| 1 |
On Mon, Jul 2, 2018 at 1:50 PM Jason A. Donenfeld <zx2c4@g.o> wrote: |
| 2 |
> |
| 3 |
> On Mon, Jul 2, 2018 at 7:41 PM Rich Freeman <rich0@g.o> wrote: |
| 4 |
> > To be fair, this is relying quite a bit on the last dev doing a commit |
| 5 |
> > to be checking his own tree, though that would certainly be helped if |
| 6 |
> > repoman/portage/etc were checking git sigs so that the starting tree |
| 7 |
> > is more likely to be clean. Also, if the last dev's key is |
| 8 |
> > compromised you're hosed no matter what as they can introduce anything |
| 9 |
> > to the tree and everybody will trust it. |
| 10 |
> |
| 11 |
> Actually, no. By keeping a local keychain of trusted developer keys -- |
| 12 |
> Arch Linux style -- you can just remove developers you don't trust, |
| 13 |
> and since the .asc files they signed will no longer verify, files from |
| 14 |
> them will no longer be copied into the real portage tree. It's a nice |
| 15 |
> way to make the entire process granular, yet still flexible. |
| 16 |
|
| 17 |
This only helps you if a dev you don't trust is compromised. If a dev |
| 18 |
you trust is compromised, they can modify anything in the tree and |
| 19 |
you're hosed. |
| 20 |
|
| 21 |
> |
| 22 |
> This kind of git-signature extraction also just sounds difficult and |
| 23 |
> fiddly to do, even if you do manage to figure out which partial bits |
| 24 |
> of metadata you need for reconstructing signed hashes. Whereas simply |
| 25 |
> adding .asc files is a single invocation of GPG -- a pretty |
| 26 |
> well-understood non fancy procedure. |
| 27 |
|
| 28 |
Sure, I'd prefer to not extract git signatures and just distribute via |
| 29 |
git purely without any rsync. |
| 30 |
|
| 31 |
> I think you assessment of the situation here is incorrect. It's not |
| 32 |
> necessary to trust a developer for the entire state of the tree. You |
| 33 |
> only need to trust (or distrust) a developer for the files he's |
| 34 |
> changed. |
| 35 |
|
| 36 |
Sure, but since any developer can change any file, that is basically |
| 37 |
the same thing. If somebody steals a single dev's key they can just |
| 38 |
rootkit any file of their choosing, sign that one change, and it will |
| 39 |
slip through any of these methods. The only protection against that |
| 40 |
is tracking who is allowed to touch what files, and then you're still |
| 41 |
hosed if a dev for a widely-used file gets their key stolen. |
| 42 |
|
| 43 |
I still prefer it to trusting infra though, because: |
| 44 |
|
| 45 |
1. The same attacks still work even with a final infra signoff. |
| 46 |
2. The dev signoffs could use hardware tokens where a random server |
| 47 |
process doesn't have the ability to trigger the signoffs (think |
| 48 |
hardware button on a yubikey/etc). |
| 49 |
3. This enables more mirroring options - like sticking the whole repo |
| 50 |
on github/etc for direct syncing that is still completely secure due |
| 51 |
to signoffs. |
| 52 |
|
| 53 |
-- |
| 54 |
Rich |
Archives