| 1 |
epistula abs te missa profluit verbis: |
| 2 |
> The point is that if we implement signing, a user can say, ``Well, I |
| 3 |
> distrust the authors of this sourceforge project'' if they wish. But if |
| 4 |
> we do not, they may trust the authors and yet still not be able to |
| 5 |
> trust the source. |
| 6 |
|
| 7 |
He wouldn't be able to trust it with signatures neither. How will he get |
| 8 |
the source while "trusting" the author? From a server that's "maintained" |
| 9 |
and announced by a DNS that's "maintained", all of them running software |
| 10 |
that's "maintained", with source being uploaded over "maintained" ISP |
| 11 |
lines, checked against "maintained" keys on "maintained" servers etc. |
| 12 |
etc. etc. |
| 13 |
|
| 14 |
> So the reasonable, expected behavior from portage is that the source |
| 15 |
> downloaded is the source it claims to be. If we do not trust the |
| 16 |
> original source, we needn't install the package, but if we do, we |
| 17 |
> should be able to trust the package implicity. Right now, we cannot |
| 18 |
> trust the package, even if we trust the original authors. Signing fixes |
| 19 |
> this problem. |
| 20 |
|
| 21 |
MD5 hashes are sufficient then, because one would have to trust "other's" |
| 22 |
keys, rely on their correct usage, their propper storage etc. etc. The |
| 23 |
"technical" sin comparing md5 hashed packages to gpg-signed packages is |
| 24 |
securitywise just statistical, and therefore of no use for the single |
| 25 |
user with respect to the total process selecting, getting, compiling and |
| 26 |
installing a certain package. One always got to accept a certain point of |
| 27 |
basic trust, agreed. But the question _here_ is: is this certain point |
| 28 |
more calculable and therefore more secure by using gpg-signed ebuilds? |
| 29 |
I'd still disagree. |
| 30 |
|
| 31 |
> Again, this is like saying that since we have not had the NSA conduct |
| 32 |
> background checks on each and every open source developer, we should |
| 33 |
> not trust their products. Well, fine, then don't install them. But if |
| 34 |
> you decide you trust the folks at kernel.org, or KDE, or GAIM, or |
| 35 |
> whatever, you should be able to trust the vanilla-sources ebuild, or |
| 36 |
> the kde ebuild, or the gaim ebuild. Right now, you cannot. So even when |
| 37 |
> one does choose to trust upstream, he cannot trust portage. That is |
| 38 |
> broken. |
| 39 |
|
| 40 |
Again: what is won? (In terms of CALCULABLE security gain for the |
| 41 |
individual user.) I would go over a bridge, as long as the sign at the |
| 42 |
entrance would say "up to 2 tons". But I'd eventually rather climb down, |
| 43 |
walk, swim (whatever), if it would say "95%". So finally: signed ebuilds |
| 44 |
add 0,5%. It's statistically more secure, but practically of no use |
| 45 |
(apart from that fluffy "security enhanced feeling" maybe). |
| 46 |
|
| 47 |
-- |
| 48 |
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01 |
| 49 |
eMail: awaschb@××××.de |
| 50 |
|
| 51 |
The new annoyance filter is so advanced that |
| 52 |
some people arrive on the list pre plonked. |
Archives