1 |
2011-05-02 02:16:49 Markos Chandras napisaĆ(a): |
2 |
> On Sun, May 01, 2011 at 04:31:08PM -0700, Brian Harring wrote: |
3 |
> > On Sun, May 01, 2011 at 11:23:40PM +0000, Duncan wrote: |
4 |
> > > What about having a dedicated server-based changlog-signing key? That's |
5 |
> > > still a lot of signing with a single key, but as you observed, the hazards |
6 |
> > > of a loss of integrity there aren't as high as with most of the tree |
7 |
> > > content. It'd require changes, but I don't believe they're out of line |
8 |
> > > with that required for the rest of the proposal. |
9 |
> > |
10 |
> > It means the only real trust that clients can level is on that key- |
11 |
> > since it will be the last signer (thus /the/ signer) across all pkgs. |
12 |
> > |
13 |
> > Get at that key, and you've got the tree, versus the current form, |
14 |
> > crack all signing keys and you've got the tree. |
15 |
> > |
16 |
> > Mind you this is ignoring eclasses, but getting eclasses sorted will |
17 |
> > be mildly pointless if the rest of the solution has been |
18 |
> > weakened/gutted since. |
19 |
> > |
20 |
> > Point is, it's not *just* about having a signature on it- it's about |
21 |
> > mapping the trust of that signature back, and sectioning/containing |
22 |
> > compromises. What y'all are suggesting guts that layered defense. |
23 |
> > ~brian |
24 |
> |
25 |
> Then the only choice here is to ignore Changelogs from Manifests and |
26 |
> live with that. You have your changelogs unprotected but you keep your |
27 |
> ebuilds safe(?). As I said, it is a balanced choice that has to be made. |
28 |
|
29 |
Generated ChangeLogs could contain server-side-generated signatures for themselves |
30 |
(gpg --sign --clearsign ChangeLog && mv ChangeLog.asc ChangeLog). |
31 |
(Manifests wouldn't contain entries for ChangeLogs.) |
32 |
|
33 |
-- |
34 |
Arfrever Frehtes Taifersar Arahesis |