| 1 |
On 2020-10-10 22:36, Michał Górny wrote: |
| 2 |
> On Sat, 2020-10-10 at 22:10 +0200, Thomas Deutschmann wrote: |
| 3 |
>> Another example for something that was not thought to the end and |
| 4 |
>> which was rushed and pushed to our users. |
| 5 |
> |
| 6 |
> You start this mail with an insult to me. Why do you keep doing |
| 7 |
> this? Do you feel that there is some special need for you to try to |
| 8 |
> diminish me in order to reach your goal? |
| 9 |
|
| 10 |
You seem to be obsessed with the idea that I am your perfect enemy... I |
| 11 |
cannot help you with that. |
| 12 |
|
| 13 |
|
| 14 |
>> The whole idea started with assumption that not every developer |
| 15 |
>> will verify the distfile (an assumption I share). But why should we |
| 16 |
>> trust these developers that they will keep an eye on upstream’s |
| 17 |
>> used certificate instead? That does not make any sense for me. |
| 18 |
> |
| 19 |
> This sounds like 'perfect is the enemy of good'. If we can't get |
| 20 |
> this done perfectly good, we should just lie down and do not put any |
| 21 |
> effort into making things better. |
| 22 |
|
| 23 |
Sort of. |
| 24 |
|
| 25 |
|
| 26 |
>> Another point I just want to mention was patch 5 of 6 for |
| 27 |
>> net-libs/miniupnpc. Did you notice that the ebuild will fetch |
| 28 |
>> public key via HTTP instead of HTTPS? |
| 29 |
> |
| 30 |
> Is this question to me or to the public? Because if it's to me, |
| 31 |
> then yes, I've noticed I couldn't use HTTPS there. I'm sorry, I'm |
| 32 |
> not as incompetent as you'd repeatedly trying to prove, you won't win |
| 33 |
> your argument this way. |
| 34 |
|
| 35 |
See the first paragraph. I really don't understand why you believe I |
| 36 |
want to show world how incompetent anyone is. I am very sure that people |
| 37 |
active in Gentoo know very well that you are *not* incompetent. |
| 38 |
|
| 39 |
I am just showing a design flaw without any judgement. This is a |
| 40 |
technical mailing list. It should be possible to focus on technical |
| 41 |
aspects. One way to respond to that would maybe a discussion how we can |
| 42 |
do that better (see robbat2 mail for example). |
| 43 |
|
| 44 |
I am fully aware that this is still a draft, which is also part of my |
| 45 |
problem but I will address that later. |
| 46 |
|
| 47 |
|
| 48 |
>> This will create a chicken-egg problem here: We will record key |
| 49 |
>> information metadata the same way we store information about |
| 50 |
>> distfiles which is temper proofed. But because this is happening in |
| 51 |
>> an automatic way there is not just a theoretical chance that we |
| 52 |
>> will store an attacker’s key in our metadata because who is going |
| 53 |
>> to verify they key? The same developer we distrust (or where we |
| 54 |
>> just want to avoid to trust) that he/she verified the distfile? |
| 55 |
> |
| 56 |
> What's the alternative? Ignoring upstream signatures entirely unless |
| 57 |
> we can securely fetch the key? Shoving the problem under the carpet |
| 58 |
> and assuming that the developer will have safely set up the key on |
| 59 |
> his devbox while being totally incompetent at putting it in an |
| 60 |
> ebuild? |
| 61 |
|
| 62 |
My point here is: |
| 63 |
|
| 64 |
You had the idea to improve something. Which is good. Improvement is |
| 65 |
always appreciated. |
| 66 |
|
| 67 |
But it must be an improvement. I expect that during the process, "Hey, I |
| 68 |
think we can do X better... what do you think about doing it that way... |
| 69 |
which will address problem Z..." we are all open minded. That means that |
| 70 |
if we come to the conclusion that something isn't really an improvement |
| 71 |
or so minor that the complexity and everything belongs to that isn't |
| 72 |
worth it, that we all realize, "OK, didn't work as expected. Withdraw |
| 73 |
the idea (maybe just until we find a better way) and move on". |
| 74 |
|
| 75 |
|
| 76 |
> Theories are all nice but do you have any proof of that? Preferably |
| 77 |
> one that involves developers who *actually carefully* checked |
| 78 |
