On Thursday 06 June 2002 01:56 pm, Alexander Holler wrote:
> Hello,
>
> what do you think about signing the ebuilds and digests with gpg?
>
> That would make it harder for blackhats to introduce a worm or something
> similar (if they have got access to an rsync mirror).
>
> My idea is to automatically sign the released ebuilds (before mirroring
> them) with a key of gentoo.org.
>
> Then emerge could check the sign and could discard wrong ebuilds or just
> throw a warning (preferably customized with make.conf).

I think it is an excellent idea, but then, that's easy for me to say since I'm
not the one who would be burdened by the work of actually building a ring of
trust and signing all the ebuilds.

Having said that, it is clear that when new ebuilds are taken from bugzilla
and put into the official CVS, the decision as to what goes in and what
doesn't, and those who are allowed to commit to CVS, is a limited number of
people.

It should be reasonably manageable to create a ring of trust amongst those who
submit and distribute ebuilds, and the security benefits would be
significant.

Unfortunately, as with most things, I suspect this will happen only AFTER
someone slips a trojan through, as there is some amount of work in getting
something like that set up and the developers have plenty of other things that
are, for the moment anyway, more pressing. :-)

Just like backups, almost no one develops the habit until they've been bitten
at least once. [grin]
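The scheme Alexander proposes, written out as an added example that is not code from this thread or from Portage: the release side signs a digest of the ebuilds before mirroring, and the emerge side checks that signature against a pinned distribution key before trusting the digest, with the discard-or-warn choice as a policy value. Ed25519 from Go's standard library stands in for gpg, and the "sha256 <hex> <ebuild>" digest line format is made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Policy is the make.conf-style switch proposed in the thread.
type Policy int
const (
	Discard Policy = iota // bad signature: drop every ebuild covered by the digest
	Warn                  // bad signature: report it, but still run the digest check
)

func sha(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// BuildDigest renders what the release side signs before mirroring: one
// "sha256 <hex> <ebuild>" line per ebuild (a constructed format, not Portage's).
func BuildDigest(ebuilds map[string][]byte) []byte {
	var lines []string
	for name, body := range ebuilds {
		lines = append(lines, "sha256 "+sha(body)+" "+name)
	}
	sort.Strings(lines) // deterministic bytes, so the signature is reproducible
	return []byte(strings.Join(lines, "\n") + "\n")
}

// Verify is the emerge side: digest signature against the pinned distribution
// key first, then each ebuild against the digest; returns the installable ones
// and a warning string (empty when everything checks out).
func Verify(pub ed25519.PublicKey, digest, sig []byte, ebuilds map[string][]byte, p Policy) (map[string][]byte, string) {
	var warn []string
	if !ed25519.Verify(pub, digest, sig) {
		if p == Discard {
			return nil, "digest signature invalid: discarding all ebuilds"
		}
		warn = append(warn, "WARNING: digest signature invalid, continuing as configured")
	}
	text, ok := "\n"+string(digest), map[string][]byte{}
	for name, body := range ebuilds {
		if strings.Contains(text, "\nsha256 "+sha(body)+" "+name+"\n") {
			ok[name] = body
		} else {
			warn = append(warn, "digest mismatch, dropping "+name)
		}
	}
	return ok, strings.Join(warn, "; ")
}
```

An ebuild altered on a mirror fails the digest check even though the digest's signature is still good, and a digest regenerated by someone without the distribution key fails the signature check, which is the point of signing the digest rather than trusting whatever the mirror serves.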