1 |
Overall I very much like the concept, but I might propose a few tweaks |
2 |
(just quoting the stuff that might benefit from adjustment): |
3 |
|
4 |
On Mon, Jul 2, 2018 at 11:36 AM Jason A. Donenfeld <zx2c4@g.o> wrote: |
5 |
> |
6 |
> - Sign every file in the portage tree so that it has a corresponding |
7 |
> .asc. Repoman will need support for this. |
8 |
> - Ensure the naming scheme of portage files is sufficiently strict, so |
9 |
> that renaming or re-parenting signed files doesn't result in RCE. [*] |
10 |
> - Distribute said .asc files with rsync per usual. |
11 |
|
12 |
This has two issues: |
13 |
|
14 |
1. It requires changes to the repos/infra/etc to work, which means it |
15 |
is painful to just pilot/etc and grow organically. |
16 |
2. It is 99% redundant with the git signatures we already have. |
17 |
|
18 |
Why not build this off of git signatures? This could be done directly |
19 |
by syncing via git, or by having a tool that extracts the git |
20 |
signatures and stores the metadata in the repo (ideally done by infra |
21 |
before mirroring, but it could be done after the fact as well). Git |
22 |
is just content-hashed, so as long as the files aren't modified you |
23 |
should be able to verify the git content hash against a repo synced |
24 |
outside of git, assuming no modifications (obviously this means |
25 |
accounting for stuff like metadata that infra adds after the fact). |
26 |
You still need a solution for metadata in your original proposal |
27 |
anyway. |
28 |
|
29 |
The only downside I see to git signatures is how far back to go to |
30 |
check history. With the .asc solution you'd remove the signatures |
31 |
when you remove the files they pertain to. With git there is no |
32 |
trivial way to know when to stop going back with the signature |
33 |
verfiication since every signature applies to a mix of both current |
34 |
and subsequently-removed files, with the percentage of each slowly |
35 |
shifting as you go back further in time. That said if you just track |
36 |
the last known-good sync you could just check the subsequent |
37 |
signatures, which would be very efficient (probably more efficient |
38 |
than checking all of rsync unless you sync very infrequently). |
39 |
|
40 |
> - Never rsync into the /usr/portage directory, but rather into an |
41 |
> unused shadow directory, and only copy files from the shadow directory |
42 |
> into /usr/portage after verification succeeds. (The fact that those |
43 |
> files are visible to portage prior to verification and following a |
44 |
> failed verification is a shameful oversight of the current system.) |
45 |
|
46 |
I certainly agree that /usr/portage being usable if it fails |
47 |
verification is a major weakness right now. |
48 |
|
49 |
Other alternatives to your proposal include: |
50 |
|
51 |
1. Store state somewhere that portage checks. It is invalidated |
52 |
before starting a sync, and set back to "secure" after verification. |
53 |
2. Store a last-known-good hash if using git signature checking. |
54 |
Portage would check the current tree state against this in all |
55 |
operations. |
56 |
3. Have portage check signatures on all files it access at the time |
57 |
of access. This would make portage safe to use even in a compromised |
58 |
tree. |
59 |
|
60 |
Especially options 1/2 are going to be more efficient than copying |
61 |
files at the filesystem level from a scratch location. Also, all |
62 |
three options would be compatible with git syncing, while trying to |
63 |
copy a git repo after the sync would probably be messier (though still |
64 |
possible). |
65 |
|
66 |
But, I have no objection to your original proposal either - I'd prefer |
67 |
it to what we have today at least for rsync. |
68 |
|
69 |
In general I do advocate giving serious consideration to the benefits |
70 |
of syncing via git. If you sync frequently (which most Gentoo users |
71 |
probably do, and which we generally advocate), then it tends to be a |
72 |
lot more efficient than rsync. It naturally tracks changes over time |
73 |
as well, so it fits in very well with merging untrusted changes into a |
74 |
known-good tree, as only the changes need to be verified. |
75 |
|
76 |
The main downside to git signature checking is sha1. It baffles me |
77 |
that nobody has bothered to fix this, especially since I'd think it |
78 |
would be pretty simple to do. Just designate new tree/blob/parent |
79 |
record types that use the new hash - like tree256/blob256/parent256. |
80 |
Git would use the appropriate hash when following references, so you |
81 |
could have continuity in a repository with older sha1 commits and |
82 |
newer sha256 ones. Obviously the newer repos would be incompatible |
83 |
with older versions of git, but anything like this would be phased in, |
84 |
and updating git isn't particularly painful. Projects that care about |
85 |
the security could consider rebasing the entire thing, but that would |
86 |
of course discard history. Presumably you could even do a merge where |
87 |
one branch of the merge is the original untouched sha1 commits, and |
88 |
the other branch is the rebased sha-256 commits, and the merge ties |
89 |
them together into a forward-going sha256 history. |
90 |
|
91 |
-- |
92 |
Rich |