| 1 |
Andrew Muraco posted <43C49047.5070302@×××××××××.com>, excerpted below, |
| 2 |
on Tue, 10 Jan 2006 23:57:43 -0500: |
| 3 |
|
| 4 |
> The method described here would also open up the oppurtunity for "fake" |
| 5 |
> enterprise trees, without having something to double check that the tree |
| 6 |
> that we have is indeed the one that is wanted, it would be possible for a |
| 7 |
> hacked rsync server (or a bogus one) to host the enterprise (stable) trees |
| 8 |
> with extra ebuilds which could compromise security (/me thinks of emails |
| 9 |
> warning about Microsoft's patchs and links which point to infectious |
| 10 |
> websites.) |
| 11 |
|
| 12 |
Remember, portage already has a decent amount of signed content |
| 13 |
verification builtin, and is getting more. Just because it's not |
| 14 |
currently used, as the debate on strength and keyring handling hasn't been |
| 15 |
settled, doesn't mean the capacity doesn't exist. |
| 16 |
|
| 17 |
At this point it should be possible to develop a working enterprise |
| 18 |
security model along with the enterprise proposal and tree. Spec it out, |
| 19 |
put the keys in a special dir on a read-only mounted partition, and it'll |
| 20 |
be pretty hard to fake it on the fly, at least. |
| 21 |
|
| 22 |
IOW, while it's certainly an issue that needs to be addressed, I'd |
| 23 |
consider it no worse than anything else on the list, and probably |
| 24 |
relatively minor compared to some of the other hurdles to be cleared on |
| 25 |
the way to a decent enterprise Gentoo. I believe the biggest hurdles |
| 26 |
will be finding the folks to do it and coordinating them to actually get |
| 27 |
and keep it going. |
| 28 |
|
| 29 |
-- |
| 30 |
Duncan - List replies preferred. No HTML msgs. |
| 31 |
"Every nonfree program has a lord, a master -- |
| 32 |
and if you use the program, he is your master." Richard Stallman in |
| 33 |
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html |
| 34 |
|
| 35 |
|
| 36 |
-- |
| 37 |
gentoo-dev@g.o mailing list |
Archives