| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On Wednesday 24 March 2004 01:09, Chris Bainbridge wrote: |
| 5 |
> I think the idea of a central key controlling everything is bad - this |
| 6 |
> means one person is ultimately responsible for the portage tree, and |
| 7 |
> compromising this will allow access to everything. It would be better |
| 8 |
> if every gentoo developer had a gpg key. Each package in the portage |
| 9 |
> tree would then have a .gpg file which lists signatures for the |
| 10 |
> package digest which contains hashes of each ebuild, files/*, and |
| 11 |
> downloaded distfiles, and a permissions section listing who has access |
| 12 |
> to make modifications to this dir (such as writing new ebuilds). |
| 13 |
> People who already have access to a package are then free to grant |
| 14 |
> access to others merely by inserting their public key into this file. |
| 15 |
> emerge sync would have to be modified so that it checks signatures |
| 16 |
> before files are updated. |
| 17 |
|
| 18 |
We have a master key that does nothing but sign a more shortlived |
| 19 |
"signing" key. This signing key which is also highly restricted is only |
| 20 |
used to list which keys are acceptable to sign packages. Every dev will |
| 21 |
still have his own key (and only access to this key). |
| 22 |
|
| 23 |
Changing emerge sync is not really an option. There are two problems with |
| 24 |
your idea: |
| 25 |
- - How do I know that the permissions file is actually valid as it is |
| 26 |
self-signed. |
| 27 |
- - It seriously expands the tree. |
| 28 |
- - We currently don't want a package based security level. |
| 29 |
|
| 30 |
> Important packages may require multiple signatures before a file is |
| 31 |
> installed - this is to eliminate the possibility that a compromise of |
| 32 |
> a single gentoo developer will hand root access to every gentoo |
| 33 |
> installed system. At the moment, every developer is a point of cvs |
| 34 |
> write access from which an attacker could root many gentoo |
| 35 |
> installations. |
| 36 |
|
| 37 |
A compromise of any ebuild is able to do that so package based security |
| 38 |
will not solve much of this problem. |
| 39 |
|
| 40 |
> The key downloads, checking, revocation etc. would be handled by the |
| 41 |
> existing gpg keyserver infrastructure (eg. keyserver.net). There is no |
| 42 |
> need for an all powerful gentoo key, or even distribution system. |
| 43 |
> Simply have emerge call gpg to do everything. |
| 44 |
|
| 45 |
That's not really possible. For one signing a key in gpg means that you |
| 46 |
verified that this person is who he says he is. The keychain does not |
| 47 |
have such a meaning it means: the person belonging to this key is |
| 48 |
allowed to approve packages in the tree. That does not guarantee that |
| 49 |
the person is who he says he is, except that we are confident this |
| 50 |
person is a gentoo developer (he has access to gentoo cvs etc). |
| 51 |
|
| 52 |
Also the gpg infrastructure does not provide any way to say who is |
| 53 |
actually allowed to sign packages, it just enables to identify who |
| 54 |
signed it, and it enables people to say I signed it as I can sign |
| 55 |
something which can be decoded with the same public key. |
| 56 |
|
| 57 |
> This only really requires changes to the emerge sync process and a |
| 58 |
> developer script to check, sign, and post changes. Everything else can |
| 59 |
> be handed off to gpg. It would also enable some more exciting |
| 60 |
> distribution methods like RSS channels listing new signed files in |
| 61 |
> portage along with a p2p backend to fetch them, automatic security |
| 62 |
> updates, etc. |
| 63 |
|
| 64 |
p2p and rss are completely independent of the signing problem and signing |
| 65 |
does not enable or disable the use of these systems. |
| 66 |
|
| 67 |
Paul |
| 68 |
|
| 69 |
- -- |
| 70 |
Paul de Vrieze |
| 71 |
Gentoo Developer |
| 72 |
Mail: pauldv@g.o |
| 73 |
Homepage: http://www.devrieze.net |
| 74 |
-----BEGIN PGP SIGNATURE----- |
| 75 |
Version: GnuPG v1.2.4 (GNU/Linux) |
| 76 |
|
| 77 |
iD8DBQFAYWk4bKx5DBjWFdsRAoReAJ9/zIwAekxYhcbBmi7y3Iasx3XfnQCgqLI9 |
| 78 |
5eYehXbC9nlrkzqefQJh+Bk= |
| 79 |
=gH/a |
| 80 |
-----END PGP SIGNATURE----- |
| 81 |
|
| 82 |
-- |
| 83 |
gentoo-dev@g.o mailing list |
Archives