-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/25/2011 05:44 AM, Andreas K. Huettel wrote:
>>> * The key should be signed by some central instance for automated
>>> validity check.
>>>
>>> Here things get hairy. How about having recruiter/infra team sign a dev's
>>> key on completion of the recruitment process? Just a first thought...
>>
>> I think this is an important requirement, however it's quite difficult
>> to conduct reliably. A normal keysigning process usually requires
>> knowing one personally (and perhaps verifying fingerprints over a
>> phone with voice verification), seeing one's ID personally and the
>> like. This is probably unfeasible in the Gentoo development
>> environment (I'm not a dev, though, so I'm just guessing).
>
> Well, as long as the signed UID is the specific "Gentoo address UID", this
> should be no problem, since...
>
> * the signature proves the key belongs to the e-mail address, nothing else
> * the e-mail address is given to the owner of the key during recruitment
>
> Meaning nobody is certifying something that he/she does not know already by
> definition.
>
> Please point out any thinkos... :)
>

This is 100% correct. We are not attempting to verify identity. Whether
or not my name is Dane Smith is a moot point. All that matters is that I
am the person that the Gentoo recruiters granted access to.

I cannot stress how important some of this is. It's bad if a binary
distro doesn't sign their code, but in some ways it's even worse for us.
An ebuild can do most anything. If someone were to want to insert some
nastiness into, say, openssl, all they have to do is hijack an rsync
mirror, insert their patch, change the ebuild a smidge, and run and
hide. And no one would be any the wiser. The only difference is that
unlike a binary distro where a user can't verify anything (easily), at
least one of ours can always look at the ebuilds / patches.

(Not to mention they could also hack their nastiness into the openssl
tarball, change the manifest, and then run and hide. Same effect, no
notice at the ebuild level.)

For those who got bored at line two it all comes down to:

Sign. Your. STUFF!

Your friendly neighborhood paranoid,

- --
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNjIAtAAoJEEsurZwMLhUxVFAP/3aXbJb+00wM95Dht/aBT31S
vjsjODbx7/9IL5nxdVumDH6+M21pfa7e0xx1aFsUNvjJNl1jSfH44nsvvjRSkGKq
b8bliwpG++wnQ18Gll1J48XTawLCPKh5HKCQWoRmQPwk7oEkVxXmph/V5/S8PdvL
Y9HM7niA6TeIKtdDjtd/AqgdIizDlrU8a4ovdxrt4MdhPoBSs4CT5BUQszgOEWah
LW/nt/Ir3bL2aML60QBmoxapbCBYSrpn0cqBoBCvOhgTzWWOpAamBV21HxBhiAnE
EzAXYAm8IJH4HWwQp4ar0e/TCo7/mty3mx/lspAFuX4fOXwVgfCS53wtpT7nKvoA
Homy0Q1ZnVMU/bXP5tdvszzPcfRoqfvjO4qU8MlqvlHLKf/RF1Om3kJRYONKTYxo
EDtrT093kRNwI2s3RrrWyJ14Kj6QsKAylsO9KbD5+h+xH/LG1+uWpxxtm0S88A//
qSkU/kP1TRJW7+PxYiodBu5rlqcW+v6JK+jXwTecz96QVrYvsBq6QTBvHODpsxlI
CFBePa23LEbPqq+vnQSrSLXrbeqV9nw4vgvMiU9PHbiWuPDks37xh4mtQY0u/5C9
R4U7VG1sQ0yZQSH0I9HP8v6ZNz99xdyH+VDDJzIvBGdpif1CPyGA4DNmhfvmzpaC
0zqc8QcUe5rJRV5N2zmb
=T/Hi
-----END PGP SIGNATURE-----
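The "automated validity check" the thread proposes, as an added example that is not part of the message above and not code from Gentoo: a key is accepted only when its project-address UID carries a current certification from one designated central key, and the check asserts nothing else about the key holder. The parser reads the record layout of `gpg --with-colons --check-sigs`, as documented in GnuPG's DETAILS file (field 5 key ID, field 10 user ID, field 11 signature class), and also handles the case where the central key later revokes its certification. The central key ID, the developer names and addresses, and the two listings are constructed placeholders, not real keys.

```python
"""Automated check that a developer key is certified by a central key.

Added example, not code from the thread or from Gentoo.  Input is the
machine-readable output of `gpg --with-colons --check-sigs <keyid>`;
the key IDs, names and listings below are constructed placeholders.
"""
from typing import Dict, Iterator, List, NamedTuple, Optional

CENTRAL_KEYID = "0000000000000001"   # placeholder: long key ID of the certifying key
PROJECT_DOMAIN = "@gentoo.org"       # only UIDs at this address count
# OpenPGP certification classes 0x10..0x13 (generic .. positive); gpg prints "13x" etc.
CERT_CLASSES = {"10", "11", "12", "13"}


class KeyCheck(NamedTuple):
    key_id: Optional[str]
    valid: bool                    # overall verdict for the key
    certified: Dict[str, bool]     # project-domain UID -> currently certified?


def parse_colon_listing(listing: str) -> Iterator[List[str]]:
    """Split `--with-colons` output into field lists (field 0 is the record type)."""
    for raw in listing.splitlines():
        if raw.strip():
            yield raw.split(":")


def check_key(listing: str, central_keyid: str = CENTRAL_KEYID,
              domain: str = PROJECT_DOMAIN) -> KeyCheck:
    key_id = None
    key_ok = True
    current_uid = None               # UID that following sig/rev records apply to
    uid_ok: Dict[str, bool] = {}
    last_cert: Dict[str, int] = {}   # UID -> newest certification timestamp by central key
    last_rev: Dict[str, int] = {}    # UID -> newest revocation of that certification
    for f in parse_colon_listing(listing):
        rtype = f[0]
        if rtype == "pub":
            key_id = f[4]
            key_ok = f[1] not in ("r", "e")    # revoked or expired primary key
            current_uid = None
        elif rtype == "uid":
            current_uid = f[9]
            uid_ok[current_uid] = f[1] != "r"  # a revoked UID carries no certification
        elif rtype in ("sub", "ssb"):
            current_uid = None   # signatures from here on bind subkeys, not UIDs
        elif rtype in ("sig", "rev") and current_uid is not None:
            if f[4] != central_keyid or f[1] in ("-", "%", "?"):
                continue   # not the central key, or a bad/unverifiable signature
            stamp = int(f[5])   # creation date; GnuPG 2 prints seconds since the epoch
            if rtype == "sig" and f[10][:2] in CERT_CLASSES:
                last_cert[current_uid] = max(stamp, last_cert.get(current_uid, 0))
            elif rtype == "rev":
                last_rev[current_uid] = max(stamp, last_rev.get(current_uid, 0))
    certified: Dict[str, bool] = {}
    for uid, ok in uid_ok.items():
        if domain not in uid:
            continue   # certifications on other addresses say nothing about membership
        cert_ts = last_cert.get(uid, 0)
        certified[uid] = ok and cert_ts > 0 and last_rev.get(uid, 0) < cert_ts
    return KeyCheck(key_id, key_ok and any(certified.values()), certified)


# Constructed listing: a current developer whose project UID is certified by
# the central key; the private-address UID carries only a self-signature.
SAMPLE_ACTIVE_DEV = """\
pub:u:4096:1:0000000000000002:1299000000:::u:::scESC::::::23::0:
uid:u::::1299000000::HASH1::Dev Example <dev@gentoo.org>::::::::::0:
sig:!::1:0000000000000002:1299000000::::Dev Example <dev@gentoo.org>:13x:::::2:
sig:!::1:0000000000000001:1299500000::::Central Certifier (placeholder) <certs@gentoo.org>:13x:::::2:
uid:u::::1299000000::HASH2::Dev Example <dev@example.net>::::::::::0:
sig:!::1:0000000000000002:1299000000::::Dev Example <dev@gentoo.org>:13x:::::2:
sub:u:4096:1:0000000000000003:1299000000::::::e::::::23:
sig:!::1:0000000000000002:1299000000::::Dev Example <dev@gentoo.org>:18x:::::2:
"""

# Constructed listing: the central key certified the UID, then revoked that
# certification later (for example on retirement), so the key is no longer accepted.
SAMPLE_RETIRED_DEV = """\
pub:u:4096:1:0000000000000004:1299000000:::u:::scESC::::::23::0:
uid:u::::1299000000::HASH3::Former Dev <former@gentoo.org>::::::::::0:
sig:!::1:0000000000000004:1299000000::::Former Dev <former@gentoo.org>:13x:::::2:
sig:!::1:0000000000000001:1299500000::::Central Certifier (placeholder) <certs@gentoo.org>:13x:::::2:
rev:!::1:0000000000000001:1300000000::::Central Certifier (placeholder) <certs@gentoo.org>:30x:::::2:
"""

if __name__ == "__main__":
    for name, listing in (("active", SAMPLE_ACTIVE_DEV), ("retired", SAMPLE_RETIRED_DEV)):
        result = check_key(listing)
        print(name, result.key_id, "accepted" if result.valid else "rejected", result.certified)
```

The verdict depends only on the project-address UID, which matches the point made in the quoted reply: the central signature certifies that the key belongs to the address handed out at recruitment, and a certification on any other UID of the same key is ignored.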