| 1 |
On Mon, Jul 2, 2018 at 6:02 PM R0b0t1 <r030t1@×××××.com> wrote: |
| 2 |
> Signed hashes should be faster, no? Each directory with files could |
| 3 |
> have a manifest. |
| 4 |
|
| 5 |
Signatures work over hashes of data, anyway. I think what you're |
| 6 |
wondering, though, is the granularity of each signature? I'd recommend |
| 7 |
this be done on the per-file level, since we wouldn't want gentoo devs |
| 8 |
signing files in a directory they haven't actually inspected. For |
| 9 |
example, eclasses. |
| 10 |
|
| 11 |
> |
| 12 |
> > - Ensure the naming scheme of portage files is sufficiently strict, so |
| 13 |
> > that renaming or re-parenting signed files doesn't result in RCE. [*] |
| 14 |
> > - Distribute said .asc files with rsync per usual. |
| 15 |
> |
| 16 |
> Rsync would work with this setup, but there is also webrsync-gpg in |
| 17 |
> Portage right now. This covers the vast majority of usecases right |
| 18 |
> now. |
| 19 |
|
| 20 |
Not sure whether you've missed the point or if you're responding to |
| 21 |
something slightly different, but it's worth noting that both rsync |
| 22 |
and webrsync-gpg right now check against infra signatures, rather than |
| 23 |
developer signatures, and this is a big problem. |
Archives