1 |
On Sun, 30 Oct 2016 15:41:55 -0700 |
2 |
Zac Medico <zmedico@g.o> wrote: |
3 |
|
4 |
> On 10/30/2016 03:32 PM, Michał Górny wrote: |
5 |
> > On Sun, 30 Oct 2016 14:58:59 -0700 |
6 |
> > Zac Medico <zmedico@g.o> wrote: |
7 |
> > |
8 |
> >> On 10/30/2016 01:44 PM, Michał Górny wrote: |
9 |
> >>> Hi, everyone. |
10 |
> >>> |
11 |
> >>> Just a quick note: I've prepared a simple tool [1] to verify clones of |
12 |
> >>> gentoo-mirror repositories. It's still early WiP but can be easily used |
13 |
> >>> to verify a clone: |
14 |
> >>> |
15 |
> >>> $ ./verify-repo gentoo |
16 |
> >>> [/var/db/repos/gentoo] |
17 |
> >>> Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a |
18 |
> >>> (you may need to import/trust developer keys) |
19 |
> >>> Note: unsigned changes in metadata and/or caches found (it's fine) |
20 |
> >> |
21 |
> >> I don't think it's acceptable to use an unsigned metadata/cache commit. |
22 |
> >> Can't we use an infrastructure key for this? |
23 |
> > |
24 |
> > How are you going to guarantee that a third-party didn't access |
25 |
> > the remote server and alter the filesystem just before the commit? Not |
26 |
> > to mention the pains of keeping the key secure. |
27 |
> > |
28 |
> > It's better not to sign that to provide false security. |
29 |
> |
30 |
> There's no absolute guarantee that the developer's key hasn't been |
31 |
> compromised either. So we've got varying degrees of trust. An automated |
32 |
> infrastructure signature may not have as much trust as a developer |
33 |
> signature, but it's still better than nothing, for the same reason that |
34 |
> publishing these key fingerprints via https is better than http: |
35 |
> |
36 |
> https://wiki.gentoo.org/wiki/Project:RelEng#Keys |
37 |
|
38 |
The HTTPS argument is fairly irrelevant. There is a reason why project |
39 |
publish tarball OpenPGP signatures, rather than relying on official |
40 |
HTTPS downloads. It's not only about mirrors and subsequent |
41 |
verification. |
42 |
|
43 |
The major difference between a developer key and an automated key is |
44 |
that the latter is far easier target. I think we can trust Gentoo |
45 |
developers to at least have their keys encrypted. I suppose most of |
46 |
them don't 'git log -p' the commits their sign but well, it's still |
47 |
harder to target a developer PC than a public server that most likely |
48 |
keeps its signature key unencrypted (or with cleartext password). |
49 |
|
50 |
That said, repo-mirror-ci is running as user processes on a donated |
51 |
space on a third-party server. We have no way of ensuring that it is |
52 |
secure. Even if it were on Gentoo Infra, things wouldn't be much |
53 |
better. |
54 |
|
55 |
Furthermore, one important point in OpenPGP-signed commits is that |
56 |
the top signature signs both the commit itself and its parent, |
57 |
implicitly confirming all past commits. So if I am supposed to sign |
58 |
the automated commit, I have to verify the signatures on the preceding |
59 |
commit first. And where are the working tools to do that? |
60 |
|
61 |
On the other hand, Gentoo developers already sign their commits without |
62 |
verifying if the commits preceding them are trusted. We only have some |
63 |
minor server-side verification from Infra, with future possibility of |
64 |
verifying signatures client-side. |
65 |
|
66 |
-- |
67 |
Best regards, |
68 |
Michał Górny |
69 |
<http://dev.gentoo.org/~mgorny/> |