| 1 |
On Sat, Sep 20, 2014 at 2:09 PM, Ulrich Mueller <ulm@g.o> wrote: |
| 2 |
>>>>>> On Wed, 17 Sep 2014, Aaron W. Swenson wrote: |
| 3 |
> |
| 4 |
>> My argument is Git using SHA-1 for checksumming is not the weakest |
| 5 |
>> part of our security model. |
| 6 |
> |
| 7 |
> I had always assumed that robbat2's series of GLEPs (57 to 61) would |
| 8 |
> be implemented at some point. So security from the developer to the |
| 9 |
> master repository would be ensured by using a secure channel for |
| 10 |
> commits, and distribution from the repository to users would use |
| 11 |
> secure hashes (SHA-256 or better) and gpg signatures. |
| 12 |
> |
| 13 |
> I didn't see any mention of this in the discussion, though. Have these |
| 14 |
> plans been abandoned, and are we now planning to distribute the tree |
| 15 |
> to users via Git, where everything goes through the bottleneck of a |
| 16 |
> SHA-1 sum, which was never intended as a security feature? [1] |
| 17 |
> |
| 18 |
> If this is so, why don't we abandon all those fancy SHA-512s and |
| 19 |
> WHIRLPOOLs in our Manifest files, and replace them by a single SHA-1? |
| 20 |
> Altogether, this would save about 50 MB of space in the tree. :) |
| 21 |
|
| 22 |
The issue is that we have lots of devs with lots of plans, and nothing |
| 23 |
official whatsoever. There is no formal plan to ever adopt those |
| 24 |
GLEPs (I'm not saying it isn't likely to happen - just that there |
| 25 |
isn't some kind of roadmap to actually implementing them). There is |
| 26 |
no plan to ever move to git, or not move to git. There is no plan for |
| 27 |
how any of this stuff is supposed to work a few years from now. |
| 28 |
|
| 29 |
Gentoo isn't terribly big on planning - whether this is a good or bad |
| 30 |
thing is perhaps debatable. Typically whoever implements something |
| 31 |
first tends to decide how it gets implemented. |
| 32 |
|
| 33 |
It seems like most people involved in the git migration have planned |
| 34 |
on moving to signed commits and thin manifests. This would mean that |
| 35 |
the chain of security would include dependence on sha1, since that is |
| 36 |
the only thing that binds a singed commit to the data which was |
| 37 |
committed (including the thin manifest file itself). |
| 38 |
|
| 39 |
Then you get all the pile-on arguments that basically question whether |
| 40 |
we care about the tree being signed anyway. |
| 41 |
|
| 42 |
If this were some kind of corporation where we could make whatever |
| 43 |
plans we wanted to make and pay people to make them happen whether |
| 44 |
they liked the plans or not, then I would suggest the way we should go |
| 45 |
about this is: |
| 46 |
1. Decide whether we really care about tree signing. |
| 47 |
2. If yes, no more arguing about whether we need tree signing. Next |
| 48 |
step is to decide what threat models we want to protect against. |
| 49 |
3. Then design something that actually provides security against the |
| 50 |
targeted threat models. |
| 51 |
|
| 52 |
The issue here is that we're basically starting at #3, with people all |
| 53 |
over the map about #1-2, and thus it should be entirely unsurprising |
| 54 |
that we invest in things like signed commits with nothing more than |
| 55 |
sha1 to bind those signatures to files. |
| 56 |
|
| 57 |
I'm personally in the camp that I'd rather see ANY git migration |
| 58 |
happen sooner rather than later and I'd rather migrate first and then |
| 59 |
fix any signature issues later. Simple gpg signed commits secured |
| 60 |
only with sha1 seems good enough to start with. |
| 61 |
|
| 62 |
-- |
| 63 |
Rich |
Archives