Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: Andrew Savchenko <bircoph@g.o>
Cc: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Infra plans regarding $Id$ - official answer...
Date: Sat, 15 Aug 2015 07:53:55
Message-Id: 20150815095337.6f6f72ba.mgorny@gentoo.org
In Reply to: Re: [gentoo-dev] Infra plans regarding $Id$ - official answer... by Andrew Savchenko
On 2015-08-15, at 10:50:02
Andrew Savchenko <bircoph@g.o> wrote:

> Hi,
>
> On Fri, 14 Aug 2015 10:54:57 -0400 Rich Freeman wrote:
> > On Fri, Aug 14, 2015 at 8:45 AM, Kristian Fiskerstrand <k_f@g.o> wrote:
> > > They will be OpenPGP signed by a releng key during thickening and
> > > portage will auto-verify it using gkeys once things are in place. As
> > > such checksum for ebuilds and other files certainly needs to be part
> > > of the manifest, otherwise it can open up for malicious alterations of
> > > these files.
> > >
> >
> > As much as I'd love to see it all folded into git, the reality is also
> > that git signatures are only bound to files by a series of sha1
> > hashes, and sha1 is not a strong hash function. Git really ought to
> > move to sha256 at some point, preferably in a manner that makes it
> > expandable in the future to other hash functions. But, this isn't a
> > high priority for upstream.
> >
> > The same limitation is true of any git gpg signature, including tag
> > signatures. It is all held together by sha1. The manifest system is
> > much stronger.
>
> OK, if manifests are that important, why not generate the full manifest
> during repoman commit? If we do not tamper with $Id$, the only file
> outside of this manifest will be the ChangeLog generated during rsync
> propagation. Then we have the following options:
> - do not sign ChangeLog: even if it is tampered with, little harm
> can be done, since it doesn't affect the live system or build process;
> - sign ChangeLog with the releng key;
> - sign the developer-signed manifest + ChangeLog with the releng key. Thus
> we'll have a double signature for the most important files.

How about we switch back to CVS if we're going to kill git anyway? It'd
at least save our time wasted by these pointless discussions.

--
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>
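The two verification models argued about above, as an added illustration that is not part of this thread: a git object chain that binds a signature to file contents only through sha1 ids, beside a Manifest-style listing that covers each file's bytes directly with stronger digests. The file contents are constructed, the tree hashing is simplified, and the Manifest line layout is only loosely modelled on Gentoo's Manifest2 (an assumption, not the real format).

```python
import hashlib

# Constructed sample files standing in for an ebuild directory (not real Gentoo content).
FILES = {
    "foo-1.0.ebuild": b'EAPI=5\nDESCRIPTION="constructed sample"\n',
    "ChangeLog": b"*foo-1.0 (15 Aug 2015)\n",
}

def git_blob_id(content: bytes) -> str:
    """Object id the way git names a blob: sha1 over 'blob <len>\\0<content>'."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def git_tree_id(files: dict) -> str:
    """Simplified tree object: sha1 over the sorted (mode, name, blob id) entries.
    A signed tag or commit covers only this chain of sha1 values, never the file
    bytes themselves (real trees store raw oids; this keeps the hex id for clarity)."""
    entries = b"".join(f"100644 {n}\0{git_blob_id(c)}".encode() for n, c in sorted(files.items()))
    return hashlib.sha1(b"tree %d\0" % len(entries) + entries).hexdigest()

def build_manifest(files: dict) -> str:
    """One line per file: TYPE name size SHA256 <hex> SHA512 <hex> (layout is an assumption)."""
    lines = []
    for name, content in sorted(files.items()):
        kind = "EBUILD" if name.endswith(".ebuild") else "MISC"
        lines.append(f"{kind} {name} {len(content)} "
                     f"SHA256 {hashlib.sha256(content).hexdigest()} "
                     f"SHA512 {hashlib.sha512(content).hexdigest()}")
    return "\n".join(lines) + "\n"

def verify_manifest(manifest: str, files: dict) -> list:
    """Names of files that are missing, wrong-sized, mismatch any listed digest,
    or are present in the tree but not covered by the Manifest at all."""
    bad, listed = [], set()
    for line in manifest.splitlines():
        _kind, name, size, *digests = line.split()
        listed.add(name)
        content = files.get(name)
        if content is None or len(content) != int(size):
            bad.append(name)
            continue
        for alg, hexdigest in zip(digests[::2], digests[1::2]):
            if hashlib.new(alg.lower(), content).hexdigest() != hexdigest:
                bad.append(name)
                break
    # Files generated after the Manifest was made (e.g. a ChangeLog) show up here.
    bad.extend(sorted(set(files) - listed))
    return bad
```

Running `verify_manifest(build_manifest(FILES), FILES)` returns an empty list, while a Manifest built before the ChangeLog existed reports that file as uncovered.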
