On Thu, 03 Apr 2008 14:29:10 +0200
Patrick Lauer <bugs@××××××××××××××××××××××.org> wrote:
> > Nope. In fact, using such a system, there are ways of getting in
> > code that doesn't get triggered until someone's key gets
> > invalidated.
> By this reasoning you shouldn't use passwords ...
>
> The idea is to limit the attack vectors and make simple attacks much
> harder. A sophisticated "hacker" could just rent a busload of angry
> Serbians, kidnap 12 developers and force them to do some subtle
> changes in many places. But is that likely to happen?

No no. The point is, there's no effective technological way of
preventing malicious developers from using the tree to screw over end
users. Signing isn't designed to and can't prevent that class of
attack (and nor can it protect against compromised end user systems).
What it *can* do is reduce the amount of damage done by a compromised
rsync server.

> > And if you are worrying about malicious developers, you need to
> > worry about malicious infra people too. An infra member throwing
> > his toys out of the pram can do much more lasting damage than
> > someone who can get some global scope nastiness into an ebuild for
> > an hour or two...
>
> That has nothing to do with the discussion ... and I don't see how
> infra could manipulate the signatures in a useful way apart from
> adding keys or removing some from the official keyring ...
> This they could do at the moment by manipulating the cvs to rsync
> copy process, but I'm not aware of something like that happening. So
> you might want to have a marginal trust in people and not accuse them
> of things they might do in the future ...

That's exactly the thing under discussion -- the design of the system
necessitates trust in both the main repository and the end user system,
and signing does absolutely nothing to help there. No-one is suggesting
that anyone from infra is going to do anything to utterly screw over
Gentoo for petty personal reasons.

-- 
Ciaran McCreesh