On Sun, May 01, 2011 at 11:23:40PM +0000, Duncan wrote:
> What about having a dedicated server-based changelog-signing key? That's
> still a lot of signing with a single key, but as you observed, the hazards
> of a loss of integrity there aren't as high as with most of the tree
> content. It'd require changes, but I don't believe they're out of line
> with that required for the rest of the proposal.

It means the only real trust that clients can level is on that key-
since it will be the last signer (thus /the/ signer) across all pkgs.

Get at that key, and you've got the tree, versus the current form,
crack all signing keys and you've got the tree.

Mind you this is ignoring eclasses, but getting eclasses sorted will
be mildly pointless if the rest of the solution has been
weakened/gutted since.

Point is, it's not *just* about having a signature on it- it's about
mapping the trust of that signature back, and sectioning/containing
compromises. What y'all are suggesting guts that layered defense.
~brian