On Mon, Jul 2, 2018 at 6:02 PM R0b0t1 <r030t1@×××××.com> wrote:
> Signed hashes should be faster, no? Each directory with files could
> have a manifest.

Signatures work over hashes of data, anyway. I think what you're
wondering, though, is the granularity of each signature? I'd recommend
this be done on the per-file level, since we wouldn't want Gentoo devs
signing files in a directory they haven't actually inspected. For
example, eclasses.

>
> > - Ensure the naming scheme of portage files is sufficiently strict, so
> > that renaming or re-parenting signed files doesn't result in RCE. [*]
> > - Distribute said .asc files with rsync per usual.
>
> Rsync would work with this setup, but there is also webrsync-gpg in
> Portage right now. This covers the vast majority of use cases right
> now.

Not sure whether you've missed the point or if you're responding to
something slightly different, but it's worth noting that both rsync
and webrsync-gpg right now check against infra signatures, rather than
developer signatures, and this is a big problem.
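The message above makes two points that are easy to conflate: per-file signatures, and a naming scheme strict enough that a signed file cannot simply be renamed or re-parented into a location where it is interpreted differently. The following is an added example, not code from this thread or from Portage, that models both checks. It uses a constructed HMAC key in place of a developer's GnuPG key (the verification flow is the same for a detached `.asc` signature over the same bytes), and the naming rule `is_safe_relpath` is an assumed illustration, not Portage's actual rule. It shows that a signature over file content alone still verifies after the file is moved, while a signature over a length-prefixed path plus content hash does not.

```python
"""Path-bound per-file signatures: why the signed bytes must cover the
file's name and directory, not just its content.  Added example; HMAC
stands in for a developer's detached GnuPG signature."""
import hashlib
import hmac
import re

# Constructed demo key (assumption): stands in for the developer signing key.
DEMO_KEY = b"constructed-demo-signing-key"

# Assumed strict naming scheme, not Portage's real one: every path segment
# starts with an alphanumeric and uses a conservative character set, which
# rules out '', '.', '..' and names beginning with '-' or '.'.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def is_safe_relpath(path: str) -> bool:
    """Reject absolute paths, backslashes, empty segments and dot segments."""
    if not path or path.startswith("/") or "\\" in path:
        return False
    return all(SAFE_SEGMENT.match(seg) for seg in path.split("/"))


def content_only_message(content: bytes) -> bytes:
    """The weak form: the signed data is just a hash of the file bytes."""
    return hashlib.sha256(content).digest()


def path_bound_message(relpath: str, content: bytes) -> bytes:
    """The strong form: the signed data binds the relative path to the
    content hash.  The path is length-prefixed so that no split of
    'path' and 'content' can collide with another split."""
    p = relpath.encode("utf-8")
    return len(p).to_bytes(4, "big") + p + hashlib.sha256(content).digest()


def sign(message: bytes) -> str:
    """Demo signer: HMAC-SHA256 under DEMO_KEY (stand-in for GnuPG)."""
    return hmac.new(DEMO_KEY, message, hashlib.sha256).hexdigest()


def verify(message: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(message), sig)


def verify_file(relpath: str, content: bytes, sig: str) -> bool:
    """What a package manager should do per file: enforce the naming
    scheme first, then check the path-bound signature."""
    if not is_safe_relpath(relpath):
        return False
    return verify(path_bound_message(relpath, content), sig)


def reparenting_demo() -> tuple:
    """Sign one constructed eclass under its original path, then present
    the same bytes under a different directory.  Returns
    (content_only_still_verifies, path_bound_still_verifies)."""
    original = "eclass/foo.eclass"
    moved = "profiles/base/foo.eclass"      # same bytes, different location
    data = b"# constructed eclass body\n"   # constructed sample content

    sig_content = sign(content_only_message(data))
    sig_bound = sign(path_bound_message(original, data))

    content_only_ok = verify(content_only_message(data), sig_content)
    path_bound_ok = verify_file(moved, data, sig_bound)
    return (content_only_ok, path_bound_ok)


if __name__ == "__main__":
    print("content-only verifies after move, path-bound verifies after move:",
          reparenting_demo())
```

The design point is that a per-file signature is only as strong as what it binds: if the signed data does not name the file and its directory, the repository layout becomes an unauthenticated input, which is exactly the renaming and re-parenting concern raised in the quoted list.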