| 1 |
On Sun, Sep 07, 2003 at 09:43:47PM +0000, Jan Krueger wrote: |
| 2 |
> On Sunday 07 September 2003 19:20, Martin Schlemmer wrote: |
| 3 |
> > So how are any of these going to help if you do not trust us or any |
| 4 |
> > other developers/upstream_authors, encryption, etc, etc. I mean, |
| 5 |
> > this *IS* what this whole issue is about, no ? |
| 6 |
> No. I trust you. But trusting you doesnt mean that the ebuild you checked in |
| 7 |
> to the tree arrives at my hardrive unmodified. There is no way for you as a |
| 8 |
> human beeing to garantee this to me. Instead it should be expected that the |
| 9 |
> ebuild gets modified (by faulty software/hardware/network/whatever or by a |
| 10 |
> malicious attacker). So this must be taken care of. |
| 11 |
> |
| 12 |
> With Manifest and digest portage very much points in the right direction, but |
| 13 |
> this is not enough, from my point of view. |
| 14 |
> |
| 15 |
|
| 16 |
Why is it not enough? Of course, Manifests by themeslves can be modified |
| 17 |
- that's why they need to be GPG signed. |
| 18 |
|
| 19 |
The vulnerability at that point is compromised keys, which is why we |
| 20 |
would have an uberkey so we can revoke developer keys as soon as |
| 21 |
possible. It's not foolproof, but it's a whole lot better. |
| 22 |
|
| 23 |
There is no such thing as perfect security short of shutting down your |
| 24 |
computer. |
| 25 |
|
| 26 |
-- |
| 27 |
Jon Portnoy |
| 28 |
avenj/irc.freenode.net |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-dev@g.o mailing list |
Archives