1 |
On Sat, Sep 20, 2014 at 2:09 PM, Ulrich Mueller <ulm@g.o> wrote: |
2 |
>>>>>> On Wed, 17 Sep 2014, Aaron W. Swenson wrote: |
3 |
> |
4 |
>> My argument is Git using SHA-1 for checksumming is not the weakest |
5 |
>> part of our security model. |
6 |
> |
7 |
> I had always assumed that robbat2's series of GLEPs (57 to 61) would |
8 |
> be implemented at some point. So security from the developer to the |
9 |
> master repository would be ensured by using a secure channel for |
10 |
> commits, and distribution from the repository to users would use |
11 |
> secure hashes (SHA-256 or better) and gpg signatures. |
12 |
> |
13 |
> I didn't see any mention of this in the discussion, though. Have these |
14 |
> plans been abandoned, and are we now planning to distribute the tree |
15 |
> to users via Git, where everything goes through the bottleneck of a |
16 |
> SHA-1 sum, which was never intended as a security feature? [1] |
17 |
> |
18 |
> If this is so, why don't we abandon all those fancy SHA-512s and |
19 |
> WHIRLPOOLs in our Manifest files, and replace them by a single SHA-1? |
20 |
> Altogether, this would save about 50 MB of space in the tree. :) |
21 |
|
22 |
The issue is that we have lots of devs with lots of plans, and nothing |
23 |
official whatsoever. There is no formal plan to ever adopt those |
24 |
GLEPs (I'm not saying it isn't likely to happen - just that there |
25 |
isn't some kind of roadmap to actually implementing them). There is |
26 |
no plan to ever move to git, or not move to git. There is no plan for |
27 |
how any of this stuff is supposed to work a few years from now. |
28 |
|
29 |
Gentoo isn't terribly big on planning - whether this is a good or bad |
30 |
thing is perhaps debatable. Typically whoever implements something |
31 |
first tends to decide how it gets implemented. |
32 |
|
33 |
It seems like most people involved in the git migration have planned |
34 |
on moving to signed commits and thin manifests. This would mean that |
35 |
the chain of security would include dependence on sha1, since that is |
36 |
the only thing that binds a singed commit to the data which was |
37 |
committed (including the thin manifest file itself). |
38 |
|
39 |
Then you get all the pile-on arguments that basically question whether |
40 |
we care about the tree being signed anyway. |
41 |
|
42 |
If this were some kind of corporation where we could make whatever |
43 |
plans we wanted to make and pay people to make them happen whether |
44 |
they liked the plans or not, then I would suggest the way we should go |
45 |
about this is: |
46 |
1. Decide whether we really care about tree signing. |
47 |
2. If yes, no more arguing about whether we need tree signing. Next |
48 |
step is to decide what threat models we want to protect against. |
49 |
3. Then design something that actually provides security against the |
50 |
targeted threat models. |
51 |
|
52 |
The issue here is that we're basically starting at #3, with people all |
53 |
over the map about #1-2, and thus it should be entirely unsurprising |
54 |
that we invest in things like signed commits with nothing more than |
55 |
sha1 to bind those signatures to files. |
56 |
|
57 |
I'm personally in the camp that I'd rather see ANY git migration |
58 |
happen sooner rather than later and I'd rather migrate first and then |
59 |
fix any signature issues later. Simple gpg signed commits secured |
60 |
only with sha1 seems good enough to start with. |
61 |
|
62 |
-- |
63 |
Rich |