| 1 |
Overall I very much like the concept, but I might propose a few tweaks |
| 2 |
(just quoting the stuff that might benefit from adjustment): |
| 3 |
|
| 4 |
On Mon, Jul 2, 2018 at 11:36 AM Jason A. Donenfeld <zx2c4@g.o> wrote: |
| 5 |
> |
| 6 |
> - Sign every file in the portage tree so that it has a corresponding |
| 7 |
> .asc. Repoman will need support for this. |
| 8 |
> - Ensure the naming scheme of portage files is sufficiently strict, so |
| 9 |
> that renaming or re-parenting signed files doesn't result in RCE. [*] |
| 10 |
> - Distribute said .asc files with rsync per usual. |
| 11 |
|
| 12 |
This has two issues: |
| 13 |
|
| 14 |
1. It requires changes to the repos/infra/etc to work, which means it |
| 15 |
is painful to just pilot/etc and grow organically. |
| 16 |
2. It is 99% redundant with the git signatures we already have. |
| 17 |
|
| 18 |
Why not build this off of git signatures? This could be done directly |
| 19 |
by syncing via git, or by having a tool that extracts the git |
| 20 |
signatures and stores the metadata in the repo (ideally done by infra |
| 21 |
before mirroring, but it could be done after the fact as well). Git |
| 22 |
is just content-hashed, so as long as the files aren't modified you |
| 23 |
should be able to verify the git content hash against a repo synced |
| 24 |
outside of git, assuming no modifications (obviously this means |
| 25 |
accounting for stuff like metadata that infra adds after the fact). |
| 26 |
You still need a solution for metadata in your original proposal |
| 27 |
anyway. |
| 28 |
|
| 29 |
The only downside I see to git signatures is how far back to go to |
| 30 |
check history. With the .asc solution you'd remove the signatures |
| 31 |
when you remove the files they pertain to. With git there is no |
| 32 |
trivial way to know when to stop going back with the signature |
| 33 |
verfiication since every signature applies to a mix of both current |
| 34 |
and subsequently-removed files, with the percentage of each slowly |
| 35 |
shifting as you go back further in time. That said if you just track |
| 36 |
the last known-good sync you could just check the subsequent |
| 37 |
signatures, which would be very efficient (probably more efficient |
| 38 |
than checking all of rsync unless you sync very infrequently). |
| 39 |
|
| 40 |
> - Never rsync into the /usr/portage directory, but rather into an |
| 41 |
> unused shadow directory, and only copy files from the shadow directory |
| 42 |
> into /usr/portage after verification succeeds. (The fact that those |
| 43 |
> files are visible to portage prior to verification and following a |
| 44 |
> failed verification is a shameful oversight of the current system.) |
| 45 |
|
| 46 |
I certainly agree that /usr/portage being usable if it fails |
| 47 |
verification is a major weakness right now. |
| 48 |
|
| 49 |
Other alternatives to your proposal include: |
| 50 |
|
| 51 |
1. Store state somewhere that portage checks. It is invalidated |
| 52 |
before starting a sync, and set back to "secure" after verification. |
| 53 |
2. Store a last-known-good hash if using git signature checking. |
| 54 |
Portage would check the current tree state against this in all |
| 55 |
operations. |
| 56 |
3. Have portage check signatures on all files it access at the time |
| 57 |
of access. This would make portage safe to use even in a compromised |
| 58 |
tree. |
| 59 |
|
| 60 |
Especially options 1/2 are going to be more efficient than copying |
| 61 |
files at the filesystem level from a scratch location. Also, all |
| 62 |
three options would be compatible with git syncing, while trying to |
| 63 |
copy a git repo after the sync would probably be messier (though still |
| 64 |
possible). |
| 65 |
|
| 66 |
But, I have no objection to your original proposal either - I'd prefer |
| 67 |
it to what we have today at least for rsync. |
| 68 |
|
| 69 |
In general I do advocate giving serious consideration to the benefits |
| 70 |
of syncing via git. If you sync frequently (which most Gentoo users |
| 71 |
probably do, and which we generally advocate), then it tends to be a |
| 72 |
lot more efficient than rsync. It naturally tracks changes over time |
| 73 |
as well, so it fits in very well with merging untrusted changes into a |
| 74 |
known-good tree, as only the changes need to be verified. |
| 75 |
|
| 76 |
The main downside to git signature checking is sha1. It baffles me |
| 77 |
that nobody has bothered to fix this, especially since I'd think it |
| 78 |
would be pretty simple to do. Just designate new tree/blob/parent |
| 79 |
record types that use the new hash - like tree256/blob256/parent256. |
| 80 |
Git would use the appropriate hash when following references, so you |
| 81 |
could have continuity in a repository with older sha1 commits and |
| 82 |
newer sha256 ones. Obviously the newer repos would be incompatible |
| 83 |
with older versions of git, but anything like this would be phased in, |
| 84 |
and updating git isn't particularly painful. Projects that care about |
| 85 |
the security could consider rebasing the entire thing, but that would |
| 86 |
of course discard history. Presumably you could even do a merge where |
| 87 |
one branch of the merge is the original untouched sha1 commits, and |
| 88 |
the other branch is the rebased sha-256 commits, and the merge ties |
| 89 |
them together into a forward-going sha256 history. |
| 90 |
|
| 91 |
-- |
| 92 |
Rich |
Archives