1 |
Back when the zynot guys did thier thing i laid out a system for dist/pacakage signing on the wiki, but that has gone away. |
2 |
I have thrown up a quick htmlized version of that *and removed the zynot refs for those still sore bout that* and put it up |
3 |
|
4 |
http://f00bar.com/files/ds.html |
5 |
|
6 |
heres the quick overview: |
7 |
* GPG signatures for builds, patches, distfiles and sources from cvs or svn repositories |
8 |
* Auditing of distfiles/ebuilds for inclusion in the "secure or stable" branch |
9 |
* Options for securing the transmission channel for trees and distfiles |
10 |
* Revocation of certificates |
11 |
* Policy for dealing with poison mirrors,distfiles, and ebuilds |
12 |
* Policy for accetping new developer/maintainer keys ( see http://www.debian.org/devel/join/nm-step2 debians docs on this) |
13 |
* Web of trust and how it could apply to p2p and other areas |
14 |
|
15 |
the zynot forums had a good thread bout this as well @ p2p stuff and thats linked from the top of this html page. |
16 |
|
17 |
|
18 |
* Chris Bainbridge (c.j.bainbridge@×××××.uk) wrote: |
19 |
> Date: Wed, 24 Mar 2004 00:09:20 +0000 |
20 |
> From: Chris Bainbridge <c.j.bainbridge@×××××.uk> |
21 |
> To: gentoo-dev@l.g.o |
22 |
> User-Agent: KMail/1.6.1 |
23 |
> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63 |
24 |
> Subject: Re: [gentoo-dev] 2004.1 will not include a secure portage. |
25 |
> |
26 |
> I think the idea of a central key controlling everything is bad - this means |
27 |
> one person is ultimately responsible for the portage tree, and compromising |
28 |
> this will allow access to everything. It would be better if every gentoo |
29 |
> developer had a gpg key. Each package in the portage tree would then have |
30 |
> a .gpg file which lists signatures for the package digest which contains |
31 |
> hashes of each ebuild, files/*, and downloaded distfiles, and a permissions |
32 |
> section listing who has access to make modifications to this dir (such as |
33 |
> writing new ebuilds). People who already have access to a package are then |
34 |
> free to grant access to others merely by inserting their public key into this |
35 |
> file. emerge sync would have to be modified so that it checks signatures |
36 |
> before files are updated. |
37 |
> |
38 |
> Important packages may require multiple signatures before a file is installed |
39 |
> - this is to eliminate the possibility that a compromise of a single gentoo |
40 |
> developer will hand root access to every gentoo installed system. At the |
41 |
> moment, every developer is a point of cvs write access from which an attacker |
42 |
> could root many gentoo installations. |
43 |
> |
44 |
> The key downloads, checking, revocation etc. would be handled by the existing |
45 |
> gpg keyserver infrastructure (eg. keyserver.net). There is no need for an all |
46 |
> powerful gentoo key, or even distribution system. Simply have emerge call gpg |
47 |
> to do everything. |
48 |
> |
49 |
> This only really requires changes to the emerge sync process and a developer |
50 |
> script to check, sign, and post changes. Everything else can be handed off to |
51 |
> gpg. It would also enable some more exciting distribution methods like RSS |
52 |
> channels listing new signed files in portage along with a p2p backend to |
53 |
> fetch them, automatic security updates, etc. |
54 |
> |
55 |
> On Tuesday 23 March 2004 13:12, Paul de Vrieze wrote: |
56 |
> |
57 |
> > Ok, the biggest problem is an idea for how the actual checking should |
58 |
> > function. (Signing is straightforward). |
59 |
> > |
60 |
> > I'll take a first shot at describing a key chain idea. Please shoot at it |
61 |
> > and try to find the holes. But remember it needs to stay workable. First |
62 |
> > the premises: |
63 |
> |
64 |
> -- |
65 |
> gentoo-dev@g.o mailing list |
66 |
> |
67 |
> |
68 |
|
69 |
-- |
70 |
gentoo-dev@g.o mailing list |