* Alexander Holler <holler@××××××××××.de> [2002-06-07 13:00]:
> Hi Jeremiah,
>
> --On Freitag, Juni 07, 2002 02:34:52 -0700 Jeremiah Mahler
> <jmahler@×××××××.net> wrote:
>
> >If anyone can submit ebuilds and the only way a user can discern between
> >different ebuilds is by the version number then the following is true:
> > 1. an ebuild can contain malicious code (worm, virus, etc)
> > 2. nothing will prevent the user from using a malicious ebuild
>
> To end that discussion (I think we both want almost the same), I'm just at
> the point to start it simple (with one key for the server). It isn't much
> work and it's no problem to extend that later.

There is a problem with having one key. If the server is going to sign its own
ebuilds, then the password will have to be stored on the server. If
the server is rooted or someone gets access to the key, then the
security is broken.

If there is only one key, then all the developers would need to know
the password, or have only one person sign the ebuilds. Both are
unacceptable IMO.

The right way of doing this is to sign the gentoo developer's gpg
key with a master portage key, then check the signatures and trust
level on the key and package(s).

-ryan
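The certification chain ryan describes, as an added example that is not part of the thread and not Portage code: a master key certifies each developer's key, and an ebuild is accepted only when its signature checks under a developer key that the master key has certified and not revoked. Textbook RSA with tiny, deterministically chosen primes stands in for GPG so the script runs offline with the standard library alone; it is not a secure signature scheme, and the names (`Keyring`, `verify_ebuild`, "alice", "mallory") and the sample ebuild text are constructed for the demonstration. The point is the chain-of-trust logic: a compromised or leaked developer key is handled by revoking one certification, whereas the single server key in the quoted proposal would have to be replaced everywhere.

```python
import hashlib
import math
from dataclasses import dataclass, field


# ---- toy signature primitive: constructed stand-in for GPG, NOT secure ----
def _next_prime(n: int) -> int:
    while any(n % i == 0 for i in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def toy_keypair(seed: int, e: int = 65537):
    """Deterministic textbook-RSA keypair from a seed: returns (public, private)."""
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest(data: bytes, n: int) -> int:
    # SHA-256 reduced mod n so the tiny toy modulus can sign it
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def toy_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def fingerprint(pub) -> str:
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


# ---- keyring with a master (trust root) key and per-key certifications ----
@dataclass
class Key:
    name: str
    pub: tuple
    # certifier fingerprint -> signature over this key's fingerprint
    certifications: dict = field(default_factory=dict)


class Keyring:
    def __init__(self, master: Key):
        self.master_fpr = fingerprint(master.pub)   # the configured trust root
        self.keys = {self.master_fpr: master}
        self.revoked = set()

    def add(self, key: Key) -> str:
        fpr = fingerprint(key.pub)
        self.keys[fpr] = key
        return fpr

    def certify(self, certifier: Key, certifier_priv, subject: Key) -> None:
        """Record that `certifier` vouches for `subject`'s key."""
        subject.certifications[fingerprint(certifier.pub)] = toy_sign(
            certifier_priv, fingerprint(subject.pub).encode())

    def verify_ebuild(self, ebuild: bytes, signer_fpr: str, sig: int):
        """Return (accepted, reason); every link of the chain must hold."""
        key = self.keys.get(signer_fpr)
        if key is None:
            return False, "unknown signer"
        if signer_fpr in self.revoked:
            return False, "signer key revoked"
        if not toy_verify(key.pub, ebuild, sig):
            return False, "bad ebuild signature"
        cert = key.certifications.get(self.master_fpr)
        if cert is None:
            return False, "signer not certified by master key"
        master = self.keys[self.master_fpr]
        if not toy_verify(master.pub, fingerprint(key.pub).encode(), cert):
            return False, "forged certification"
        return True, "ok"


def run_demo() -> dict:
    master_pub, master_priv = toy_keypair(10 ** 6)
    alice_pub, alice_priv = toy_keypair(2 * 10 ** 6)
    mallory_pub, mallory_priv = toy_keypair(3 * 10 ** 6)
    master = Key("portage-master", master_pub)
    ring = Keyring(master)
    alice, mallory = Key("alice@gentoo", alice_pub), Key("mallory", mallory_pub)
    alice_fpr, mallory_fpr = ring.add(alice), ring.add(mallory)
    ring.certify(master, master_priv, alice)          # master vouches for alice only

    # constructed sample ebuild content
    ebuild = b'# demo ebuild\nDESCRIPTION="demo"\nsrc_install() { :; }\n'
    results = {}
    results["certified"] = ring.verify_ebuild(ebuild, alice_fpr, toy_sign(alice_priv, ebuild))
    results["uncertified"] = ring.verify_ebuild(ebuild, mallory_fpr, toy_sign(mallory_priv, ebuild))
    results["tampered"] = ring.verify_ebuild(ebuild + b"echo tampered\n", alice_fpr,
                                             toy_sign(alice_priv, ebuild))
    # mallory plants a "certification" under the master fingerprint signed with her own key
    mallory.certifications[ring.master_fpr] = toy_sign(mallory_priv, fingerprint(mallory_pub).encode())
    results["forged_cert"] = ring.verify_ebuild(ebuild, mallory_fpr, toy_sign(mallory_priv, ebuild))
    # alice's key leaks: revoke that one key, the master root stays valid
    ring.revoked.add(alice_fpr)
    results["revoked"] = ring.verify_ebuild(ebuild, alice_fpr, toy_sign(alice_priv, ebuild))
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:12s} -> {outcome}")
```

The order of checks in `verify_ebuild` is deliberate: a signature that verifies under an uncertified or revoked key is still rejected, which is the "trust level on the key" part of ryan's proposal rather than just "does the signature check".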