1 |
Hi! |
2 |
|
3 |
When installing from local overlay |
4 |
(https://wiki.gentoo.org/wiki/Overlay/Local_overlay) which I built very |
5 |
simply from https://github.com/deuiore/palemoon-overlay (I know I could |
6 |
have used layman and gone the regular way, but the reasons follow |
7 |
below), and then installed Pale Moon today, but without any (obvious) |
8 |
means to verify the git repo pulled, let alone the packs in the git |
9 |
object dir that downloaded in /usr/portage/distfiles/, |
10 |
I realized there seems not to have been developed a secure |
11 |
method for the end user to update the local installation. |
12 |
|
13 |
( Pls. note that the particular case with the Pale Moon overlay bears no |
14 |
importance in my query, or only as much as s single instance in |
15 |
comparison to all instances of some method applied. |
16 |
|
17 |
This is a question about verification of anything portage *via git* with |
18 |
respect to simple and reliable, never failing, but obsolete method of |
19 |
verification of portage *via webrsync*. ) |
20 |
|
21 |
I actually deliberately and kindly borrowed the title to my email from |
22 |
this topic: |
23 |
|
24 |
Is it safe to switch from webrsync to the git repo now? |
25 |
https://forums.gentoo.org/viewtopic-t-1038300.html |
26 |
|
27 |
and I can't stop wondering that nothing seems to be moving towards that |
28 |
direction. |
29 |
|
30 |
That topic on Gentoo Forums was started by Ant P., and seconded by, in |
31 |
effect only one other member of the community. Looking up the Portage & |
32 |
Programming subforum it was posted in, it has been viewed only, |
33 |
( currently at this address the numbers can be read: |
34 |
https://forums.gentoo.org/viewforum-f-8-topicdays-0-start-825.html ) |
35 |
[has been viewed] only: |
36 |
|
37 |
3159 times by the time of my writing of this (4 contributors only, Feb |
38 |
to Jul this year). |
39 |
|
40 |
And it's a major functionality loss, if I'm correct in my assuming that |
41 |
nothing has been moving in the direction of finding some way to provide |
42 |
that functionality. I'll be very glad if it turns out my assuming is |
43 |
wrong. |
44 |
|
45 |
I have been using webrsync-gpg exclusively for years. I also use my own |
46 |
local Gentoo mirror, and install in Air-Gapped, and clone the master |
47 |
Air-Gapped system onto (at least one) another same-hardware system and |
48 |
thn I use the clone for online. |
49 |
|
50 |
I'm construing some of the citations from that topic, into the text |
51 |
below as if they were emails that I reply to, which they of course are |
52 |
not. |
53 |
|
54 |
I'm posting here these thoughts because my itch is just no different than |
55 |
Ant P.'s and tholin's below. |
56 |
|
57 |
Ant P. on Tue Feb 02, 2016 1:42 pm wrote: |
58 |
> I've been using emerge-webrsync ever since it came to light the rsync |
59 |
> repo had no security whatsoever, this was before Gentoo officially |
60 |
> switched to git for the main tree. |
61 |
> ... |
62 |
> |
63 |
> But I'm unable to find one important piece of information in the docs: |
64 |
> the whole point of emerge-webrsync is that it checks gpg signatures |
65 |
> automatically for me via a FEATURES flag so I don't have to go jumping |
66 |
> through hoops to do it manually. What's the equivalent configuration |
67 |
> option to validate commit signatures in gentoo.git, or is it already |
68 |
> sane by default? |
69 |
|
70 |
tholin on Mon Jul 18, 2016 10:11 am wrote: |
71 |
> As I see it webrsync-gpg protects agains mitm attacks from the user to |
72 |
> the mirrors and compromised mirrors. Can git do the same? |
73 |
|
74 |
Is it really as bad as tholin in that topic states: |
75 |
|
76 |
tholin on Mon Jul 18, 2016 10:11 am wrote: |
77 |
> I grepped portages source to find out how it used git and I can't find |
78 |
> anything to indicate it verifies signatures. If git is going to verify |
79 |
> the commit signatures it also needs all the developer keys. Those keys |
80 |
> are not part of app-crypt/gentoo-keys and I can't find any other |
81 |
> convenient way of obtaining them. There are about 200 active |
82 |
> developers so you'll have to hunt for their keys like pokemons. |
83 |
|
84 |
Is it really that bad? Irreparably bad, because there is no true |
85 |
protection against compromised sources or/and mitm attacks? |
86 |
|
87 |
Is is really true that: |
88 |
|
89 |
tholin on Mon Jul 18, 2016 10:11 am wrote: |
90 |
> This only leaves the suboptimal webrsync-gpg method. |
91 |
and there is no way to provide to the end user an equivalent method of |
92 |
verification with git? |
93 |
|
94 |
Sincere regards! |
95 |
-- |
96 |
Miroslav Rovis |
97 |
Zagreb, Croatia |
98 |
http://www.CroatiaFidelis.hr |