From: | "Robin H. Johnson" <robbat2@g.o>
---|---
To: | gentoo-dev@l.g.o
Subject: | Re: [gentoo-dev] Individual developer signing
Date: | Thu, 03 Dec 2009 22:16:31
Message-Id: | robbat2-20091203T195018-687281547Z@orbis-terrarum.net
In Reply to: | [gentoo-dev] Individual developer signing by Torsten Veller

On Thu, Dec 03, 2009 at 11:32:42AM +0100, Torsten Veller wrote:
> * "Robin H. Johnson" <robbat2@g.o>:
> > The GLEP on Individual developer signing has not made it into a Draft
> > yet.
> >
> > But you can view the very brief version here:
> > http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup
>
> [...]
>
> > > 2. Every developer signs everything 100% of the time (make it a QA
> > > check).
> > +1 on this.
>
> In the GLEPs I missed the point where the signatures of Manifests are verified.
> Only the MetaManifest gets verified.
GLEP58:
under "Procedure for verifying an item in the MetaManifest"
4.2: "M2-verifying the contents of the Manifest."

Where "M2-verify" is the verb describing the verification of a Manifest.
It _may_ include signature validation.

> So what's the advantage of individually signed Manifests?
Basically making sure that your SSH keys weren't stolen.
They explicitly protect the commit from the developer to infrastructure.

MetaManifest protects the integrity of the contents from infrastructure
out to the user. It does NOT validate the functionality of the tree or
any prior injection.

> The only thing we can check: Is the key used for signing listed in ldap
> (and thus in "the keyring of automated Gentoo keys")? Are the keys in ldap
> really mine?
> Do I miss anything?
Later on I'd like to REJECT unsigned commits.

> BTW: About a third of the Manifests are signed [1]. We didn't improve
> since 2005/2006 [2]. The two parties are working hard against each other [3].
> 55 Manifests are signed by revoked keys [4].
> [1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
> [2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
> [3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
> [4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt
Nice graphs. Can you show them over a larger timespan?

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

Subject | Author |
---|---|
[gentoo-dev] Re: Individual developer signing | Torsten Veller <ml-en@××××××.net> |
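
Added example, not part of the original message and not Gentoo's own tooling: a structural gate that a "reject unsigned commits" QA check could run first, classifying each Manifest as unsigned, clearsigned, or malformed. It checks OpenPGP clearsign framing only; the function names, package paths and sample Manifests are constructed, and the signature itself still has to be verified with gpg against the developer keyring.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def classify_manifest(text):
    """Return (status, payload); status is 'unsigned', 'signed' or 'malformed'."""
    lines = text.splitlines()
    if BEGIN_MSG not in lines and BEGIN_SIG not in lines:
        return "unsigned", text
    # Content ahead of the header would sit outside the signature.
    if lines[0] != BEGIN_MSG:
        return "malformed", None
    i = 1
    while i < len(lines) and lines[i] != "":   # armor headers, e.g. "Hash: SHA256"
        if not lines[i].startswith("Hash: "):
            return "malformed", None
        i += 1
    payload = []
    for i in range(i + 1, len(lines)):
        line = lines[i]
        if line == BEGIN_SIG:
            break
        if line.startswith("- "):              # undo dash-escaping
            line = line[2:]
        elif line.startswith("-"):             # unescaped dash line in signed text
            return "malformed", None
        payload.append(line)
    else:
        return "malformed", None               # signed text never reaches a signature
    rest = lines[i + 1:]
    # The signature block must close, and nothing may trail after it.
    if END_SIG not in rest or any(l.strip() for l in rest[rest.index(END_SIG) + 1:]):
        return "malformed", None
    return "signed", "\n".join(payload)

def reject_list(manifests):
    """Paths that a 'reject unsigned commits' policy would refuse."""
    return sorted(p for p, t in manifests.items()
                  if classify_manifest(t)[0] != "signed")

# Constructed sample data: placeholder digests, not a real signature.
PLAIN = ("DIST foo-1.0.tar.gz 1024 SHA256 <digest-placeholder>\n"
         "EBUILD foo-1.0.ebuild 512 SHA256 <digest-placeholder>")
SIGNED = "\n".join([BEGIN_MSG, "Hash: SHA256", "", PLAIN, BEGIN_SIG, "",
                    "<constructed-signature-placeholder>", END_SIG, ""])
SAMPLES = {"app-misc/foo/Manifest": SIGNED,
           "app-misc/bar/Manifest": PLAIN + "\n",
           # unsigned line prepended to an otherwise signed file
           "app-misc/baz/Manifest": "DIST extra-1.0.tar.gz 1 SHA256 <digest-placeholder>\n" + SIGNED}
```

Only the payload returned for a `signed` Manifest is text the signature can cover, which is why content before the header or after the signature block is treated as malformed rather than ignored.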