1 |
On Mon, Jul 2, 2018 at 1:50 PM Jason A. Donenfeld <zx2c4@g.o> wrote: |
2 |
> |
3 |
> On Mon, Jul 2, 2018 at 7:41 PM Rich Freeman <rich0@g.o> wrote: |
4 |
> > To be fair, this is relying quite a bit on the last dev doing a commit |
5 |
> > to be checking his own tree, though that would certainly be helped if |
6 |
> > repoman/portage/etc were checking git sigs so that the starting tree |
7 |
> > is more likely to be clean. Also, if the last dev's key is |
8 |
> > compromised you're hosed no matter what as they can introduce anything |
9 |
> > to the tree and everybody will trust it. |
10 |
> |
11 |
> Actually, no. By keeping a local keychain of trusted developer keys -- |
12 |
> Arch Linux style -- you can just remove developers you don't trust, |
13 |
> and since the .asc files they signed will no longer verify, files from |
14 |
> them will no longer be copied into the real portage tree. It's a nice |
15 |
> way to make the entire process granular, yet still flexible. |
16 |
|
17 |
This only helps you if a dev you don't trust is compromised. If a dev |
18 |
you trust is compromised, they can modify anything in the tree and |
19 |
you're hosed. |
20 |
|
21 |
> |
22 |
> This kind of git-signature extraction also just sounds difficult and |
23 |
> fiddly to do, even if you do manage to figure out which partial bits |
24 |
> of metadata you need for reconstructing signed hashes. Whereas simply |
25 |
> adding .asc files is a single invocation of GPG -- a pretty |
26 |
> well-understood non fancy procedure. |
27 |
|
28 |
Sure, I'd prefer to not extract git signatures and just distribute via |
29 |
git purely without any rsync. |
30 |
|
31 |
> I think you assessment of the situation here is incorrect. It's not |
32 |
> necessary to trust a developer for the entire state of the tree. You |
33 |
> only need to trust (or distrust) a developer for the files he's |
34 |
> changed. |
35 |
|
36 |
Sure, but since any developer can change any file, that is basically |
37 |
the same thing. If somebody steals a single dev's key they can just |
38 |
rootkit any file of their choosing, sign that one change, and it will |
39 |
slip through any of these methods. The only protection against that |
40 |
is tracking who is allowed to touch what files, and then you're still |
41 |
hosed if a dev for a widely-used file gets their key stolen. |
42 |
|
43 |
I still prefer it to trusting infra though, because: |
44 |
|
45 |
1. The same attacks still work even with a final infra signoff. |
46 |
2. The dev signoffs could use hardware tokens where a random server |
47 |
process doesn't have the ability to trigger the signoffs (think |
48 |
hardware button on a yubikey/etc). |
49 |
3. This enables more mirroring options - like sticking the whole repo |
50 |
on github/etc for direct syncing that is still completely secure due |
51 |
to signoffs. |
52 |
|
53 |
-- |
54 |
Rich |