1 |
On Fri, 22 May 2020 21:58:54 +0200 |
2 |
Michał Górny <mgorny@g.o> wrote: |
3 |
|
4 |
> Let's put it like this. This thing starts working. Package X is |
5 |
> broken, and we see that almost nobody is using it. We remove that |
6 |
> package. Now somebody is angry. He submits a lot of fake data to |
7 |
> render the service useless so that we don't make any future decisions |
8 |
> based on it. |
9 |
|
10 |
Sure, and I agree that's a risk. But its not the "random users from the |
11 |
internet fill your inbox with shallow promises of free money" sort of |
12 |
risk, that's typically implied by "spam" ;). |
13 |
|
14 |
The set of potential attackers seems much smaller in our case, and are |
15 |
expressly likely to be actual consumers of Gentoo. |
16 |
|
17 |
This attacker type seems to be the sort that mitigates well with: |
18 |
|
19 |
- Make it so that end users can't forge custom IDs and can only be |
20 |
handed out by the server (but the ID doesn't actually add any |
21 |
tracking, its just a chunk of randomness with a signature that |
22 |
verifies its legitimacy) |
23 |
|
24 |
- Make ID generation expensive. |
25 |
|
26 |
- Limit submissions per ID the same way we do now. |
27 |
|
28 |
That way it doesn't harm typical users beyond their --setup, but hurts |
29 |
would be attackers. |
30 |
|
31 |
If we get under attack, we can just suspend ID generation services, or |
32 |
rate limit ID generation. |
33 |
|
34 |
(And we can encode data in the ID about when it was generated, and the |
35 |
strength of the challenge of the generation, and then block submissions |
36 |
based on criteria when problems occur) |
37 |
|
38 |
This means we don't need to keep track of what ID's are "valid", server |
39 |
side, crypto bits do all the leg work. |
40 |
|
41 |
Even if our private key doing the signing gets compromised, we can |
42 |
change it, which triggers all users to need to re-id, and flush old |
43 |
data. |