| 1 |
On Sun, 2002-02-17 at 22:56, Nils Ohlmeier wrote: |
| 2 |
|
| 3 |
> Maybe the developers are more busy with other things, but its never to early |
| 4 |
> to think about security. |
| 5 |
|
| 6 |
If this matter is important to you then please feel free to work on |
| 7 |
adding such functionality to portage. I would like to see a prototype |
| 8 |
of said system. :) |
| 9 |
|
| 10 |
Just a tip though: any such system should be easy to use for the |
| 11 |
developer and end user, and happen pretty much automatically for |
| 12 |
developers. I'm personally not going to be very friendly towards any |
| 13 |
system that requires me to do gnupg commands manually and worry about |
| 14 |
keys every time I want to check in a package, etc. And only the most |
| 15 |
paranoid users are going to go through the trouble of manually verifying |
| 16 |
each package (meaning it wouldn't be used by most users). |
| 17 |
|
| 18 |
It may sound lazy but considering upstream packages are not signed, most |
| 19 |
developers don't even know each other in real life, and you are |
| 20 |
implicitly trusting anyone who has the key and cvs access (any true |
| 21 |
paranoid would see what I'm talking about). Unless the system is simple |
| 22 |
and transparent for developers and end users its (disclaimer: in my view |
| 23 |
and my view alone) a pain that gives people a false sense of security |
| 24 |
about software they are downloading from the internet. |
| 25 |
|
| 26 |
There is also the issue of keys... who holds them, etc. The signing of |
| 27 |
packages could create political side effects and formalities. We have |
| 28 |
quite a few developers with CVS access. This means we are going to be |
| 29 |
sharing keys on multiple machines or have to go through a pain in the |
| 30 |
arse every time we want to check a package in. |
| 31 |
|
| 32 |
Such a system may force the solid formation of "teams" and encourage a |
| 33 |
more unfriendly BSD-style core development model. As a gentoo developer |
| 34 |
I like being able to work many different aspects of gentoo whenever I |
| 35 |
feel like it. And if a find an annoying bug I wish to fix, I like being |
| 36 |
able to fix it, rather then spending time asking whichever "team" is in |
| 37 |
charge of said package and having to ask for permission or whatever. |
| 38 |
(ok, I'm exagurating, but I've heard too many horror stories from the |
| 39 |
history of the *BSDs) |
| 40 |
|
| 41 |
If we decide to avoid a team based structure, then we are going to have |
| 42 |
to worry about individual keys. Most packages, although sometimes |
| 43 |
marked as having a maintainer, do not really have maintainers set in |
| 44 |
stone. Most of the packages are freely modified by any developer who |
| 45 |
has a real reason to make changes to said packages. Although there are |
| 46 |
exceptions, portage does have maintainers due to its importance and the |
| 47 |
fact its a gentoo creation (we are the upstream maintainers). Also if |
| 48 |
you as a developer are aware that someone is working on a package or has |
| 49 |
a pet project, its considered good etiquite to ask them first (chances |
| 50 |
are they are already working on the issue anyways). So that means we |
| 51 |
would either have to assign maintainers with keys to specific packages |
| 52 |
and have changes cleared through them, or have the system check every |
| 53 |
possible key against the package to see if the package has a valid |
| 54 |
signature from 1 of 30 or so developers (I'm guessing about that |
| 55 |
number). |
| 56 |
|
| 57 |
Another alternative is a global key. One key shared among all |
| 58 |
developers... IMHO, there isn't much point of signing after that... if |
| 59 |
the key is leaked (accounts hacked, etc) we'd have to get in touch with |
| 60 |
all developers, reissue keys, and resign all packages after verifying |
| 61 |
them all. |
| 62 |
|
| 63 |
Just my two cents on the issue, feel free to flame or just call me |
| 64 |
paranoid, crazy, etc ;) Personally, I liked the open (more carefree?) |
| 65 |
attitude towards the beginning of the project and I'd hate to see that |
| 66 |
go away because of its increased popularity :) |
| 67 |
|
| 68 |
-- |
| 69 |
|
| 70 |
Bruce A. Locke |
| 71 |
blocke@××××××.org |
| 72 |
|
| 73 |
"Those that would give up a necessary freedom for temporary |
| 74 |
safety deserve neither freedom nor safety." |
| 75 |
-- Ben Franklin |
Archives