I think the idea of a central key controlling everything is bad - this means
one person is ultimately responsible for the portage tree, and compromising
this will allow access to everything. It would be better if every gentoo
developer had a gpg key. Each package in the portage tree would then have
a .gpg file which lists signatures for the package digest which contains
hashes of each ebuild, files/*, and downloaded distfiles, and a permissions
section listing who has access to make modifications to this dir (such as
writing new ebuilds). People who already have access to a package are then
free to grant access to others merely by inserting their public key into this
file. emerge sync would have to be modified so that it checks signatures
before files are updated.

Important packages may require multiple signatures before a file is installed
- this is to eliminate the possibility that a compromise of a single gentoo
developer will hand root access to every gentoo installed system. At the
moment, every developer is a point of cvs write access from which an attacker
could root many gentoo installations.

The key downloads, checking, revocation etc. would be handled by the existing
gpg keyserver infrastructure (e.g. keyserver.net). There is no need for an all
powerful gentoo key, or even distribution system. Simply have emerge call gpg
to do everything.

This only really requires changes to the emerge sync process and a developer
script to check, sign, and post changes. Everything else can be handed off to
gpg. It would also enable some more exciting distribution methods like RSS
channels listing new signed files in portage along with a p2p backend to
fetch them, automatic security updates, etc.

On Tuesday 23 March 2004 13:12, Paul de Vrieze wrote:

> Ok, the biggest problem is an idea for how the actual checking should
> function. (Signing is straightforward). 
>
> I'll take a first shot at describing a key chain idea. Please shoot at it
> and try to find the holes. But remember it needs to stay workable. First
> the premises:

-- 
gentoo-dev@g.o mailing list
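The sync-time check the post proposes, as an added example that is not part of the original message or of portage: a per-package digest over the ebuilds and files/*, a permissions list of authorized keys, and a required-signature count. The developer ids, their secrets and the HMAC-SHA256 stand-in for gpg signatures are constructed assumptions so the policy logic runs offline; in the proposal emerge would call gpg for the verify step.

```python
import hashlib
import hmac
import os
import tempfile
# Constructed stand-in for gpg: invented developer ids map to secrets and "sign"
# with HMAC-SHA256 so the policy logic runs offline. These are not real signatures.
DEV_SECRETS = {"alice": b"k-alice", "bob": b"k-bob", "mallory": b"k-mallory"}

def toy_sign(key_id, data):
    return hmac.new(DEV_SECRETS[key_id], data, "sha256").hexdigest()
def toy_verify(key_id, data, sig):
    return hmac.compare_digest(toy_sign(key_id, data), sig)

def package_digest(pkg_dir):
    """Digest text over every ebuild and files/* entry (distfiles would be listed too)."""
    lines = []
    for root, _, names in os.walk(pkg_dir):
        for name in names:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                h = hashlib.sha256(fh.read()).hexdigest()
            lines.append(f"{os.path.relpath(path, pkg_dir)} SHA256 {h}")
    return "\n".join(sorted(lines))  # sorted so walk order cannot change it

def accept_package(pkg_dir, perms, signatures, verify=toy_verify):
    """Sync-time check: only keys in perms['authorized'] count, and at least
    perms['required'] of them must verify against the files actually present."""
    digest = package_digest(pkg_dir).encode()
    good = {k for k, s in signatures.items()
            if k in perms["authorized"] and verify(k, digest, s)}
    return len(good) >= perms["required"]

def run_scenarios():
    """Constructed package dir; returns {case: accepted} for the policy cases."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "files"))
        for rel, body in (("foo-1.0.ebuild", b"DESCRIPTION=foo\n"),
                          ("files/foo.patch", b"--- a\n+++ b\n")):
            with open(os.path.join(d, rel), "wb") as fh:
                fh.write(body)
        perms = {"authorized": {"alice", "bob"}, "required": 2}
        sig = {who: toy_sign(who, package_digest(d).encode()) for who in DEV_SECRETS}
        results = {"one_of_two": accept_package(d, perms, {"alice": sig["alice"]}),
                   "two_of_two": accept_package(d, perms, {"alice": sig["alice"], "bob": sig["bob"]}),
                   "unlisted": accept_package(d, perms, {"alice": sig["alice"], "mallory": sig["mallory"]})}
        with open(os.path.join(d, "foo-1.0.ebuild"), "ab") as fh:
            fh.write(b"src_install() { :; }\n")  # tampered after signing
        results["tampered"] = accept_package(d, perms, {"alice": sig["alice"], "bob": sig["bob"]})
    return results
```

The four cases show why the post wants a threshold: one authorized signer alone, an unlisted signer, and any post-signing edit to an ebuild are all rejected, and only the required number of listed keys signing the current digest is accepted.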