| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 03/25/2011 05:44 AM, Andreas K. Huettel wrote: |
| 5 |
>>> * The key should be signed by some central instance for automated |
| 6 |
>>> validity check. |
| 7 |
>>> |
| 8 |
>>> Here things get hairy. How about having recruiter/infra team sign a dev's |
| 9 |
>>> key on completion of the recruitment process? Just a first thought... |
| 10 |
>> |
| 11 |
>> I think this is an important requirement however it's quite difficult |
| 12 |
>> to conduct reliably. A normal keysigning process usually requires |
| 13 |
>> knowing one personally (and perhaps verifying fingerprints over a |
| 14 |
>> phone with voice verification), seeing one's ID personally and the |
| 15 |
>> like. This is probably unfeasible in the Gentoo development |
| 16 |
>> environment (I'm not a dev, though, so I'm just guessing). |
| 17 |
> |
| 18 |
> Well, as long as the signed UID is the specific "Gentoo address UID", this |
| 19 |
> should be no problem, since... |
| 20 |
> |
| 21 |
> * the signature proves the key belongs to the e-mail address, nothing else |
| 22 |
> * the e-mail address is given to the owner of the key during recruitment |
| 23 |
> |
| 24 |
> Meaning nobody is certifying something that he/she does not know already by |
| 25 |
> definition. |
| 26 |
> |
| 27 |
> Please point out any thinkos... :) |
| 28 |
> |
| 29 |
|
| 30 |
This is 100% correct. We are not attempting to verify identity. Whether |
| 31 |
or not my name is Dane Smith is a moot point. All that matters is that I |
| 32 |
am the person that the Gentoo recruiters granted access to. |
| 33 |
|
| 34 |
I cannot stress how important some of this is. It's bad if a binary |
| 35 |
distro doesn't sign their code, but in some ways it's even worse for us. |
| 36 |
An ebuild can do most anything. If someone were to want to insert some |
| 37 |
nastiness into say, openssl, all they have to do is hijack an rsync |
| 38 |
mirror, insert their patch, change the ebuild a smidge, and run and |
| 39 |
hide. And no one would be any the wiser. The only difference is that |
| 40 |
unlike a binary distro where a user can't verify anything (easily), at |
| 41 |
least one of ours can always look at the ebuilds / patches. |
| 42 |
|
| 43 |
(Not to mention they could also hack their nastiness into the openssl |
| 44 |
tarball, change the manifest, and then run and hide. Same effect, no |
| 45 |
notice at the ebuild level.) |
| 46 |
|
| 47 |
For those who got bored at line two it all comes down to: |
| 48 |
|
| 49 |
Sign. Your. STUFF! |
| 50 |
|
| 51 |
Your friendly neighborhood paranoid, |
| 52 |
|
| 53 |
- -- |
| 54 |
Dane Smith (c1pher) |
| 55 |
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86 |
| 56 |
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index |
| 57 |
-----BEGIN PGP SIGNATURE----- |
| 58 |
Version: GnuPG v2.0.17 (GNU/Linux) |
| 59 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 60 |
|
| 61 |
iQIcBAEBAgAGBQJNjIAtAAoJEEsurZwMLhUxVFAP/3aXbJb+00wM95Dht/aBT31S |
| 62 |
vjsjODbx7/9IL5nxdVumDH6+M21pfa7e0xx1aFsUNvjJNl1jSfH44nsvvjRSkGKq |
| 63 |
b8bliwpG++wnQ18Gll1J48XTawLCPKh5HKCQWoRmQPwk7oEkVxXmph/V5/S8PdvL |
| 64 |
Y9HM7niA6TeIKtdDjtd/AqgdIizDlrU8a4ovdxrt4MdhPoBSs4CT5BUQszgOEWah |
| 65 |
LW/nt/Ir3bL2aML60QBmoxapbCBYSrpn0cqBoBCvOhgTzWWOpAamBV21HxBhiAnE |
| 66 |
EzAXYAm8IJH4HWwQp4ar0e/TCo7/mty3mx/lspAFuX4fOXwVgfCS53wtpT7nKvoA |
| 67 |
Homy0Q1ZnVMU/bXP5tdvszzPcfRoqfvjO4qU8MlqvlHLKf/RF1Om3kJRYONKTYxo |
| 68 |
EDtrT093kRNwI2s3RrrWyJ14Kj6QsKAylsO9KbD5+h+xH/LG1+uWpxxtm0S88A// |
| 69 |
qSkU/kP1TRJW7+PxYiodBu5rlqcW+v6JK+jXwTecz96QVrYvsBq6QTBvHODpsxlI |
| 70 |
CFBePa23LEbPqq+vnQSrSLXrbeqV9nw4vgvMiU9PHbiWuPDks37xh4mtQY0u/5C9 |
| 71 |
R4U7VG1sQ0yZQSH0I9HP8v6ZNz99xdyH+VDDJzIvBGdpif1CPyGA4DNmhfvmzpaC |
| 72 |
0zqc8QcUe5rJRV5N2zmb |
| 73 |
=T/Hi |
| 74 |
-----END PGP SIGNATURE----- |
Archives