Gentoo Archives: gentoo-dev

From: Kurt Lieber <klieber@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] 2004.1 will not include a secure portage.
Date: Tue, 23 Mar 2004 10:07:47
Message-Id: 20040323100824.GV26101@mail.lieber.org
Today, John informed me that we will still have an insecure implementation
of Portage in 2004.1 due to a lack of effort and commitment towards solving
this problem.

We have been talking about GPG-signed packages in portage for almost
exactly one year now.[1]  Yet, we have not delivered on our promises to our
user base.  Just today, we had a user ask how she can verify the integrity
of packages she downloads.[2]  I can't give her any good answer because the
answer is she can't.

Looking at the roadmap for portage, I was horrified to discover it's not
even listed on that page.[3]  Have we all forgotten that we had an rsync
server compromised just a few months ago?[4]

Daniel, Pieter -- you are both listed as the TLP managers for Portage.  Can
you please articulate if/how/when you plan to implement GPG signing in
Portage?  

--kurt

[1] http://www.gentoo.org/news/en/gwn/20030407-newsletter.xml#doc_chap1_sect3
    http://www.gentoo.org/news/en/gwn/20030421-newsletter.xml#doc_chap1_sect2
[2] http://marc.theaimsgroup.com/?l=gentoo-security&m=108003431908752&w=2
[3] http://www.gentoo.org/proj/en/portage/
[4] http://www.gentoo.org/news/en/gwn/20031208-newsletter.xml#doc_chap1_sec3

----- Forwarded message from John Davis <zhen@g.o> -----

- GPG signed ebuilds: I'm not directly working on it but I'm indirectly
involved, and this is most likely not production ready for 2004.1.
The main outstanding issues: we still don't have a key policy (where
should we store the keys, how do we ensure they are trustworthy) and
signing of auxiliary files (eclasses and other non-package dirs). These
issues have to be solved before we can a) implement the verification
code and b) make signing the default behavior in repoman (it's
implemented but disabled by default).
And if repoman signs packages, you still have to re-commit or update a
package before it is signed, so this will also take a lot of time before
the majority of the tree is signed (unless we do mass-commits).
So while the feature itself might be completed for 2004.1 (or more
likely 2004.2), I wouldn't announce it until the majority of our packages
are signed.
