| 1 |
On Sun, May 01, 2011 at 03:33:25PM -0700, Brian Harring wrote: |
| 2 |
> On Sun, May 01, 2011 at 10:08:31PM +0100, Markos Chandras wrote: |
| 3 |
> > Since most ( if not all ) of us use the same message on the Changelog |
| 4 |
> > and on the commit log, it probably worth the effort of having the rsync |
| 5 |
> > servers create the Changelogs before populate the portage tree. Having |
| 6 |
> > the servers do that, will also allow us to provide cut down Changelogs |
| 7 |
> > ( lets say keep that last 10 entries ) so we can provide a more minimal |
| 8 |
> > portage tree, size wise. A huge portage tree might not be a problem for |
| 9 |
> > most of us but it sure is for embedded and all kind of similar systems. |
| 10 |
> |
| 11 |
> This opens up a bit of nastyness; either the service would have to |
| 12 |
> resign all manifests (which defeats a fair bit of the signing intent), |
| 13 |
> or ChangeLog's would have to pulled in full from cvs, generated |
| 14 |
> strictly server side (else manifest will have stale chksums for it), |
| 15 |
> and ChangeLog will have to exist outside of all validation. |
| 16 |
> |
| 17 |
> So... either resigning everywhere for regen, or having no validation |
| 18 |
> asserted on the ChangeLog- meaning certain men in the middle have a |
| 19 |
> nice area to inject some unfriendly things for anyone who happens to |
| 20 |
> read it. |
| 21 |
> |
| 22 |
> ~harring |
| 23 |
> |
| 24 |
|
| 25 |
Thats a fair point but the way I see it we need to make a balanced |
| 26 |
choice. Obviously is not feasible to have the rsync servers |
| 27 |
resign everything. This would require having all the gpg keys on the rsync |
| 28 |
servers, fetch the developer's name from the last cvs commit and use his |
| 29 |
key to resign it. It doesn't look that smart to me. |
| 30 |
Leaving Changelogs unprotected might be a bit of a trouble but it |
| 31 |
certainly is not that big a deal. Nothing serious can happen if someone |
| 32 |
hijacks a plain text file. |
| 33 |
In case people want to ensure |
| 34 |
end-to-end point integrity, we can use a separate GPG key for the rsync |
| 35 |
server. However, this will make our GPG keys useless, and having a |
| 36 |
single key to sing 10.000 Manifest files does not look good either. |
| 37 |
|
| 38 |
Regards, |
| 39 |
-- |
| 40 |
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2 |
Archives