| 1 |
W dniu pon, 02.07.2018 o godzinie 20∶01 +0200, użytkownik Jason A. |
| 2 |
Donenfeld napisał: |
| 3 |
> On Mon, Jul 2, 2018 at 7:21 PM Michał Górny <mgorny@g.o> wrote: |
| 4 |
> > |
| 5 |
> > W dniu pon, 02.07.2018 o godzinie 19∶01 +0200, użytkownik Jason A. |
| 6 |
> > Donenfeld napisał: |
| 7 |
> > > On Mon, Jul 2, 2018 at 6:58 PM Michał Górny <mgorny@g.o> wrote: |
| 8 |
> > > > - Have verification use a keyring of all Gentoo developers, with a |
| 9 |
> > > > > manual prompt to add new Gentoo developers to it. |
| 10 |
> > > > |
| 11 |
> > > > How are you going to distribute this keyring, and how are you going to |
| 12 |
> > > > protect attacker from injecting malicious key into it? |
| 13 |
> > > |
| 14 |
> > > Same model as Arch. |
| 15 |
> > > |
| 16 |
> > |
| 17 |
> > Please write it down here instead of expecting us to figure it out. |
| 18 |
> > It's your proposal, and it should be complete. |
| 19 |
> |
| 20 |
> I believe Arch's system relies on some core developers having master |
| 21 |
> keys and the revocation certificates being distributed amongst them: |
| 22 |
> |
| 23 |
> https://www.archlinux.org/master-keys/ |
| 24 |
> |
| 25 |
> Then all other developers are signed from there in one way or another. |
| 26 |
> It's kind of a modified web of trust. |
| 27 |
> |
| 28 |
> I don't know whether or not this is necessarily the best model to |
| 29 |
> emulate -- perhaps we could do better, for example -- but it does seem |
| 30 |
> like a good starting point. Instead we might prefer a single hardware |
| 31 |
> device somewhere. |
| 32 |
> |
| 33 |
> The idea would be -- portage fetches an updated "key list" from |
| 34 |
> somewhere. This new list of keys is considered if it is: a) signed by |
| 35 |
> the master keys and b) internally fulfills some WoT topological |
| 36 |
> requirements. Then, if these pass, it is up to the user to then |
| 37 |
> manually [y/N] the addition of new keys to the key ring. If they |
| 38 |
> suspect a particular developer has bad security practices, for |
| 39 |
> example, they could trivially [N] it, and then not have tree files he |
| 40 |
> touched copied from the shadow location to the portage directory. |
| 41 |
|
| 42 |
I'm afraid that in order to convince me you need to have a clear, well- |
| 43 |
defined model that improves security over the current solution. |
| 44 |
|
| 45 |
In other words, I see no purpose in adding a lot of complexity in order |
| 46 |
to shift the weakest link from one Infra machine handling the signing to |
| 47 |
another single point of failure in distributing the keys. |
| 48 |
|
| 49 |
-- |
| 50 |
Best regards, |
| 51 |
Michał Górny |
Archives