trust the authors and yet still not be able to
> trust the source.

He wouldn't be able to trust it with signatures either. How will he get
the source while "trusting" the author? From a server that's "maintained"
and announced by a DNS that's "maintained", all of them running software
that's "maintained", with source being uploaded over "maintained" ISP
lines, checked against "maintained" keys on "maintained" servers etc.
etc. etc.

> So the reasonable, expected behavior from portage is that the source
> downloaded is the source it claims to be. If we do not trust the
> original source, we needn't install the package, but if we do, we
> should be able to trust the package implicitly. Right now, we cannot
> trust the package, even if we trust the original authors. Signing fixes
> this problem.

MD5 hashes are sufficient then, because one would have to trust "others'"
keys, rely on their correct usage, their proper storage etc. etc. The
"technical" sin in comparing md5-hashed packages to gpg-signed packages is
securitywise just statistical, and therefore of no use for the single
user with respect to the total process of selecting, getting, compiling and
installing a certain package. One always has to accept a certain point of
basic trust, agreed. But the question _here_ is: is this certain point
more calculable and therefore more secure by using gpg-signed ebuilds?
I'd still disagree.

> Again, this is like saying that since we have not had the NSA conduct
> background checks on each and every open source developer, we should
> not trust their products. Well, fine, then don't install them. But if
> you decide you trust the folks at kernel.org, or KDE, or GAIM, or
> whatever, you should be able to trust the vanilla-sources ebuild, or
> the kde ebuild, or the gaim ebuild. Right now, you cannot. So even when
> one does choose to trust upstream, he cannot trust portage. That is
> broken.

Again: what is won? (In terms of CALCULABLE security gain for the
individual user.) I would go over a bridge, as long as the sign at the
entrance said "up to 2 tons". But I'd eventually rather climb down,
walk, swim (whatever), if it said "95%". So finally: signed ebuilds
add 0.5%. It's statistically more secure, but practically of no use
(apart from that fluffy "security enhanced feeling" maybe).

--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@××××.de

The new annoyance filter is so advanced that
some people arrive on the list pre-plonked.
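The two checks the thread compares, as an added example that is not part of the original message or of portage itself: a Manifest of MD5 lines checked against the fetched file, and a detached signature over that Manifest checked against a key the user already holds. The RSA is textbook (no padding, small primes, fixed seed) and the Manifest layout is assumed for illustration; the sample tarballs are constructed stand-ins. The code shows what each check does and does not detect; where the trust in the signing key comes from, the point the message argues about, is outside it.

```python
"""Toy model of a Manifest digest check versus a signature over the
Manifest. Added example: textbook RSA with short primes and a fixed
seed, for illustration only, never for real verification."""
import hashlib
import random

_rng = random.Random(2003)  # fixed seed: deterministic demo key


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test, adequate for an illustrative key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 160):
    """Textbook RSA keypair; a 320-bit modulus exceeds a SHA-256 digest,
    so the digest can be signed directly as one integer (toy only)."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def make_manifest(files: dict) -> bytes:
    """One 'MD5 <hex> <name> <size>' line per file (layout assumed)."""
    lines = [f"MD5 {hashlib.md5(b).hexdigest()} {name} {len(b)}"
             for name, b in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def digests_match(manifest: bytes, files: dict) -> bool:
    """The MD5-only check: every Manifest line must match a fetched file."""
    for line in manifest.decode().splitlines():
        _, hexdigest, name, size = line.split()
        data = files.get(name)
        if data is None or len(data) != int(size):
            return False
        if hashlib.md5(data).hexdigest() != hexdigest:
            return False
    return True


def run_scenarios() -> dict:
    """Returns (digest check, signature check) for three constructed cases."""
    pub, priv = generate_keypair()
    good = {"gaim-0.59.tar.bz2": b"constructed stand-in for the real tarball"}
    manifest = make_manifest(good)
    manifest_sig = sign(priv, manifest)  # signed by the developer key

    # 1. Honest mirror: both checks pass.
    honest = (digests_match(manifest, good), verify(pub, manifest, manifest_sig))

    # 2. Tarball altered, Manifest left alone: the MD5 line catches it.
    corrupt = {"gaim-0.59.tar.bz2": good["gaim-0.59.tar.bz2"] + b"\x00"}
    altered = (digests_match(manifest, corrupt), verify(pub, manifest, manifest_sig))

    # 3. Mirror owner swaps the tarball AND regenerates the Manifest:
    #    MD5 passes; the old signature no longer covers this Manifest.
    evil = {"gaim-0.59.tar.bz2": b"constructed tarball with a backdoor"}
    evil_manifest = make_manifest(evil)
    owned = (digests_match(evil_manifest, evil), verify(pub, evil_manifest, manifest_sig))

    return {"honest": honest, "altered_tarball": altered, "mirror_owned": owned}


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 3 is the only one where the two checks disagree: whoever can write the tarball can usually rewrite the digest beside it, so the digest check only moves the question to whoever controls the Manifest, while the signature moves it to whoever controls the key and to how the user obtained that key.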