| 1 |
I think the idea of a central key controlling everything is bad - this means |
| 2 |
one person is ultimately responsible for the portage tree, and compromising |
| 3 |
this will allow access to everything. It would be better if every gentoo |
| 4 |
developer had a gpg key. Each package in the portage tree would then have |
| 5 |
a .gpg file which lists signatures for the package digest which contains |
| 6 |
hashes of each ebuild, files/*, and downloaded distfiles, and a permissions |
| 7 |
section listing who has access to make modifications to this dir (such as |
| 8 |
writing new ebuilds). People who already have access to a package are then |
| 9 |
free to grant access to others merely by inserting their public key into this |
| 10 |
file. emerge sync would have to be modified so that it checks signatures |
| 11 |
before files are updated. |
| 12 |
|
| 13 |
Important packages may require multiple signatures before a file is installed |
| 14 |
- this is to eliminate the possibility that a compromise of a single gentoo |
| 15 |
developer will hand root access to every gentoo installed system. At the |
| 16 |
moment, every developer is a point of cvs write access from which an attacker |
| 17 |
could root many gentoo installations. |
| 18 |
|
| 19 |
The key downloads, checking, revocation etc. would be handled by the existing |
| 20 |
gpg keyserver infrastructure (eg. keyserver.net). There is no need for an all |
| 21 |
powerful gentoo key, or even distribution system. Simply have emerge call gpg |
| 22 |
to do everything. |
| 23 |
|
| 24 |
This only really requires changes to the emerge sync process and a developer |
| 25 |
script to check, sign, and post changes. Everything else can be handed off to |
| 26 |
gpg. It would also enable some more exciting distribution methods like RSS |
| 27 |
channels listing new signed files in portage along with a p2p backend to |
| 28 |
fetch them, automatic security updates, etc. |
| 29 |
|
| 30 |
On Tuesday 23 March 2004 13:12, Paul de Vrieze wrote: |
| 31 |
|
| 32 |
> Ok, the biggest problem is an idea for how the actual checking should |
| 33 |
> function. (Signing is straightforward). |
| 34 |
> |
| 35 |
> I'll take a first shot at describing a key chain idea. Please shoot at it |
| 36 |
> and try to find the holes. But remember it needs to stay workable. First |
| 37 |
> the premises: |
| 38 |
|
| 39 |
-- |
| 40 |
gentoo-dev@g.o mailing list |
Archives