| 1 |
* Alexander Holler <holler@××××××××××.de> [2002-06-07 13:00]: |
| 2 |
> Hi Jeremiah, |
| 3 |
> |
| 4 |
> --On Freitag, Juni 07, 2002 02:34:52 -0700 Jeremiah Mahler |
| 5 |
> <jmahler@×××××××.net> wrote: |
| 6 |
> |
| 7 |
> >If anyone can submit ebuilds and the only way a user can discern between |
| 8 |
> >different ebuilds is by the version number than the following is true: |
| 9 |
> > 1. an ebuild can contain malicious code (worm, virus, etc) |
| 10 |
> > 2. nothing will prevent the user from using a malicious ebuild |
| 11 |
> |
| 12 |
> To end that discussion (I think we both wants almost the same), I'm just at |
| 13 |
> the point to start it simple (with one key for the server). It isn't much |
| 14 |
> work and it it's no problem to extend that later. |
| 15 |
|
| 16 |
There is a problem with having one key. If the server is going to sign its own |
| 17 |
ebuilds, then the password will have to be stored on the server. If |
| 18 |
the server is rooted or someone gets access to the key, then the |
| 19 |
security is broken. |
| 20 |
|
| 21 |
If there is only way key, then all the developers would need to know |
| 22 |
the password, or have only one person sign the ebuilds. Both are |
| 23 |
unacceptable IMO. |
| 24 |
|
| 25 |
The right way of doing this is to sign the gentoo developer's gpg |
| 26 |
key with a master portage key, then check the signatures and trust |
| 27 |
level on the key and package(s). |
| 28 |
|
| 29 |
-ryan |
Archives