1 |
On 19/05/06, Patrick Lauer <patrick@g.o> wrote: |
2 |
> On Fri, 2006-05-19 at 10:46 +0100, Chris Bainbridge wrote: |
3 |
> > We already trust the master cvs server admins (and they could just |
4 |
> > replace the whole tree anyway), so what benefit does a distributed |
5 |
> > signing system like gpg actually give to the developers or users? I |
6 |
> > can't see any that are worth the costs of key management (and there |
7 |
> > are costs, otherwise a system would've been put into place years |
8 |
> > ago). |
9 |
> No central authority --> no single point of failure |
10 |
> Give me a central server and I will focus on hacking that ... hacking 50 |
11 |
> developers is much harder ;-) |
12 |
|
13 |
There are now several hundred gentoo developers. It is more likely |
14 |
that one of them has a security lapse than cvs.gentoo.org. |
15 |
|
16 |
> > So my simple proposal would be to use a single key, and a post-commit |
17 |
> > cvs hook to sign the whole tree. It takes me 1.5 seconds with gnupg to |
18 |
> > generate a signature covering the whole tree on my desktop here. I |
19 |
> > don't know how many commits per day there are (and maybe that would be |
20 |
> > reduced with an atomic commit system like svn), so I don't know if |
21 |
> > this is an acceptable cost. I think it probably is, but if not, then |
22 |
> > signing could be done per-directory. |
23 |
> I don't see what that gains you ... what exactly does this signature |
24 |
> express? |
25 |
> and 1.5sec doesn't appear realistic to me, I'd expect it to take ~1 |
26 |
> minute even on a fast system |
27 |
|
28 |
It is a single signature across the entire portage tree. It means that |
29 |
after rsync emerge can check the signature against the retrieved tree |
30 |
to validate the whole tree (or overlay). |
31 |
|
32 |
Instead of guessing performance, test it. We can assume that disk |
33 |
activity is negligible - we have a dedicated server, and the portage |
34 |
tree is ~115MB, so most of it will be cached in main memory. In |
35 |
particular there is no disk seek latency. To simulate that we can |
36 |
gather everything into a single file (which also has the side effect |
37 |
of pulling into the cache) and then gpg sign that file: |
38 |
|
39 |
find /usr/portage -path '/usr/portage/metadata' -prune -o -path |
40 |
'/usr/portage/distfiles' -prune -o -path '/usr/portage/packages' |
41 |
-prune -o -type f -exec cat {} > /tmp/blah \; |
42 |
time gpg --detach-sign -a /tmp/blah |
43 |
|
44 |
I get 1.5 seconds on a desktop and 6.5 seconds on a laptop. |
45 |
|
46 |
> > The benefits of this would be that changes are minimised - developers |
47 |
> > and users act the same, the impact on the tree is a 191 byte |
48 |
> > signature, and yet it will protect against the most likely and most |
49 |
> > practical form of attack. |
50 |
> So ... DoS scenario |
51 |
> I just add one byte to the tree and the signature fails ... what then? |
52 |
|
53 |
Emerge informs the user that the rsync server has been corrupted and |
54 |
terminates. How would this be any different with distributed file |
55 |
signing? You have to rsync the entire tree, and then verify it - at |
56 |
that point the tree is already corrupt. Ideally overlayfs (or just |
57 |
plain old keeping a backup) could be used to restore the pre-sync |
58 |
tree. |
59 |
|
60 |
> > I was much more pro-distributed trust system in 2003 (or whenever this |
61 |
> > was last discussed), but I think the right solution now is the |
62 |
> > practical, easy to implement one. |
63 |
> I think I'd prefer a hybrid. |
64 |
|
65 |
It could be done in stages. Start with the (easier) central key, then |
66 |
later add distributed keys. I think a hybrid system would be the ideal |
67 |
system, but realistically, bug #5902 has been around since March 2003 |
68 |
and no real progress has been made. The main sticking point seems to |
69 |
be disagreements over key management and policies. I would hope that |
70 |
most people could agree that a single key with a post-commit signing |
71 |
is better than what we have now, and could be easily implemented, |
72 |
whilst leaving open the option of a hybrid system implementation at a |
73 |
later date. |
74 |
|
75 |
-- |
76 |
gentoo-dev@g.o mailing list |