| 1 |
On Fri, May 06, 2016 at 01:14:22AM +0200, M.B. wrote: |
| 2 |
> Good evening folks, |
| 3 |
> |
| 4 |
> in the past I witnessed bits and pieces of attempts to increase the |
| 5 |
> infrastructure userside, but, unless I'm mistaken, there's still room |
| 6 |
> for improvement. |
| 7 |
> |
| 8 |
> Since a couple of years we have the webrsync-gpg FEATURE, which enables |
| 9 |
> automatic verification of the portage tree, when updated via webrsync. |
| 10 |
> |
| 11 |
> We also have mandatory signing via gpg of packages, news items and (I |
| 12 |
> strongly suspect) GLSAs for maintainers. Yet, there's not checking |
| 13 |
> mechanism whatsoever in portage. |
| 14 |
Portage _can_ check signed Manifests, it's just presently not doing so |
| 15 |
as even less of the manifests are signed than they used to be with the |
| 16 |
Git migration (read on). |
| 17 |
|
| 18 |
> Now my question: are there plans existing on how to improve this |
| 19 |
> situation? Any project that might be involved with such plans? |
| 20 |
> In particular, my question is with respect to |
| 21 |
> - automatic verififcation of the gpg-signatures provided when syncing |
| 22 |
> via git |
| 23 |
Use gkeys and you should have all the keys needed to verify the commits. |
| 24 |
|
| 25 |
> - development of a verification scheme that works just as well with rsync |
| 26 |
> - on the threat-assessment side: are there dangers involved, apart from |
| 27 |
> a mitm-attack between the (rsyncing) end-user and a mirror or a mirror |
| 28 |
> and the main servers? |
| 29 |
Read the MetaManifest GLEPs, this was already planned & proposed years |
| 30 |
ago, and hopefully at the end of this GSoC, the final implementation |
| 31 |
pieces will be done too. |
| 32 |
|
| 33 |
Most importantly, MetaManifest will reduce the need of signing every |
| 34 |
single Manifest, to just signing a single top-level (meta)manifest. |
| 35 |
|
| 36 |
-- |
| 37 |
Robin Hugh Johnson |
| 38 |
Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee |
| 39 |
E-Mail : robbat2@g.o |
| 40 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives