| 1 |
Back when the zynot guys did thier thing i laid out a system for dist/pacakage signing on the wiki, but that has gone away. |
| 2 |
I have thrown up a quick htmlized version of that *and removed the zynot refs for those still sore bout that* and put it up |
| 3 |
|
| 4 |
http://f00bar.com/files/ds.html |
| 5 |
|
| 6 |
heres the quick overview: |
| 7 |
* GPG signatures for builds, patches, distfiles and sources from cvs or svn repositories |
| 8 |
* Auditing of distfiles/ebuilds for inclusion in the "secure or stable" branch |
| 9 |
* Options for securing the transmission channel for trees and distfiles |
| 10 |
* Revocation of certificates |
| 11 |
* Policy for dealing with poison mirrors,distfiles, and ebuilds |
| 12 |
* Policy for accetping new developer/maintainer keys ( see http://www.debian.org/devel/join/nm-step2 debians docs on this) |
| 13 |
* Web of trust and how it could apply to p2p and other areas |
| 14 |
|
| 15 |
the zynot forums had a good thread bout this as well @ p2p stuff and thats linked from the top of this html page. |
| 16 |
|
| 17 |
|
| 18 |
* Chris Bainbridge (c.j.bainbridge@×××××.uk) wrote: |
| 19 |
> Date: Wed, 24 Mar 2004 00:09:20 +0000 |
| 20 |
> From: Chris Bainbridge <c.j.bainbridge@×××××.uk> |
| 21 |
> To: gentoo-dev@l.g.o |
| 22 |
> User-Agent: KMail/1.6.1 |
| 23 |
> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63 |
| 24 |
> Subject: Re: [gentoo-dev] 2004.1 will not include a secure portage. |
| 25 |
> |
| 26 |
> I think the idea of a central key controlling everything is bad - this means |
| 27 |
> one person is ultimately responsible for the portage tree, and compromising |
| 28 |
> this will allow access to everything. It would be better if every gentoo |
| 29 |
> developer had a gpg key. Each package in the portage tree would then have |
| 30 |
> a .gpg file which lists signatures for the package digest which contains |
| 31 |
> hashes of each ebuild, files/*, and downloaded distfiles, and a permissions |
| 32 |
> section listing who has access to make modifications to this dir (such as |
| 33 |
> writing new ebuilds). People who already have access to a package are then |
| 34 |
> free to grant access to others merely by inserting their public key into this |
| 35 |
> file. emerge sync would have to be modified so that it checks signatures |
| 36 |
> before files are updated. |
| 37 |
> |
| 38 |
> Important packages may require multiple signatures before a file is installed |
| 39 |
> - this is to eliminate the possibility that a compromise of a single gentoo |
| 40 |
> developer will hand root access to every gentoo installed system. At the |
| 41 |
> moment, every developer is a point of cvs write access from which an attacker |
| 42 |
> could root many gentoo installations. |
| 43 |
> |
| 44 |
> The key downloads, checking, revocation etc. would be handled by the existing |
| 45 |
> gpg keyserver infrastructure (eg. keyserver.net). There is no need for an all |
| 46 |
> powerful gentoo key, or even distribution system. Simply have emerge call gpg |
| 47 |
> to do everything. |
| 48 |
> |
| 49 |
> This only really requires changes to the emerge sync process and a developer |
| 50 |
> script to check, sign, and post changes. Everything else can be handed off to |
| 51 |
> gpg. It would also enable some more exciting distribution methods like RSS |
| 52 |
> channels listing new signed files in portage along with a p2p backend to |
| 53 |
> fetch them, automatic security updates, etc. |
| 54 |
> |
| 55 |
> On Tuesday 23 March 2004 13:12, Paul de Vrieze wrote: |
| 56 |
> |
| 57 |
> > Ok, the biggest problem is an idea for how the actual checking should |
| 58 |
> > function. (Signing is straightforward). |
| 59 |
> > |
| 60 |
> > I'll take a first shot at describing a key chain idea. Please shoot at it |
| 61 |
> > and try to find the holes. But remember it needs to stay workable. First |
| 62 |
> > the premises: |
| 63 |
> |
| 64 |
> -- |
| 65 |
> gentoo-dev@g.o mailing list |
| 66 |
> |
| 67 |
> |
| 68 |
|
| 69 |
-- |
| 70 |
gentoo-dev@g.o mailing list |
Archives