Ciaran McCreesh wrote:
> On Thu, 03 Apr 2008 13:17:51 +0100
> Mike Auty <ikelos@g.o> wrote:
>
>> Ciaran McCreesh wrote:
>> | Signing offers no protection against a malicious developer.
>>
>> I had envisaged a system whereby when the tree was synced, as was some
>> kind of master signed list of all acceptable dev-keys. Every package
>> would also be signed, and would only be installed when signed. As
>> soon as a dev becomes a liability their key is removed from the
>> list/revoked. On next sync any packages or package upgrades signed
>> after the time of revocation would not be installed. There would be
>> a window of vulnerability, but no bigger than with revoking a dev's
>> access to the tree. Do you think this would offer suitable
>> protection for users from a malicious dev or not?
>>
>
> Nope. In fact, using such a system, there are ways of getting in code
> that doesn't get triggered until someone's key gets invalidated.
>
By this reasoning you shouldn't use passwords ...

The idea is to limit the attack vectors and make simple attacks much
harder. A sophisticated "hacker" could just rent a busload of angry
Serbians, kidnap 12 developers and force them to do some subtle changes
in many places. But is that likely to happen?

> And if you are worrying about malicious developers, you need to worry
> about malicious infra people too. An infra member throwing his toys out
> of the pram can do much more lasting damage than someone who can get
> some global scope nastiness into an ebuild for an hour or two...
>
That has nothing to do with the discussion ... and I don't see how infra
could manipulate the signatures in a useful way apart from adding keys
or removing some from the official keyring ...
This they could do at the moment by manipulating the cvs to rsync copy
process, but I'm not aware of something like that happening. So you
might want to have a marginal trust in people and not accuse them of
things they might do in the future ...


--
gentoo-dev@l.g.o mailing list
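The scheme Mike Auty sketches above (a signed master list of acceptable dev keys shipped with each sync, every package signed, and any package signed after a key's revocation time refused) written out as an added Python example. This is not code from the thread or from Gentoo: HMAC-SHA256 stands in for the OpenPGP signatures the thread has in mind (an assumption, so the "keys" here are shared secrets rather than public keys), and the key material, package names and timestamps are constructed sample data. The scenario() walk-through also shows the window of vulnerability the thread mentions: a package signed before the revocation time, or checked against a key list from before the next sync, still installs.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample keys. HMAC-SHA256 stands in for OpenPGP, so the key list
# carries shared secrets; with OpenPGP it would carry the developers' public keys.
INFRA_KEY = b"infra-signing-key-SAMPLE"
DEV_KEYS = {"alice": b"alice-key-SAMPLE", "bob": b"bob-key-SAMPLE"}


def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


@dataclass(frozen=True)
class KeyList:
    """Master list of acceptable dev keys, signed by infra and shipped with each sync.
    entries: dev -> {"key": hex key material, "revoked_at": Unix time or None}"""
    entries: dict
    sig: str

    def payload(self) -> bytes:
        return json.dumps(self.entries, sort_keys=True).encode()


def publish_keylist(revocations: dict) -> KeyList:
    """revocations: dev -> revocation time; a dev absent from it is still trusted."""
    entries = {dev: {"key": key.hex(), "revoked_at": revocations.get(dev)}
               for dev, key in DEV_KEYS.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return KeyList(entries, sign(INFRA_KEY, body))


@dataclass(frozen=True)
class SignedPackage:
    name: str
    content: bytes
    dev: str
    signed_at: int
    sig: str

    def payload(self) -> bytes:
        # Signer identity and signing time sit inside the signed data, so a
        # package cannot be re-attributed or back-dated after the fact.
        return json.dumps({"name": self.name,
                           "sha256": hashlib.sha256(self.content).hexdigest(),
                           "dev": self.dev, "signed_at": self.signed_at},
                          sort_keys=True).encode()


def sign_package(dev: str, name: str, content: bytes, signed_at: int) -> SignedPackage:
    unsigned = SignedPackage(name, content, dev, signed_at, "")
    return SignedPackage(name, content, dev, signed_at,
                         sign(DEV_KEYS[dev], unsigned.payload()))


def may_install(pkg: SignedPackage, keylist: KeyList) -> tuple[bool, str]:
    """The install-time check: key list signed by infra, signer on the list,
    package not signed at or after that key's revocation, signature verifies."""
    if not verify(INFRA_KEY, keylist.payload(), keylist.sig):
        return False, "key list signature invalid"
    entry = keylist.entries.get(pkg.dev)
    if entry is None:
        return False, f"{pkg.dev} is not an acceptable dev key"
    revoked_at = entry["revoked_at"]
    if revoked_at is not None and pkg.signed_at >= revoked_at:
        return False, f"signed after {pkg.dev}'s key was revoked"
    if not verify(bytes.fromhex(entry["key"]), pkg.payload(), pkg.sig):
        return False, "package signature invalid"
    return True, "ok"


def scenario() -> dict:
    """Walk through one sync: bob's key is revoked at t=1000 (constructed timeline)."""
    before = publish_keylist({})            # key list from the previous sync
    after = publish_keylist({"bob": 1000})  # key list after bob's revocation
    good_bob = sign_package("bob", "app-misc/foo-1", b"ebuild contents", signed_at=900)
    late_bob = sign_package("bob", "app-misc/foo-2", b"ebuild contents", signed_at=1100)
    alice = sign_package("alice", "app-misc/bar-1", b"other contents", signed_at=1100)
    # Tampered copy: alice's signature attached to different content.
    tampered = SignedPackage(alice.name, b"modified contents", alice.dev,
                             alice.signed_at, alice.sig)
    # Key list edited without infra's key: an extra entry, the old signature kept.
    forged_entries = dict(after.entries)
    forged_entries["mallory"] = {"key": b"mallory-key-SAMPLE".hex(), "revoked_at": None}
    forged = KeyList(forged_entries, after.sig)
    return {
        "bob_before_revocation": may_install(good_bob, after)[0],  # the window the thread describes
        "bob_after_revocation": may_install(late_bob, after)[0],
        "bob_on_stale_keylist": may_install(late_bob, before)[0],  # until the next sync
        "alice": may_install(alice, after)[0],
        "tampered": may_install(tampered, after)[0],
        "forged_keylist": may_install(alice, forged)[0],
    }
```

Two design points matter for the policy to mean anything: the signing time and signer are part of the signed payload (otherwise a package could be re-dated to before the revocation), and the key list is itself signed by infra, which is exactly why the reply above notes that the only useful manipulation left to infra is adding or removing keys from that list.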