| 1 |
Hi! |
| 2 |
|
| 3 |
When installing from local overlay |
| 4 |
(https://wiki.gentoo.org/wiki/Overlay/Local_overlay) which I built very |
| 5 |
simply from https://github.com/deuiore/palemoon-overlay (I know I could |
| 6 |
have used layman and gone the regular way, but the reasons follow |
| 7 |
below), and then installed Pale Moon today, but without any (obvious) |
| 8 |
means to verify the git repo pulled, let alone the packs in the git |
| 9 |
object dir that downloaded in /usr/portage/distfiles/, |
| 10 |
I realized there seems not to have been developed a secure |
| 11 |
method for the end user to update the local installation. |
| 12 |
|
| 13 |
( Pls. note that the particular case with the Pale Moon overlay bears no |
| 14 |
importance in my query, or only as much as s single instance in |
| 15 |
comparison to all instances of some method applied. |
| 16 |
|
| 17 |
This is a question about verification of anything portage *via git* with |
| 18 |
respect to simple and reliable, never failing, but obsolete method of |
| 19 |
verification of portage *via webrsync*. ) |
| 20 |
|
| 21 |
I actually deliberately and kindly borrowed the title to my email from |
| 22 |
this topic: |
| 23 |
|
| 24 |
Is it safe to switch from webrsync to the git repo now? |
| 25 |
https://forums.gentoo.org/viewtopic-t-1038300.html |
| 26 |
|
| 27 |
and I can't stop wondering that nothing seems to be moving towards that |
| 28 |
direction. |
| 29 |
|
| 30 |
That topic on Gentoo Forums was started by Ant P., and seconded by, in |
| 31 |
effect only one other member of the community. Looking up the Portage & |
| 32 |
Programming subforum it was posted in, it has been viewed only, |
| 33 |
( currently at this address the numbers can be read: |
| 34 |
https://forums.gentoo.org/viewforum-f-8-topicdays-0-start-825.html ) |
| 35 |
[has been viewed] only: |
| 36 |
|
| 37 |
3159 times by the time of my writing of this (4 contributors only, Feb |
| 38 |
to Jul this year). |
| 39 |
|
| 40 |
And it's a major functionality loss, if I'm correct in my assuming that |
| 41 |
nothing has been moving in the direction of finding some way to provide |
| 42 |
that functionality. I'll be very glad if it turns out my assuming is |
| 43 |
wrong. |
| 44 |
|
| 45 |
I have been using webrsync-gpg exclusively for years. I also use my own |
| 46 |
local Gentoo mirror, and install in Air-Gapped, and clone the master |
| 47 |
Air-Gapped system onto (at least one) another same-hardware system and |
| 48 |
thn I use the clone for online. |
| 49 |
|
| 50 |
I'm construing some of the citations from that topic, into the text |
| 51 |
below as if they were emails that I reply to, which they of course are |
| 52 |
not. |
| 53 |
|
| 54 |
I'm posting here these thoughts because my itch is just no different than |
| 55 |
Ant P.'s and tholin's below. |
| 56 |
|
| 57 |
Ant P. on Tue Feb 02, 2016 1:42 pm wrote: |
| 58 |
> I've been using emerge-webrsync ever since it came to light the rsync |
| 59 |
> repo had no security whatsoever, this was before Gentoo officially |
| 60 |
> switched to git for the main tree. |
| 61 |
> ... |
| 62 |
> |
| 63 |
> But I'm unable to find one important piece of information in the docs: |
| 64 |
> the whole point of emerge-webrsync is that it checks gpg signatures |
| 65 |
> automatically for me via a FEATURES flag so I don't have to go jumping |
| 66 |
> through hoops to do it manually. What's the equivalent configuration |
| 67 |
> option to validate commit signatures in gentoo.git, or is it already |
| 68 |
> sane by default? |
| 69 |
|
| 70 |
tholin on Mon Jul 18, 2016 10:11 am wrote: |
| 71 |
> As I see it webrsync-gpg protects agains mitm attacks from the user to |
| 72 |
> the mirrors and compromised mirrors. Can git do the same? |
| 73 |
|
| 74 |
Is it really as bad as tholin in that topic states: |
| 75 |
|
| 76 |
tholin on Mon Jul 18, 2016 10:11 am wrote: |
| 77 |
> I grepped portages source to find out how it used git and I can't find |
| 78 |
> anything to indicate it verifies signatures. If git is going to verify |
| 79 |
> the commit signatures it also needs all the developer keys. Those keys |
| 80 |
> are not part of app-crypt/gentoo-keys and I can't find any other |
| 81 |
> convenient way of obtaining them. There are about 200 active |
| 82 |
> developers so you'll have to hunt for their keys like pokemons. |
| 83 |
|
| 84 |
Is it really that bad? Irreparably bad, because there is no true |
| 85 |
protection against compromised sources or/and mitm attacks? |
| 86 |
|
| 87 |
Is is really true that: |
| 88 |
|
| 89 |
tholin on Mon Jul 18, 2016 10:11 am wrote: |
| 90 |
> This only leaves the suboptimal webrsync-gpg method. |
| 91 |
and there is no way to provide to the end user an equivalent method of |
| 92 |
verification with git? |
| 93 |
|
| 94 |
Sincere regards! |
| 95 |
-- |
| 96 |
Miroslav Rovis |
| 97 |
Zagreb, Croatia |
| 98 |
http://www.CroatiaFidelis.hr |
Archives