Archives
Archives
| From: | "Robin H. Johnson" <robbat2@g.o> | ||
|---|---|---|---|
| To: | gentoo-dev@l.g.o | ||
| Subject: | Re: [gentoo-dev] Individual developer signing | ||
| Date: | Thu, 03 Dec 2009 22:16:31 | ||
| Message-Id: | robbat2-20091203T195018-687281547Z@orbis-terrarum.net | ||
| In Reply to: | [gentoo-dev] Individual developer signing by Torsten Veller |
||
| 1 | On Thu, Dec 03, 2009 at 11:32:42AM +0100, Torsten Veller wrote: |
| 2 | > * "Robin H. Johnson" <robbat2@g.o>: |
| 3 | > > The GLEP on Individual developer signing has not made it into a Draft |
| 4 | > > yet. |
| 5 | > > |
| 6 | > > But you can view the very brief version here: |
| 7 | > > http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup |
| 8 | > |
| 9 | > [...] |
| 10 | > |
| 11 | > > > 2. Every developer signs everything 100% of the time (make it a QA |
| 12 | > > > check). |
| 13 | > > +1 on this. |
| 14 | > |
| 15 | > In the GLEPs i missed the point where the signatures of Manifests are verified. |
| 16 | > Only the MetaManifest gets verified. |
| 17 | GLEP58: |
| 18 | under "Procedure for verifying an item in the MetaManifest" |
| 19 | 4.2: "M2-verifying the contents of the Manifest." |
| 20 | |
| 21 | Where "M2-verify" is the verb describing the verification of a Manifest. |
| 22 | It _may_ include signature validation. |
| 23 | |
| 24 | > So what's the advantage of individually signed Manifests? |
| 25 | Basically making sure that your SSH keys weren't stolen. |
| 26 | They explicitly protect the commit from the developer to infrastructure. |
| 27 | |
| 28 | MetaManifest protects the integrity of the contents from infrastructure |
| 29 | out to the user. It does NOT validate the functionality of the tree or |
| 30 | any prior injection. |
| 31 | |
| 32 | > The only thing we can check: Is the key used for signing listed in ldap |
| 33 | > (and thus in "the keyring of automated Gentoo keys")? Are the keys in ldap |
| 34 | > really mine? |
| 35 | > Do I miss anything? |
| 36 | Later on I'd like to REJECT unsigned commits. |
| 37 | |
| 38 | > BTW: About a third of the Manifests are signed [1]. We didn't improve |
| 39 | > since 2005/2006 [2]. The two parties are working hard against each other [3]. |
| 40 | > 55 Manifests are signed by revoked keys [4]. |
| 41 | > [1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png |
| 42 | > [2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png |
| 43 | > [3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png |
| 44 | > [4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt |
| 45 | Nice graphs. Can you show them over a larger timespan? |
| 46 | |
| 47 | -- |
| 48 | Robin Hugh Johnson |
| 49 | Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 50 | E-Mail : robbat2@g.o |
| 51 | GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
| Subject | Author |
|---|---|
| [gentoo-dev] Re: Individual developer signing | Torsten Veller <ml-en@××××××.net> |
