| 1 |
* Paul de Vrieze (pauldv@g.o) wrote: |
| 2 |
> Date: Wed, 24 Mar 2004 11:55:52 +0100 |
| 3 |
> From: Paul de Vrieze <pauldv@g.o> |
| 4 |
> To: gentoo-dev@l.g.o |
| 5 |
> User-Agent: KMail/1.6.1 |
| 6 |
> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63 |
| 7 |
> Subject: Re: [gentoo-dev] 2004.1 will not include a secure portage. |
| 8 |
> |
| 9 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 10 |
> Hash: SHA1 |
| 11 |
> |
| 12 |
> On Wednesday 24 March 2004 01:09, Chris Bainbridge wrote: |
| 13 |
> > I think the idea of a central key controlling everything is bad - this |
| 14 |
> > means one person is ultimately responsible for the portage tree, and |
| 15 |
> > compromising this will allow access to everything. It would be better |
| 16 |
> > if every gentoo developer had a gpg key. Each package in the portage |
| 17 |
> > tree would then have a .gpg file which lists signatures for the |
| 18 |
> > package digest which contains hashes of each ebuild, files/*, and |
| 19 |
> > downloaded distfiles, and a permissions section listing who has access |
| 20 |
> > to make modifications to this dir (such as writing new ebuilds). |
| 21 |
> > People who already have access to a package are then free to grant |
| 22 |
> > access to others merely by inserting their public key into this file. |
| 23 |
> > emerge sync would have to be modified so that it checks signatures |
| 24 |
> > before files are updated. |
| 25 |
> |
| 26 |
> We have a master key that does nothing but sign a more shortlived |
| 27 |
> "signing" key. This signing key which is also highly restricted is only |
| 28 |
> used to list which keys are acceptable to sign packages. Every dev will |
| 29 |
> still have his own key (and only access to this key). |
| 30 |
> |
| 31 |
> Changing emerge sync is not really an option. There are two problems with |
| 32 |
> your idea: |
| 33 |
> - - How do I know that the permissions file is actually valid as it is |
| 34 |
> self-signed. |
| 35 |
> - - It seriously expands the tree. |
| 36 |
> - - We currently don't want a package based security level. |
| 37 |
> |
| 38 |
> > Important packages may require multiple signatures before a file is |
| 39 |
> > installed - this is to eliminate the possibility that a compromise of |
| 40 |
> > a single gentoo developer will hand root access to every gentoo |
| 41 |
> > installed system. At the moment, every developer is a point of cvs |
| 42 |
> > write access from which an attacker could root many gentoo |
| 43 |
> > installations. |
| 44 |
> |
| 45 |
> A compromise of any ebuild is able to do that so package based security |
| 46 |
> will not solve much of this problem. |
| 47 |
|
| 48 |
um per package security with multiple sigs definatly prevents a single dev or dev key from compromising integrity. Asuming that ememger on sync or on build is forced to check for multiple sigs, and then yell/scream if somthing only has one or none etc. Of course that would have to be somthing settable in make.conf etc. This does not however solve the event of a malicious comspiracy. |
| 49 |
|
| 50 |
> |
| 51 |
> > The key downloads, checking, revocation etc. would be handled by the |
| 52 |
> > existing gpg keyserver infrastructure (eg. keyserver.net). There is no |
| 53 |
> > need for an all powerful gentoo key, or even distribution system. |
| 54 |
> > Simply have emerge call gpg to do everything. |
| 55 |
> |
| 56 |
> That's not really possible. For one signing a key in gpg means that you |
| 57 |
> verified that this person is who he says he is. The keychain does not |
| 58 |
> have such a meaning it means: the person belonging to this key is |
| 59 |
> allowed to approve packages in the tree. That does not guarantee that |
| 60 |
> the person is who he says he is, except that we are confident this |
| 61 |
> person is a gentoo developer (he has access to gentoo cvs etc). |
| 62 |
|
| 63 |
well part of gettin your dev key into the keyring in the firsplace would require that you go through some sort of verification. this is true weather or not your issuing certs or gpg keys, and the persons pasphrase is what is verify weather or not he/she is who they say they are, unless you propose sending biometric devices to every dev i don't see how you can do this with any more confidence any other way. Debian has a nice process for gpg key submittals: http://www.debian.org/devel/join/nm-step2 |
| 64 |
|
| 65 |
> |
| 66 |
> Also the gpg infrastructure does not provide any way to say who is |
| 67 |
> actually allowed to sign packages, it just enables to identify who |
| 68 |
> signed it, and it enables people to say I signed it as I can sign |
| 69 |
> something which can be decoded with the same public key. |
| 70 |
|
| 71 |
well you can have a list of valid sigs for a particular package. defining whose allowed to sign a that "package", but really your asking for some ACL's here related to users and whatnot. which should be enforced in your rcs not really by your signing system IMHO. |
| 72 |
|
| 73 |
> |
| 74 |
> > This only really requires changes to the emerge sync process and a |
| 75 |
> > developer script to check, sign, and post changes. Everything else can |
| 76 |
> > be handed off to gpg. It would also enable some more exciting |
| 77 |
> > distribution methods like RSS channels listing new signed files in |
| 78 |
> > portage along with a p2p backend to fetch them, automatic security |
| 79 |
> > updates, etc. |
| 80 |
> |
| 81 |
> p2p and rss are completely independent of the signing problem and signing |
| 82 |
> does not enable or disable the use of these systems. |
| 83 |
|
| 84 |
actually p2p distribution in combination with multiple sigs lend to each other quite well. Once a file or set of files is signed by 3 parties @ those sigs are part of your installed gentoo keyring (and verifiable outside that). you can have pretty high confidence that what your pulling from joe users box is prsitine (pristine being what the gentoo devs had released/signed etc). |
| 85 |
|
| 86 |
http://www.ugcs.caltech.edu/~wtanaka/java/Byzantine.html |
| 87 |
|
| 88 |
original paper: |
| 89 |
http://citeseer.ist.psu.edu/lamport82byzantine.html |
| 90 |
The Byzantine Generals Problem (1982) |
| 91 |
Leslie Lamport, Robert Shostak, Marshall Pease |
| 92 |
|
| 93 |
> |
| 94 |
> Paul |
| 95 |
> |
| 96 |
> - -- |
| 97 |
> Paul de Vrieze |
| 98 |
> Gentoo Developer |
| 99 |
> Mail: pauldv@g.o |
| 100 |
> Homepage: http://www.devrieze.net |
| 101 |
> -----BEGIN PGP SIGNATURE----- |
| 102 |
> Version: GnuPG v1.2.4 (GNU/Linux) |
| 103 |
> |
| 104 |
> iD8DBQFAYWk4bKx5DBjWFdsRAoReAJ9/zIwAekxYhcbBmi7y3Iasx3XfnQCgqLI9 |
| 105 |
> 5eYehXbC9nlrkzqefQJh+Bk= |
| 106 |
> =gH/a |
| 107 |
> -----END PGP SIGNATURE----- |
| 108 |
> |
| 109 |
> -- |
| 110 |
> gentoo-dev@g.o mailing list |
| 111 |
> |
| 112 |
> |
| 113 |
|
| 114 |
-- |
| 115 |
gentoo-dev@g.o mailing list |
Archives