Gentoo Archives: gentoo-dev

From: David Masover <masover@×××××××.com>
To: gentoo-dev@g.o
Subject: [gentoo-dev] manifests & gpg
Date: Sun, 17 Aug 2003 16:41:39
Message-Id: 1061138498.12717.82.camel@morpheus.masover
1 I have no idea where to post this, so I'll start here. Tell me where
2 this belongs.
4 I see these "manifest" files showing up, which look like checksums for
5 the checksums, or checksums for the metadata, or something. I think the
6 idea is, they help with two goals:
8 1.) Make it faster to generate/manage the metadata.
9 2.) Make the system more secure.
11 If an rsync mirror were to be compromised, or someone just felt like
12 setting up an intentionally compromised one and somehow got it on the
13 list of "official" mirrors, with Portage as it was when I last checked,
14 all you'd have to do is add a new ebuild that was a "critical update" to
15 something like ssh. It's true that it runs as user "portage", but the
16 package eventually has to merge to the filesystem, making it all too
17 easy to install a rootkit on hundreds of systems without really trying.
19 There's also the fact that rsync itself isn't too secure, so I'm sure
20 there's the possibility of a man-in-the-middle attack.
22 It was mentioned on IRC that the manifests, which have checksums for all
23 the valid ebuilds and files, would be gpg-signed, and that the private
24 key would be held by project leaders, while the public key would be
25 installed once -- off the install cd.
27 That's the state if this issue last I checked. A few things that I have
28 no idea of right now are:
30 What about a manifest for all the manifests? It'd be easy enough for a
31 malicious rsync mirror to leave off critical security updates and build
32 a list of people who now don't have those updates, or who have been
33 downgraded to old, broken versions. In order to prevent someone from
34 just brute-forcing it by having an rsync mirror several months out of
35 date in its entirety (not just in one package), the manifests should
36 have dates in them.
38 In order to prevent evil people from just creating their own manifests,
39 you sign them, of course. Aside from the annoyance of making gpg (or
40 maybe virtual/pgp, or something) a base package, this is a good thing.
41 The problem is, how many people have the key? I think there should be,
42 say, a master key, held by, say, drobbins, and following the new
43 management system, each project manager has their own key, and signs the
44 keys of their subordinates.
46 This makes the business of signing a particular manifest the
47 responsibility of whoever is responsible for that package. It should
48 also be possible to, within portage, restrict a key to only certain
49 packages or categories.
51 How it would work is, say I create my own package, app-toys/foobar
52 (appologies if something like this already exists). I manage it and a
53 few things it depends on, sys-libs/foo and sys-libs/bar. My direct
54 supervisor (for simplicity's sake let's say it's drobbins) signs a list
55 of packages and categories I'm allowed to edit, things like maybe a
56 lang-baz category, for the special scripting language used by
57 app-toys/foobar.
59 This is all a bit much for me, so I create and sign my own list,
60 delegating sys-libs/foo to my bro. He can update foo, but so far, only
61 I can update foobar. If I delegate lang-baz/documentation to my mom,
62 she can't change any of the actual software, and my bro (who sucks at
63 writing) can't change any of the documentation. I can still micromanage
64 them if I want, but I probably wouldn't.
66 This cuts down the points of attack from anyone with an rsync mirror to
67 a few rsa keys. Unless someone steals the Master Key from drobbins,
68 it's always possible to do things like rotate everyone else's keys if
69 they get stolen. The only other possibility is someone downloads a
70 tainted iso with the wrong public key. True security freaks can handle
71 this by ordering cds via mail, checking them against downloaded md5sums,
72 and requesting fingerprints over mail. The rest of us can just update
73 when it's ready -- this gives evil people only one shot at thwarting
74 this scheme.
76 Awaiting comments,
77 SanityInAnarchy


File name MIME type
signature.asc application/pgp-signature