| 1 |
On Sun, May 1, 2011 at 7:31 PM, Brian Harring <ferringb@×××××.com> wrote: |
| 2 |
> Get at that key, and you've got the tree, versus the current form, |
| 3 |
> crack all signing keys and you've got the tree. |
| 4 |
|
| 5 |
Well, more like get any one of the keys and you get the tree, since |
| 6 |
portage only validates that a trusted key signed a package, and not |
| 7 |
that the key belonged to the package maintainer. |
| 8 |
|
| 9 |
In any case, the whole way that manifest signing works does not really |
| 10 |
preserve a signature from end-to-end. If I sign three files and |
| 11 |
somebody else signs two files, they end up overwriting my signature. |
| 12 |
|
| 13 |
So, if a mirror checks all the sigs, makes a change, and re-signs with |
| 14 |
its own key that isn't much less secure than what we have now. I |
| 15 |
wouldn't actually distribute the work all the way to the mirrors |
| 16 |
though - I'd have a central server generate the changelogs, sign them, |
| 17 |
and then propagate that to the mirror network. You just need to |
| 18 |
protect that one server really well then. |
| 19 |
|
| 20 |
If you really want to have dev->user trust with no broken links then |
| 21 |
the signatures would need to be associated with each file - not just |
| 22 |
the whole manifest. Plus, the local portage would need to check the |
| 23 |
metadata cache for consistency. |
| 24 |
|
| 25 |
In any case, I see manifest signing as a relatively minor issue here. |
| 26 |
It seems like the more fundamental debate is how much metadata we |
| 27 |
really should be distributing all the way to end-user systems, vs |
| 28 |
keeping it in a repository like a cvs log. Sure, offline access is |
| 29 |
useful, but the question is whether it is useful enough. |
| 30 |
|
| 31 |
My personal feeling is that we should keep the changelogs as-is, and |
| 32 |
include removals, until we're on git. Then we should re-evaluate. |
| 33 |
|
| 34 |
Rich |
Archives