1 |
On Mon, Jul 2, 2018 at 7:21 PM Michał Górny <mgorny@g.o> wrote: |
2 |
> |
3 |
> W dniu pon, 02.07.2018 o godzinie 19∶01 +0200, użytkownik Jason A. |
4 |
> Donenfeld napisał: |
5 |
> > On Mon, Jul 2, 2018 at 6:58 PM Michał Górny <mgorny@g.o> wrote: |
6 |
> > > - Have verification use a keyring of all Gentoo developers, with a |
7 |
> > > > manual prompt to add new Gentoo developers to it. |
8 |
> > > |
9 |
> > > How are you going to distribute this keyring, and how are you going to |
10 |
> > > protect attacker from injecting malicious key into it? |
11 |
> > |
12 |
> > Same model as Arch. |
13 |
> > |
14 |
> |
15 |
> Please write it down here instead of expecting us to figure it out. |
16 |
> It's your proposal, and it should be complete. |
17 |
|
18 |
I believe Arch's system relies on some core developers having master |
19 |
keys and the revocation certificates being distributed amongst them: |
20 |
|
21 |
https://www.archlinux.org/master-keys/ |
22 |
|
23 |
Then all other developers are signed from there in one way or another. |
24 |
It's kind of a modified web of trust. |
25 |
|
26 |
I don't know whether or not this is necessarily the best model to |
27 |
emulate -- perhaps we could do better, for example -- but it does seem |
28 |
like a good starting point. Instead we might prefer a single hardware |
29 |
device somewhere. |
30 |
|
31 |
The idea would be -- portage fetches an updated "key list" from |
32 |
somewhere. This new list of keys is considered if it is: a) signed by |
33 |
the master keys and b) internally fulfills some WoT topological |
34 |
requirements. Then, if these pass, it is up to the user to then |
35 |
manually [y/N] the addition of new keys to the key ring. If they |
36 |
suspect a particular developer has bad security practices, for |
37 |
example, they could trivially [N] it, and then not have tree files he |
38 |
touched copied from the shadow location to the portage directory. |