| 1 |
On Sun, 30 Oct 2016 15:41:55 -0700 |
| 2 |
Zac Medico <zmedico@g.o> wrote: |
| 3 |
|
| 4 |
> On 10/30/2016 03:32 PM, Michał Górny wrote: |
| 5 |
> > On Sun, 30 Oct 2016 14:58:59 -0700 |
| 6 |
> > Zac Medico <zmedico@g.o> wrote: |
| 7 |
> > |
| 8 |
> >> On 10/30/2016 01:44 PM, Michał Górny wrote: |
| 9 |
> >>> Hi, everyone. |
| 10 |
> >>> |
| 11 |
> >>> Just a quick note: I've prepared a simple tool [1] to verify clones of |
| 12 |
> >>> gentoo-mirror repositories. It's still early WiP but can be easily used |
| 13 |
> >>> to verify a clone: |
| 14 |
> >>> |
| 15 |
> >>> $ ./verify-repo gentoo |
| 16 |
> >>> [/var/db/repos/gentoo] |
| 17 |
> >>> Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a |
| 18 |
> >>> (you may need to import/trust developer keys) |
| 19 |
> >>> Note: unsigned changes in metadata and/or caches found (it's fine) |
| 20 |
> >> |
| 21 |
> >> I don't think it's acceptable to use an unsigned metadata/cache commit. |
| 22 |
> >> Can't we use an infrastructure key for this? |
| 23 |
> > |
| 24 |
> > How are you going to guarantee that a third-party didn't access |
| 25 |
> > the remote server and alter the filesystem just before the commit? Not |
| 26 |
> > to mention the pains of keeping the key secure. |
| 27 |
> > |
| 28 |
> > It's better not to sign that to provide false security. |
| 29 |
> |
| 30 |
> There's no absolute guarantee that the developer's key hasn't been |
| 31 |
> compromised either. So we've got varying degrees of trust. An automated |
| 32 |
> infrastructure signature may not have as much trust as a developer |
| 33 |
> signature, but it's still better than nothing, for the same reason that |
| 34 |
> publishing these key fingerprints via https is better than http: |
| 35 |
> |
| 36 |
> https://wiki.gentoo.org/wiki/Project:RelEng#Keys |
| 37 |
|
| 38 |
The HTTPS argument is fairly irrelevant. There is a reason why project |
| 39 |
publish tarball OpenPGP signatures, rather than relying on official |
| 40 |
HTTPS downloads. It's not only about mirrors and subsequent |
| 41 |
verification. |
| 42 |
|
| 43 |
The major difference between a developer key and an automated key is |
| 44 |
that the latter is far easier target. I think we can trust Gentoo |
| 45 |
developers to at least have their keys encrypted. I suppose most of |
| 46 |
them don't 'git log -p' the commits their sign but well, it's still |
| 47 |
harder to target a developer PC than a public server that most likely |
| 48 |
keeps its signature key unencrypted (or with cleartext password). |
| 49 |
|
| 50 |
That said, repo-mirror-ci is running as user processes on a donated |
| 51 |
space on a third-party server. We have no way of ensuring that it is |
| 52 |
secure. Even if it were on Gentoo Infra, things wouldn't be much |
| 53 |
better. |
| 54 |
|
| 55 |
Furthermore, one important point in OpenPGP-signed commits is that |
| 56 |
the top signature signs both the commit itself and its parent, |
| 57 |
implicitly confirming all past commits. So if I am supposed to sign |
| 58 |
the automated commit, I have to verify the signatures on the preceding |
| 59 |
commit first. And where are the working tools to do that? |
| 60 |
|
| 61 |
On the other hand, Gentoo developers already sign their commits without |
| 62 |
verifying if the commits preceding them are trusted. We only have some |
| 63 |
minor server-side verification from Infra, with future possibility of |
| 64 |
verifying signatures client-side. |
| 65 |
|
| 66 |
-- |
| 67 |
Best regards, |
| 68 |
Michał Górny |
| 69 |
<http://dev.gentoo.org/~mgorny/> |
Archives