| 1 |
On Fri, Mar 25, 2011 at 7:28 PM, Mike Frysinger <vapier@g.o> wrote: |
| 2 |
> On Fri, Mar 25, 2011 at 2:57 PM, Dane Smith wrote: |
| 3 |
>> On 03/25/2011 02:46 PM, Mike Frysinger wrote: |
| 4 |
>>> On Fri, Mar 25, 2011 at 4:53 AM, Andreas K. Huettel wrote: |
| 5 |
>>>> Of course now we can add additional requirements: |
| 6 |
>>>> |
| 7 |
>>>> * The key must have an userid that refers to an official Gentoo e-mail |
| 8 |
>>>> address. E.g. dilfridge@g.o |
| 9 |
>>> |
| 10 |
>>> no. there's no reason for this requirement, and it prevents proxy |
| 11 |
>>> maintenance long term. e-mail addresses do not verify identity, |
| 12 |
>>> verifying identify verifies identity. this is the point of the web of |
| 13 |
>>> trust. |
| 14 |
>> |
| 15 |
>> We are somewhat limited in the amount that we can verify "identity." |
| 16 |
>> Sure you can get a decent web of trust from signing the keys of people |
| 17 |
>> you've met at conferences, however, there will be people outside of that |
| 18 |
>> web. |
| 19 |
> |
| 20 |
> creating one "tree key" which signs all developer keys listed in LDAP |
| 21 |
> is trivial to do |
| 22 |
> |
| 23 |
>> What we need to verify is rather that the person who made the |
| 24 |
>> commit is someone who is authorized to make the commit and that it was |
| 25 |
>> in no way tampered with. |
| 26 |
> |
| 27 |
> you're validating only that the machine with access to the private |
| 28 |
> keys pushed up the commit. hopefully the only person with said |
| 29 |
> machine is the one we recruited. |
| 30 |
> -mike |
| 31 |
> |
| 32 |
> |
| 33 |
|
| 34 |
Coming back around to the earlier discussion of Alice who has her key |
| 35 |
signed by robbat2 (because he loves keysigning parties) and then Alice |
| 36 |
breaks into cvs.gentoo.org and commits evil code into the tree. If we |
| 37 |
cannot stop this attack because we are relying on a chain of trust |
| 38 |
(and Alice is in the chain) can we at least detect the attack? |
| 39 |
|
| 40 |
As it appears to me; I am much more likely to somehow manipulate the |
| 41 |
chain in trust in an incorrect way (such as at a keysigning hibjib) as |
| 42 |
opposed to adding some random strangers key to a master list on |
| 43 |
dev.gentoo.org or in LDAP. The former action is essentially an |
| 44 |
innocent act with non-obvious (to me) repercussions and the latter is |
| 45 |
an act with really only one intent. |
| 46 |
|
| 47 |
I don't care about GPG at all. I hate it. I don't want to know how |
| 48 |
it works and I don't want developers who are in the same boat as me to |
| 49 |
fuck it up because they don't know what they are doing. I don't have |
| 50 |
commit-bit to gentoo-x86 so I don't have a big stake in this ;) |
Archives