1 |
On Mon, Jul 2, 2018 at 7:57 PM Rich Freeman <rich0@g.o> wrote: |
2 |
> This only helps you if a dev you don't trust is compromised. If a dev |
3 |
> you trust is compromised, they can modify anything in the tree and |
4 |
> you're hosed. |
5 |
|
6 |
Yes indeed. This is more or less what we're aiming for. Putting the |
7 |
trust in developers. The goal is for infra not to be the weak link in |
8 |
this, as it currently is. |
9 |
|
10 |
> Sure, I'd prefer to not extract git signatures and just distribute via |
11 |
> git purely without any rsync. |
12 |
|
13 |
Yea, I personally don't really care much for rsync either. I've just |
14 |
kind of been assuming this is a requirement of any gentoo solution. |
15 |
But maybe this whole thing should take another dimension, and we |
16 |
should instead talk about sunsetting rsync, and moving to a model of: |
17 |
1) git fetch, 2) git verify, 3) git checkout? There still might be |
18 |
problems with "untrusting" devs, as I wrote above, but perhaps there's |
19 |
room to grow within the git framework, by manually filtering commits |
20 |
during checkout, or even by imposing ebuild directory signature-based |
21 |
ACLs that I think you were hinting at before. So, sure, if you want to |
22 |
call for an abolition of rsync, maybe I'd follow you in that direction |
23 |
instead of the one here I'm proposing. |
24 |
|
25 |
|
26 |
> |
27 |
> Sure, but since any developer can change any file, that is basically |
28 |
> the same thing. If somebody steals a single dev's key they can just |
29 |
> rootkit any file of their choosing, sign that one change, and it will |
30 |
> slip through any of these methods. The only protection against that |
31 |
> is tracking who is allowed to touch what files, and then you're still |
32 |
> hosed if a dev for a widely-used file gets their key stolen. |
33 |
|
34 |
As stated above, yes, this is the intended model. And I think it's |
35 |
considerably better than the current state of affairs. The threats get |
36 |
even less scary as we convince Nitrokey or Yubikey to send all gentoo |
37 |
developers free devices, and then mandate keys remain on those devices |
38 |
and never get copied, etc etc. |