| 1 |
I have no idea where to post this, so I'll start here. Tell me where |
| 2 |
this belongs. |
| 3 |
|
| 4 |
I see these "manifest" files showing up, which look like checksums for |
| 5 |
the checksums, or checksums for the metadata, or something. I think the |
| 6 |
idea is, they help with two goals: |
| 7 |
|
| 8 |
1.) Make it faster to generate/manage the metadata. |
| 9 |
2.) Make the system more secure. |
| 10 |
|
| 11 |
If an rsync mirror were to be compromised, or someone just felt like |
| 12 |
setting up an intentionally compromised one and somehow got it on the |
| 13 |
list of "official" mirrors, with Portage as it was when I last checked, |
| 14 |
all you'd have to do is add a new ebuild that was a "critical update" to |
| 15 |
something like ssh. It's true that it runs as user "portage", but the |
| 16 |
package eventually has to merge to the filesystem, making it all too |
| 17 |
easy to install a rootkit on hundreds of systems without really trying. |
| 18 |
|
| 19 |
There's also the fact that rsync itself isn't too secure, so I'm sure |
| 20 |
there's the possibility of a man-in-the-middle attack. |
| 21 |
|
| 22 |
It was mentioned on IRC that the manifests, which have checksums for all |
| 23 |
the valid ebuilds and files, would be gpg-signed, and that the private |
| 24 |
key would be held by project leaders, while the public key would be |
| 25 |
installed once -- off the install cd. |
| 26 |
|
| 27 |
That's the state if this issue last I checked. A few things that I have |
| 28 |
no idea of right now are: |
| 29 |
|
| 30 |
What about a manifest for all the manifests? It'd be easy enough for a |
| 31 |
malicious rsync mirror to leave off critical security updates and build |
| 32 |
a list of people who now don't have those updates, or who have been |
| 33 |
downgraded to old, broken versions. In order to prevent someone from |
| 34 |
just brute-forcing it by having an rsync mirror several months out of |
| 35 |
date in its entirety (not just in one package), the manifests should |
| 36 |
have dates in them. |
| 37 |
|
| 38 |
In order to prevent evil people from just creating their own manifests, |
| 39 |
you sign them, of course. Aside from the annoyance of making gpg (or |
| 40 |
maybe virtual/pgp, or something) a base package, this is a good thing. |
| 41 |
The problem is, how many people have the key? I think there should be, |
| 42 |
say, a master key, held by, say, drobbins, and following the new |
| 43 |
management system, each project manager has their own key, and signs the |
| 44 |
keys of their subordinates. |
| 45 |
|
| 46 |
This makes the business of signing a particular manifest the |
| 47 |
responsibility of whoever is responsible for that package. It should |
| 48 |
also be possible to, within portage, restrict a key to only certain |
| 49 |
packages or categories. |
| 50 |
|
| 51 |
How it would work is, say I create my own package, app-toys/foobar |
| 52 |
(appologies if something like this already exists). I manage it and a |
| 53 |
few things it depends on, sys-libs/foo and sys-libs/bar. My direct |
| 54 |
supervisor (for simplicity's sake let's say it's drobbins) signs a list |
| 55 |
of packages and categories I'm allowed to edit, things like maybe a |
| 56 |
lang-baz category, for the special scripting language used by |
| 57 |
app-toys/foobar. |
| 58 |
|
| 59 |
This is all a bit much for me, so I create and sign my own list, |
| 60 |
delegating sys-libs/foo to my bro. He can update foo, but so far, only |
| 61 |
I can update foobar. If I delegate lang-baz/documentation to my mom, |
| 62 |
she can't change any of the actual software, and my bro (who sucks at |
| 63 |
writing) can't change any of the documentation. I can still micromanage |
| 64 |
them if I want, but I probably wouldn't. |
| 65 |
|
| 66 |
This cuts down the points of attack from anyone with an rsync mirror to |
| 67 |
a few rsa keys. Unless someone steals the Master Key from drobbins, |
| 68 |
it's always possible to do things like rotate everyone else's keys if |
| 69 |
they get stolen. The only other possibility is someone downloads a |
| 70 |
tainted iso with the wrong public key. True security freaks can handle |
| 71 |
this by ordering cds via mail, checking them against downloaded md5sums, |
| 72 |
and requesting fingerprints over mail. The rest of us can just update |
| 73 |
when it's ready -- this gives evil people only one shot at thwarting |
| 74 |
this scheme. |
| 75 |
|
| 76 |
Awaiting comments, |
| 77 |
SanityInAnarchy |
Archives