| 1 |
On Thu, 03 Apr 2008 14:29:10 +0200 |
| 2 |
Patrick Lauer <bugs@××××××××××××××××××××××.org> wrote: |
| 3 |
> > Nope. In fact, using such a system, there are ways of getting in |
| 4 |
> > code that doesn't get triggered until someone's key gets |
| 5 |
> > invalidated. |
| 6 |
> By this reasoning you shouldn't use passwords ... |
| 7 |
> |
| 8 |
> The idea is to limit the attack vectors and make simple attacks much |
| 9 |
> harder. A sophisticated "hacker" could just rent a busload of angry |
| 10 |
> serbians, kidnap 12 developers and force them to do some subtle |
| 11 |
> changes in many places. But is that likely to happen? |
| 12 |
|
| 13 |
No no. The point is, there's no effective technological way of |
| 14 |
preventing malicious developers from using the tree to screw over end |
| 15 |
users. Signing isn't designed to and can't prevent that class of |
| 16 |
attack (and nor can it protect against compromised end user systems). |
| 17 |
What it *can* do is reduce the amount of damage done by a compromised |
| 18 |
rsync server. |
| 19 |
|
| 20 |
> > And if you are worrying about malicious developers, you need to |
| 21 |
> > worry about malicious infra people too. An infra member throwing |
| 22 |
> > his toys out of the pram can do much more lasting damage than |
| 23 |
> > someone who can get some global scope nastiness into an ebuild for |
| 24 |
> > an hour or two... |
| 25 |
> |
| 26 |
> That has nothing to do with the discussion ... and I don't see how |
| 27 |
> infra could manipulate the signatures in a useful way apart from |
| 28 |
> adding keys or removing some from the official keyring ... |
| 29 |
> This they could do at the moment by manipulating the cvs to rsync |
| 30 |
> copy process, but I'm not aware of something like that happening. So |
| 31 |
> you might want to have a marginal trust in people and not accuse them |
| 32 |
> of things they might do in the future ... |
| 33 |
|
| 34 |
That's exactly the thing under discussion -- the design of the system |
| 35 |
necessitates trust in both the main repository and the end user system, |
| 36 |
and signing does absolutely nothing to help there. No-one is suggesting |
| 37 |
that anyone from infra is going to do anything to utterly screw over |
| 38 |
Gentoo for petty personal reasons. |
| 39 |
|
| 40 |
-- |
| 41 |
Ciaran McCreesh |
Archives