| 1 |
Ciaran McCreesh wrote: |
| 2 |
> On Thu, 03 Apr 2008 13:17:51 +0100 |
| 3 |
> Mike Auty <ikelos@g.o> wrote: |
| 4 |
> |
| 5 |
>> Ciaran McCreesh wrote: |
| 6 |
>> | Signing offers no protection against a malicious developer. |
| 7 |
>> |
| 8 |
>> I had envisaged a system whereby when the tree was synced, as was some |
| 9 |
>> kind of master signed list of all acceptable dev-keys. Every package |
| 10 |
>> would also be signed, and would only be installed when signed. As |
| 11 |
>> soon as a dev becomes a liability their key is removed from the |
| 12 |
>> list/revoked. ~ On next sync any packages or package upgrades signed |
| 13 |
>> after the time of revocation would not be installed. There would be |
| 14 |
>> a window of vulnerability, but no bigger than with revoking a dev's |
| 15 |
>> access to the tree. Do you think this would offer suitable |
| 16 |
>> protection for users from a malicious dev or not? |
| 17 |
>> |
| 18 |
> |
| 19 |
> Nope. In fact, using such a system, there are ways of getting in code |
| 20 |
> that doesn't get triggered until someone's key gets invalidated. |
| 21 |
> |
| 22 |
By this reasoning you shouldn't use passwords ... |
| 23 |
|
| 24 |
The idea is to limit the attack vectors and make simple attacks much |
| 25 |
harder. A sophisticated "hacker" could just rent a busload of angry |
| 26 |
serbians, kidnap 12 developers and force them to do some subtle changes |
| 27 |
in many places. But is that likely to happen? |
| 28 |
> And if you are worrying about malicious developers, you need to worry |
| 29 |
> about malicious infra people too. An infra member throwing his toys out |
| 30 |
> of the pram can do much more lasting damage than someone who can get |
| 31 |
> some global scope nastiness into an ebuild for an hour or two... |
| 32 |
> |
| 33 |
That has nothing to do with the discussion ... and I don't see how infra |
| 34 |
could manipulate the signatures in a useful way apart from adding keys |
| 35 |
or removing some from the official keyring ... |
| 36 |
This they could do at the moment by manipulating the cvs to rsync copy |
| 37 |
process, but I'm not aware of something like that happening. So you |
| 38 |
might want to have a marginal trust in people and not accuse them of |
| 39 |
things they might do in the future ... |
| 40 |
|
| 41 |
|
| 42 |
-- |
| 43 |
gentoo-dev@l.g.o mailing list |
Archives