On 20/05/06, Peter <pete4abw@×××××××.net> wrote:
> PMFJI, but as a user, not a security expert, I had a few thoughts that I'd
> like to throw in. Thanks to Patrick, he helped me to drill down some of
> the ideas and I present them for consideration. It's just a framework, so
> I will be brief

Thanks for your input. From a security point of view your scheme is
fine, but as pointed out by others you won't be able to selectively
rsync parts of the tree. That will require a signature for each
manifest, and a manifest for every directory. The problem I see is
that the manifest is going to have to include a hash for each
subdirectory - otherwise you open the possibility of someone replacing
a directory with one from the past that contains some known
insecurity, or corrupting the tree by swapping random directories, and
yet the signatures remain valid. Of course, that hash changes if you
allow people to rsync_exclude directories, and hence the signature
changes. So you can either accept that if you selectively rsync then
you won't be able to verify the signed tree, or accept that there is a
known security problem with having no signed link between parent and
child directories, or come up with a different scheme.

Obviously the manifests also have to be checked to make sure they're
valid - this is currently done for package directories at emerge time;
it would need to be extended to all other directories. I'd prefer the
checks done at sync time since that's a one-time cost and you don't
have to figure out exactly what files will be used by each emerge
operation.

--
gentoo-dev@g.o mailing list
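An added example, not from the thread or from Portage, of the point made above: per-directory signed manifests detect a subdirectory rolled back to an older signed copy only when the parent manifest carries a hash of each child manifest. The manifest format, the tree layout and the HMAC-SHA256 "signature" (an offline stand-in for the real signing key) are all constructed for the example.

```python
import hashlib
import hmac

# Constructed key standing in for the tree signer's private key (assumption:
# HMAC-SHA256 is used only as an offline stand-in for a real signature).
SIGNING_KEY = b"constructed-demo-key"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(manifest: bytes) -> str:
    return hmac.new(SIGNING_KEY, manifest, "sha256").hexdigest()

def build_manifests(tree: dict, linked: bool, path: str = "", out=None) -> dict:
    """tree = {"files": {name: bytes}, "dirs": {name: subtree}} (constructed layout).
    Returns {dir_path: (manifest_bytes, signature)}, root path "".
    linked=True adds a DIR line carrying the hash of each child's signed manifest."""
    out = {} if out is None else out
    lines = [f"FILE {n} {sha256(b)}" for n, b in sorted(tree["files"].items())]
    for name, child in sorted(tree["dirs"].items()):
        build_manifests(child, linked, f"{path}{name}/", out)
        if linked:
            lines.append(f"DIR {name} {sha256(out[f'{path}{name}/'][0])}")
    manifest = "\n".join(lines).encode()
    out[path] = (manifest, sign(manifest))
    return out

def verify_tree(tree: dict, manifests: dict, path: str = "") -> bool:
    """Check the signature, the file hashes and any DIR links, recursively.
    A DIR entry whose child manifest is missing (e.g. rsync_exclude'd) fails."""
    manifest, sig = manifests[path]
    if not hmac.compare_digest(sign(manifest), sig):
        return False
    for line in manifest.decode().splitlines():
        kind, name, digest = line.split()
        if kind == "FILE" and sha256(tree["files"].get(name, b"")) != digest:
            return False
        if kind == "DIR":
            child = manifests.get(f"{path}{name}/")
            if child is None or sha256(child[0]) != digest:
                return False
    return all(verify_tree(c, manifests, f"{path}{n}/") for n, c in tree["dirs"].items())

def rollback_detected(linked: bool) -> bool:
    """Swap one subdirectory, plus its still-validly-signed manifest, for an old copy."""
    old = {"files": {}, "dirs": {"lib": {"files": {"lib-1.0.ebuild": b"vulnerable"}, "dirs": {}}}}
    new = {"files": {}, "dirs": {"lib": {"files": {"lib-1.1.ebuild": b"fixed"}, "dirs": {}}}}
    old_m, new_m = build_manifests(old, linked), build_manifests(new, linked)
    new["dirs"]["lib"] = old["dirs"]["lib"]  # directory on disk rolled back
    new_m["lib/"] = old_m["lib/"]            # old manifest, old (valid) signature
    return not verify_tree(new, new_m)       # True only if the parent link catches it
```

Without the DIR link every signature still verifies after the swap, which is exactly the gap described in the message; with it, the parent's hash no longer matches and sync-time verification fails.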