Peter Simons wrote:
| This problem has nothing to do with trusted or untrusted
| code, it is about data integrity. Or, more accurately, about
| _lack_ thereof.

Security is always about trust. You have to trust someone or something.
Data, keys, servers, admins, protocols, passwords, algorithms, something...

| > (1) the server has not been compromised
|
| How do I verify this? Is there a list of SHA1 hashes of all
| files /usr/portage is supposed to contain?

Where would you store that list? In a trusted server? Would you trust
the server admin of that server?

| > (3) the server operator is trustworthy
| > (4) the person that originally created the software is trustworthy
| > (5) the server operators are sufficiently skilled to protect the software
| > (6) the person that originally created the software is sufficiently skilled
| > to protect it
|
| None of these points are relevant for the problem we are
| talking about. If Gentoo provides proper means of
| authenticating the data I receive from the mirror, I don't
| _need_ to trust the mirror's operator.

You need to trust the operator of the authentication server...

| > However, none of those issues is specific to Gentoo or
| > Open Source as a whole.
|
| The fact that other projects have the same problem doesn't
| mean that the problem shouldn't be fixed in Gentoo.

Agreed! This issue is important.

| > IMO the purely technical issues have been solved mostly.
| > However, those are the smallest and least important part.
|
| So how long will it (approximately) take until this problem
| is fixed?

Well... I guess until someone comes up with a solution! Not the problem!
The problem is already known. Gentoo is based on the community. The
community has to come up with solutions. Not wait for highly paid
developers to solve everything like in some known corporations. At least
this is how I see Gentoo. Maybe I'm wrong...

Alex's idea looks interesting:
| Just a question: could it be a good idea to move md5 on another server
| or to do 'emerge sync' asking for files on server A and digest files on
| server B where server B is any server in gentoo rsync rollover but not
| server A...
|
| Then, a person has to compromise server A and server B to get his hack
| working...
|
| Hope this helps
|
| Cheers

Redundancy could be a way to mitigate this problem. It won't solve it though...

---
Rui Covelo

--
gentoo-security@g.o mailing list