On Fri, Mar 25, 2011 at 7:28 PM, Mike Frysinger <vapier@g.o> wrote:
> On Fri, Mar 25, 2011 at 2:57 PM, Dane Smith wrote:
>> On 03/25/2011 02:46 PM, Mike Frysinger wrote:
>>> On Fri, Mar 25, 2011 at 4:53 AM, Andreas K. Huettel wrote:
>>>> Of course now we can add additional requirements:
>>>>
>>>> * The key must have a userid that refers to an official Gentoo e-mail
>>>> address. E.g. dilfridge@g.o
>>>
>>> no. there's no reason for this requirement, and it prevents proxy
>>> maintenance long term. e-mail addresses do not verify identity,
>>> verifying identity verifies identity. this is the point of the web of
>>> trust.
>>
>> We are somewhat limited in the amount that we can verify "identity."
>> Sure you can get a decent web of trust from signing the keys of people
>> you've met at conferences, however, there will be people outside of that
>> web.
>
> creating one "tree key" which signs all developer keys listed in LDAP
> is trivial to do
>
>> What we need to verify is rather that the person who made the
>> commit is someone who is authorized to make the commit and that it was
>> in no way tampered with.
>
> you're validating only that the machine with access to the private
> keys pushed up the commit. hopefully the only person with said
> machine is the one we recruited.
> -mike
>
>

Coming back around to the earlier discussion of Alice who has her key
signed by robbat2 (because he loves keysigning parties) and then Alice
breaks into cvs.gentoo.org and commits evil code into the tree. If we
cannot stop this attack because we are relying on a chain of trust
(and Alice is in the chain) can we at least detect the attack?

As it appears to me, I am much more likely to somehow manipulate the
chain of trust in an incorrect way (such as at a keysigning hibjib) as
opposed to adding some random stranger's key to a master list on
dev.gentoo.org or in LDAP. The former action is essentially an
innocent act with non-obvious (to me) repercussions and the latter is
an act with really only one intent.

I don't care about GPG at all. I hate it. I don't want to know how
it works and I don't want developers who are in the same boat as me to
fuck it up because they don't know what they are doing. I don't have
commit-bit to gentoo-x86 so I don't have a big stake in this ;)