On Sun, May 01, 2011 at 03:33:25PM -0700, Brian Harring wrote:
> On Sun, May 01, 2011 at 10:08:31PM +0100, Markos Chandras wrote:
> > Since most (if not all) of us use the same message on the ChangeLog
> > and on the commit log, it is probably worth the effort of having the rsync
> > servers create the ChangeLogs before populating the portage tree. Having
> > the servers do that will also allow us to provide cut-down ChangeLogs
> > (let's say keep the last 10 entries) so we can provide a more minimal
> > portage tree, size-wise. A huge portage tree might not be a problem for
> > most of us, but it sure is for embedded and all kinds of similar systems.
>
> This opens up a bit of nastiness; either the service would have to
> resign all manifests (which defeats a fair bit of the signing intent),
> or ChangeLogs would have to be pulled in full from cvs, generated
> strictly server side (else the manifest will have stale chksums for it),
> and ChangeLog will have to exist outside of all validation.
>
> So... either resigning everywhere for regen, or having no validation
> asserted on the ChangeLog, meaning certain men in the middle have a
> nice area to inject some unfriendly things for anyone who happens to
> read it.
>
> ~harring
>

That's a fair point, but the way I see it we need to make a balanced
choice. Obviously it is not feasible to have the rsync servers
resign everything. This would require having all the gpg keys on the rsync
servers, fetching the developer's name from the last cvs commit and using his
key to resign it. It doesn't look that smart to me.
Leaving ChangeLogs unprotected might be a bit of trouble, but it
certainly is not that big a deal. Nothing serious can happen if someone
hijacks a plain text file.
In case people want to ensure
end-to-end point integrity, we can use a separate GPG key for the rsync
server. However, this will make our GPG keys useless, and having a
single key to sign 10.000 Manifest files does not look good either.

Regards,
-- 
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2
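The two outcomes Brian describes for a server-generated ChangeLog, a stale checksum in a signed Manifest or a file that the Manifest never covers at all, are both things a consumer of the tree can detect. The following is an added example, not code from this thread or from Portage: a small Python checker that classifies a package directory's files against a constructed Manifest2-style file (the `parse_manifest`, `check_tree` and `build_demo` names are this example's own), reporting which files are verified, which are stale, and which a Manifest signature says nothing about.

```python
import hashlib, os, tempfile

def parse_manifest(text):
    """Parse Manifest2 lines "TYPE name size HASH hexdigest [HASH hexdigest...]"
    into {name: (size, {hashname: hexdigest})}."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or (len(f) - 3) % 2:
            continue  # blank or malformed line
        entries[f[1]] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries

def check_tree(pkg_dir, manifest_text):
    """Classify files against the Manifest: 'ok', 'stale' (listed, but size or
    digest differs), 'unvalidated' (on disk, not listed; a Manifest signature
    says nothing about these). Top-level only; AUX files under files/ skipped."""
    entries = parse_manifest(manifest_text)
    on_disk = {n for n in os.listdir(pkg_dir) if n != "Manifest"}
    res = {"ok": [], "stale": [], "unvalidated": sorted(on_disk - set(entries))}
    for name in sorted(on_disk & set(entries)):
        size, hashes = entries[name]
        with open(os.path.join(pkg_dir, name), "rb") as fh:
            data = fh.read()
        good = len(data) == size and all(
            hashlib.new(alg.lower(), data).hexdigest() == dig for alg, dig in hashes.items())
        res["ok" if good else "stale"].append(name)
    return res

def build_demo(pkg_dir):
    """Constructed package dir (not a real tree): ebuild matches the Manifest,
    ChangeLog was regenerated after signing, ChangeLog-2010 was never listed."""
    committed = b"*foo-1.0 (01 May 2011)\n  Initial import.\n"
    files = {"foo-1.0.ebuild": b"EAPI=4\nDESCRIPTION='demo'\n", "ChangeLog": committed}
    lines = ["%s %s %d SHA256 %s" % ("EBUILD" if n.endswith(".ebuild") else "MISC",
             n, len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()]
    files["ChangeLog"] = committed + b"  Regenerated by the rsync server.\n"
    files["ChangeLog-2010"] = b"(older entries)\n"
    for n, d in files.items():
        with open(os.path.join(pkg_dir, n), "wb") as fh:
            fh.write(d)
    return "\n".join(lines) + "\n"

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return check_tree(d, build_demo(d))

if __name__ == "__main__":
    print(run_demo())
```

Running it reports the ebuild as ok, the regenerated ChangeLog as stale, and ChangeLog-2010 as unvalidated, which is exactly the split between "resign everywhere" and "no validation on the ChangeLog" that the thread is weighing.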