On Fri, May 06, 2016 at 01:14:22AM +0200, M.B. wrote:
> Good evening folks,
>
> in the past I witnessed bits and pieces of attempts to increase the
> infrastructure userside, but, unless I'm mistaken, there's still room
> for improvement.
>
> Since a couple of years we have the webrsync-gpg FEATURE, which enables
> automatic verification of the portage tree, when updated via webrsync.
>
> We also have mandatory signing via gpg of packages, news items and (I
> strongly suspect) GLSAs for maintainers. Yet, there's no checking
> mechanism whatsoever in portage.
Portage _can_ check signed Manifests, it's just presently not doing so
as even less of the manifests are signed than they used to be with the
Git migration (read on).

> Now my question: are there plans existing on how to improve this
> situation? Any project that might be involved with such plans?
> In particular, my question is with respect to
> - automatic verification of the gpg-signatures provided when syncing
> via git
Use gkeys and you should have all the keys needed to verify the commits.

> - development of a verification scheme that works just as well with rsync
> - on the threat-assessment side: are there dangers involved, apart from
> a mitm-attack between the (rsyncing) end-user and a mirror or a mirror
> and the main servers?
Read the MetaManifest GLEPs, this was already planned & proposed years
ago, and hopefully at the end of this GSoC, the final implementation
pieces will be done too.

Most importantly, MetaManifest will reduce the need of signing every
single Manifest, to just signing a single top-level (meta)manifest.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
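
The single top-level manifest idea from the reply above, as an added example that is not part of the original thread and is not Gentoo's MetaManifest format or Portage code. The one-line-per-entry manifest layout, all function names, the sample tree, and the use of a pinned SHA-256 digest in place of the GPG signature check on the top-level manifest are assumptions made for illustration.

```python
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

def make_manifest(entries):
    # Assumed layout: one "name sha256" line per entry, sorted for determinism.
    lines = (f"{name} {digest(body)}\n" for name, body in sorted(entries.items()))
    return "".join(lines).encode()

def parse_manifest(blob):
    return dict(line.rsplit(" ", 1) for line in blob.decode().splitlines())

def build_tree(packages):
    """{dir: {file: bytes}} -> (tree with per-directory Manifests, top-level manifest)."""
    tree, subs = {}, {}
    for d, files in packages.items():
        tree.update({f"{d}/{n}": b for n, b in files.items()})
        tree[f"{d}/Manifest"] = subs[f"{d}/Manifest"] = make_manifest(files)
    return tree, make_manifest(subs)

def verify_file(tree, top, trusted_top_digest, path):
    # Only the top-level manifest is authenticated directly (stand-in for GPG).
    if digest(top) != trusted_top_digest:
        return "top-level manifest not authentic"
    d, name = path.rsplit("/", 1)
    sub = tree.get(f"{d}/Manifest")
    # The unsigned directory Manifest is trusted only via its hash in the top level.
    if sub is None or parse_manifest(top).get(f"{d}/Manifest") != digest(sub):
        return "directory Manifest mismatch"
    body = tree.get(path)
    if body is None or parse_manifest(sub).get(name) != digest(body):
        return "file mismatch"
    return "ok"

def tamper_on_mirror(tree, path, new_body):
    """Simulate a mirror that alters a file and regenerates its unsigned Manifest."""
    bad, d = dict(tree), path.rsplit("/", 1)[0]
    bad[path] = new_body
    files = {p.rsplit("/", 1)[1]: b for p, b in bad.items()
             if p.startswith(d + "/") and p != f"{d}/Manifest"}
    bad[f"{d}/Manifest"] = make_manifest(files)
    return bad

# Constructed sample tree, not real package data.
PACKAGES = {"app-misc/foo": {"foo-1.0.ebuild": b"EAPI=6\n"},
            "sys-apps/bar": {"bar-2.1.ebuild": b"EAPI=6\n"}}
TREE, TOP = build_tree(PACKAGES)
TRUSTED = digest(TOP)  # stands in for "the signature on TOP verified"
```

A file change made together with a regenerated directory Manifest still fails verification, because that Manifest's hash no longer matches the authenticated top-level entry.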