-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 24 March 2004 01:09, Chris Bainbridge wrote:
> I think the idea of a central key controlling everything is bad - this
> means one person is ultimately responsible for the portage tree, and
> compromising this will allow access to everything. It would be better
> if every gentoo developer had a gpg key. Each package in the portage
> tree would then have a .gpg file which lists signatures for the
> package digest which contains hashes of each ebuild, files/*, and
> downloaded distfiles, and a permissions section listing who has access
> to make modifications to this dir (such as writing new ebuilds).
> People who already have access to a package are then free to grant
> access to others merely by inserting their public key into this file.
> emerge sync would have to be modified so that it checks signatures
> before files are updated.

We have a master key that does nothing but sign a more short-lived
"signing" key. This signing key, which is also highly restricted, is only
used to list which keys are acceptable to sign packages. Every dev will
still have his own key (and only access to this key).

Changing emerge sync is not really an option. There are two problems with
your idea:
- - How do I know that the permissions file is actually valid, as it is
self-signed?
- - It seriously expands the tree.
- - We currently don't want a package-based security level.

> Important packages may require multiple signatures before a file is
> installed - this is to eliminate the possibility that a compromise of
> a single gentoo developer will hand root access to every gentoo
> installed system. At the moment, every developer is a point of cvs
> write access from which an attacker could root many gentoo
> installations.

A compromise of any ebuild is able to do that, so package-based security
will not solve much of this problem.

> The key downloads, checking, revocation etc. would be handled by the
> existing gpg keyserver infrastructure (e.g. keyserver.net). There is no
> need for an all powerful gentoo key, or even distribution system.
> Simply have emerge call gpg to do everything.

That's not really possible. For one, signing a key in gpg means that you
verified that this person is who he says he is. The keychain does not
have such a meaning; it means: the person belonging to this key is
allowed to approve packages in the tree. That does not guarantee that
the person is who he says he is, except that we are confident this
person is a gentoo developer (he has access to gentoo cvs etc).

Also, the gpg infrastructure does not provide any way to say who is
actually allowed to sign packages; it just enables one to identify who
signed it, and it enables people to say "I signed it", as I can sign
something which can be decoded with the same public key.

> This only really requires changes to the emerge sync process and a
> developer script to check, sign, and post changes. Everything else can
> be handed off to gpg. It would also enable some more exciting
> distribution methods like RSS channels listing new signed files in
> portage along with a p2p backend to fetch them, automatic security
> updates, etc.

P2P and RSS are completely independent of the signing problem, and signing
does not enable or disable the use of these systems.

Paul

- --
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAYWk4bKx5DBjWFdsRAoReAJ9/zIwAekxYhcbBmi7y3Iasx3XfnQCgqLI9
5eYehXbC9nlrkzqefQJh+Bk=
=gH/a
-----END PGP SIGNATURE-----

--
gentoo-dev@g.o mailing list
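The key hierarchy described in the reply above (a master key that does nothing but certify a short-lived signing key, which in turn publishes the list of keys acceptable for signing packages, with each developer holding only their own key) as an added example. This is not code from the thread and not Gentoo's or Portage's implementation: it uses Ed25519 from Go's standard library in place of GnuPG, a constructed JSON key-list format with an expiry, placeholder Manifest bytes, and hypothetical names (`KeyList`, `Chain`, `BuildChain`, `VerifyManifest`). It shows the two points the reply makes: a signature only proves which key signed, while the signed key list is what says whether that key is allowed to sign packages, and the client must already hold the master public key out of band, because a list that vouches for itself is the "self-signed" problem raised against the per-package permissions file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// KeyList is what the short-lived signing key certifies: which developer keys may
// sign Manifests and until when. The JSON layout is a constructed assumption.
type KeyList struct {
	NotAfter    int64    `json:"not_after"`    // Unix seconds
	AllowedKeys []string `json:"allowed_keys"` // hex-encoded Ed25519 public keys
}

// Chain is fetched with the tree. The master public key is deliberately absent: the
// client must already hold it, otherwise the key list would be self-certifying.
type Chain struct {
	SigningPub    ed25519.PublicKey
	SigningPubSig []byte // master key's signature over SigningPub
	KeyListBytes  []byte // JSON-encoded KeyList
	KeyListSig    []byte // signing key's signature over KeyListBytes
}

// BuildChain is the distribution side: the master key certifies the signing key,
// and the signing key signs the list of authorised developer keys.
func BuildChain(masterPriv, signingPriv ed25519.PrivateKey, allowed []ed25519.PublicKey, notAfter time.Time) (Chain, error) {
	kl := KeyList{NotAfter: notAfter.Unix()}
	for _, k := range allowed {
		kl.AllowedKeys = append(kl.AllowedKeys, fmt.Sprintf("%x", k))
	}
	klBytes, err := json.Marshal(kl)
	if err != nil {
		return Chain{}, err
	}
	signingPub := signingPriv.Public().(ed25519.PublicKey)
	return Chain{SigningPub: signingPub, SigningPubSig: ed25519.Sign(masterPriv, signingPub),
		KeyListBytes: klBytes, KeyListSig: ed25519.Sign(signingPriv, klBytes)}, nil
}

// VerifyManifest walks master -> signing key -> key list -> developer key -> Manifest.
// Identity (the signature really is from key K) and authorisation (K is on the list)
// are separate checks, so a valid signature from an unlisted key is rejected.
func VerifyManifest(masterPub ed25519.PublicKey, c Chain, devPub ed25519.PublicKey, manifest, manifestSig []byte, now time.Time) error {
	if len(c.SigningPub) != ed25519.PublicKeySize || len(devPub) != ed25519.PublicKeySize {
		return errors.New("malformed public key") // ed25519.Verify panics on bad lengths
	}
	if !ed25519.Verify(masterPub, c.SigningPub, c.SigningPubSig) {
		return errors.New("signing key is not certified by the master key")
	}
	if !ed25519.Verify(c.SigningPub, c.KeyListBytes, c.KeyListSig) {
		return errors.New("key list is not signed by the signing key")
	}
	var kl KeyList
	if err := json.Unmarshal(c.KeyListBytes, &kl); err != nil {
		return fmt.Errorf("malformed key list: %w", err)
	}
	if now.Unix() > kl.NotAfter {
		return errors.New("key list has expired")
	}
	authorised := false
	for _, k := range kl.AllowedKeys {
		authorised = authorised || k == fmt.Sprintf("%x", devPub)
	}
	if !authorised {
		return errors.New("developer key is not authorised to sign packages")
	}
	if !ed25519.Verify(devPub, manifest, manifestSig) {
		return errors.New("Manifest signature is invalid")
	}
	return nil
}

func main() { // constructed demo: fresh keys, one listed developer, one outsider
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, signingPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	outPub, outPriv, _ := ed25519.GenerateKey(rand.Reader) // perfectly valid key, never listed
	chain, _ := BuildChain(masterPriv, signingPriv, []ed25519.PublicKey{devPub}, time.Now().Add(7*24*time.Hour))
	manifest := []byte("SHA256 <constructed placeholder digest> foo-1.0.ebuild\n")
	fmt.Println("listed dev:", VerifyManifest(masterPub, chain, devPub, manifest, ed25519.Sign(devPriv, manifest), time.Now()))
	fmt.Println("outsider:  ", VerifyManifest(masterPub, chain, outPub, manifest, ed25519.Sign(outPriv, manifest), time.Now()))
}
```

The expiry in the key list is what makes the signing key "short-lived" in practice: a client that has not synced past `NotAfter` refuses the whole tree rather than trusting a stale authorisation list, and revoking a developer is a matter of publishing a new list without that key, with no dependency on keyserver revocation propagation.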