1 |
I have no idea where to post this, so I'll start here. Tell me where |
2 |
this belongs. |
3 |
|
4 |
I see these "manifest" files showing up, which look like checksums for |
5 |
the checksums, or checksums for the metadata, or something. I think the |
6 |
idea is, they help with two goals: |
7 |
|
8 |
1.) Make it faster to generate/manage the metadata. |
9 |
2.) Make the system more secure. |
10 |
|
11 |
If an rsync mirror were to be compromised, or someone just felt like |
12 |
setting up an intentionally compromised one and somehow got it on the |
13 |
list of "official" mirrors, with Portage as it was when I last checked, |
14 |
all you'd have to do is add a new ebuild that was a "critical update" to |
15 |
something like ssh. It's true that it runs as user "portage", but the |
16 |
package eventually has to merge to the filesystem, making it all too |
17 |
easy to install a rootkit on hundreds of systems without really trying. |
18 |
|
19 |
There's also the fact that rsync itself isn't too secure, so I'm sure |
20 |
there's the possibility of a man-in-the-middle attack. |
21 |
|
22 |
It was mentioned on IRC that the manifests, which have checksums for all |
23 |
the valid ebuilds and files, would be gpg-signed, and that the private |
24 |
key would be held by project leaders, while the public key would be |
25 |
installed once -- off the install cd. |
26 |
|
27 |
That's the state if this issue last I checked. A few things that I have |
28 |
no idea of right now are: |
29 |
|
30 |
What about a manifest for all the manifests? It'd be easy enough for a |
31 |
malicious rsync mirror to leave off critical security updates and build |
32 |
a list of people who now don't have those updates, or who have been |
33 |
downgraded to old, broken versions. In order to prevent someone from |
34 |
just brute-forcing it by having an rsync mirror several months out of |
35 |
date in its entirety (not just in one package), the manifests should |
36 |
have dates in them. |
37 |
|
38 |
In order to prevent evil people from just creating their own manifests, |
39 |
you sign them, of course. Aside from the annoyance of making gpg (or |
40 |
maybe virtual/pgp, or something) a base package, this is a good thing. |
41 |
The problem is, how many people have the key? I think there should be, |
42 |
say, a master key, held by, say, drobbins, and following the new |
43 |
management system, each project manager has their own key, and signs the |
44 |
keys of their subordinates. |
45 |
|
46 |
This makes the business of signing a particular manifest the |
47 |
responsibility of whoever is responsible for that package. It should |
48 |
also be possible to, within portage, restrict a key to only certain |
49 |
packages or categories. |
50 |
|
51 |
How it would work is, say I create my own package, app-toys/foobar |
52 |
(appologies if something like this already exists). I manage it and a |
53 |
few things it depends on, sys-libs/foo and sys-libs/bar. My direct |
54 |
supervisor (for simplicity's sake let's say it's drobbins) signs a list |
55 |
of packages and categories I'm allowed to edit, things like maybe a |
56 |
lang-baz category, for the special scripting language used by |
57 |
app-toys/foobar. |
58 |
|
59 |
This is all a bit much for me, so I create and sign my own list, |
60 |
delegating sys-libs/foo to my bro. He can update foo, but so far, only |
61 |
I can update foobar. If I delegate lang-baz/documentation to my mom, |
62 |
she can't change any of the actual software, and my bro (who sucks at |
63 |
writing) can't change any of the documentation. I can still micromanage |
64 |
them if I want, but I probably wouldn't. |
65 |
|
66 |
This cuts down the points of attack from anyone with an rsync mirror to |
67 |
a few rsa keys. Unless someone steals the Master Key from drobbins, |
68 |
it's always possible to do things like rotate everyone else's keys if |
69 |
they get stolen. The only other possibility is someone downloads a |
70 |
tainted iso with the wrong public key. True security freaks can handle |
71 |
this by ordering cds via mail, checking them against downloaded md5sums, |
72 |
and requesting fingerprints over mail. The rest of us can just update |
73 |
when it's ready -- this gives evil people only one shot at thwarting |
74 |
this scheme. |
75 |
|
76 |
Awaiting comments, |
77 |
SanityInAnarchy |