| 1 |
On Mon, Jul 2, 2018 at 7:57 PM Rich Freeman <rich0@g.o> wrote: |
| 2 |
> This only helps you if a dev you don't trust is compromised. If a dev |
| 3 |
> you trust is compromised, they can modify anything in the tree and |
| 4 |
> you're hosed. |
| 5 |
|
| 6 |
Yes indeed. This is more or less what we're aiming for. Putting the |
| 7 |
trust in developers. The goal is for infra not to be the weak link in |
| 8 |
this, as it currently is. |
| 9 |
|
| 10 |
> Sure, I'd prefer to not extract git signatures and just distribute via |
| 11 |
> git purely without any rsync. |
| 12 |
|
| 13 |
Yea, I personally don't really care much for rsync either. I've just |
| 14 |
kind of been assuming this is a requirement of any gentoo solution. |
| 15 |
But maybe this whole thing should take another dimension, and we |
| 16 |
should instead talk about sunsetting rsync, and moving to a model of: |
| 17 |
1) git fetch, 2) git verify, 3) git checkout? There still might be |
| 18 |
problems with "untrusting" devs, as I wrote above, but perhaps there's |
| 19 |
room to grow within the git framework, by manually filtering commits |
| 20 |
during checkout, or even by imposing ebuild directory signature-based |
| 21 |
ACLs that I think you were hinting at before. So, sure, if you want to |
| 22 |
call for an abolition of rsync, maybe I'd follow you in that direction |
| 23 |
instead of the one here I'm proposing. |
| 24 |
|
| 25 |
|
| 26 |
> |
| 27 |
> Sure, but since any developer can change any file, that is basically |
| 28 |
> the same thing. If somebody steals a single dev's key they can just |
| 29 |
> rootkit any file of their choosing, sign that one change, and it will |
| 30 |
> slip through any of these methods. The only protection against that |
| 31 |
> is tracking who is allowed to touch what files, and then you're still |
| 32 |
> hosed if a dev for a widely-used file gets their key stolen. |
| 33 |
|
| 34 |
As stated above, yes, this is the intended model. And I think it's |
| 35 |
considerably better than the current state of affairs. The threats get |
| 36 |
even less scary as we convince Nitrokey or Yubikey to send all gentoo |
| 37 |
developers free devices, and then mandate keys remain on those devices |
| 38 |
and never get copied, etc etc. |
Archives