| 1 |
Tobias Klausmann wrote: |
| 2 |
|
| 3 |
>>cat /usr/portage/sys-apps/portage/Manifest |
| 4 |
> |
| 5 |
> This does not contain a GPG signature here. Of all packages... |
| 6 |
|
| 7 |
My /usr/portage/sys-apps/portage/Manifest does. |
| 8 |
|
| 9 |
> I've run a script across the entire tree, collecting 43 different |
| 10 |
> signature keys IDs from Manifest files in all (from a total of |
| 11 |
> 2074 signed Manifest files, making up about 1/4). Of those keys, |
| 12 |
> 16 were unavailable on the Subkeys Public Key Network (listed |
| 13 |
> below). Where can I get those? |
| 14 |
> [...] |
| 15 |
|
| 16 |
I think you get the problem. There have been threads like this one in |
| 17 |
the past (on gentoo-dev mostly), all discussing how easy signing is and |
| 18 |
why isn't it already implemented. Signing is not hard. Trusting the |
| 19 |
signature is. Having "eclasses signed" is necessary at some point. But |
| 20 |
if you can't already trust the signatures that are today in portage, |
| 21 |
it's not top priority. |
| 22 |
|
| 23 |
We are aware of the problem. We're slowly getting Gentoo package |
| 24 |
maintainers to sign their ebuilds. Next we'll have to establish the |
| 25 |
chain of trust right, from a master key published on trusted media, to |
| 26 |
published keys, to verification when using any file downloaded. Next |
| 27 |
we'll plug the remaining holes. All of this takes time, in part because |
| 28 |
portage modifications have to go slowly so that we don't just break |
| 29 |
things for our existing users. |
| 30 |
|
| 31 |
For the moment you still have to trust Gentoo rsync mirror |
| 32 |
infrastructure security. In the future we will get that weak link |
| 33 |
handled. And then we'll hurry to fix the new weakest link. |
| 34 |
|
| 35 |
Note that getting the key from a public key server won't authenticate |
| 36 |
anything. It will merely do the identification part. Anyone can submit a |
| 37 |
key with a gentoo.org address to a public key server. |
| 38 |
|
| 39 |
-- |
| 40 |
Thierry Carrez |
| 41 |
Operational Manager, Gentoo Linux Security |
Archives