> distfiles. Because my theory says developers don't have infinite time |
| 79 |
> to audit everything. |
| 80 |
|
| 81 |
I don't think I need a proof for that. I am just picking up your initial |
| 82 |
argument for this new eclass saying "I don't want to need to trust |
| 83 |
developer that distfile was checked carefully, if we would add |
| 84 |
automatism we wouldn't need to trust..." (something I share). |
| 85 |
|
| 86 |
I hoped I would have shown everyone that in the end we are only *moving* |
| 87 |
that trust we don't want to give developers that they carefully checked |
| 88 |
distfiles to keys. In other words: We haven't changed anything -- we |
| 89 |
gained nothing. We still have to trust developers that they carefully |
| 90 |
check something, now just keys instead of distfiles. The previous |
| 91 |
'problem' this eclass wanted to improve (solve?) is still there. |
| 92 |
|
| 93 |
...and from my POV we got an additional problem because we now have a |
| 94 |
system which will tell user, "No... distfile looks good, signature is |
| 95 |
fine" which weighs the user in a false sense of security (even Google |
| 96 |
had to learn that when they replaced padlock with "Secure" in browsers |
| 97 |
-- suddenly users stopped using their own brain because they trusted |
| 98 |
system too much which was telling them that the site which looks like |
| 99 |
their bank but wasn't their bank's site was secure). |
| 100 |
|
| 101 |
Not to mention when this system will force users to connect to arbitrary |
| 102 |
key servers... |
| 103 |
|
| 104 |
|
| 105 |
> Are you arguing that we should remove commit signatures as well? Or |
| 106 |
> does it happen that with roughly the same technology and the same |
| 107 |
> people, one layer is secure and another similar layer is totally |
| 108 |
> bonkers? |
| 109 |
|
| 110 |
No. First you need to understand Gentoo's threat model. Once you |
| 111 |
understand why we are using signatures you need to understand the |
| 112 |
boundaries (limits) of signatures. The way how we are using signatures |
| 113 |
is for example different because we are operating our own key |
| 114 |
infrastructure and revocation process, we aren't affected by the |
| 115 |
previous outlined issues. |
| 116 |
|
| 117 |
|
| 118 |
>> The purpose of this email is to get this addition removed ASAP. |
| 119 |
> |
| 120 |
> Why do you claim to have the power to removed somebody's work just |
| 121 |
> because it doesn't fit your view of the world? |
| 122 |
|
| 123 |
I am gonna merge this with my answer to first paragraph. |
| 124 |
|
| 125 |
First of all, calm down. You are reading too much into this. Just revert |
| 126 |
your own logic: You obviously like your idea, worked on this and pushed |
| 127 |
it to repository. Don't you see that anyone could ask the same? Who are |
| 128 |
you? Why do believe that you can force something like that down to |
| 129 |
everyone's system? That feature got enabled in developers profiles by |
| 130 |
default, it will blow up distfiles with useless data (a view you can |
| 131 |
have when you share my concerns and don't see any problems with current |
| 132 |
Manifest system; For example we banned stuff in $FILESDIR before and |
| 133 |
asked developers to move them to d.g.o when >25kb in total arguing that |
| 134 |
large distfile is affecting *any* user... I am not comparing this 1:1 |
| 135 |
but to repeat your question: Who are you that you can decide to force |
| 136 |
something similar down to everyone). |
| 137 |
|
| 138 |
Of course I don't have any power to remove somebody's work (and I am |
| 139 |
still wondering why you assume I have), but you obviously had the power |
| 140 |
to just push your 'idea' which is still a draft to everyone and also |
| 141 |
forces everyone to participate in your beta testing... |
| 142 |
|
| 143 |
I hope to get a majority decision on that topic with the result to kill |
| 144 |
it unless it will add any significant improvement we all want. |
| 145 |
|
| 146 |
From my point of view the current implementation is only creating |
| 147 |
security problems due to giving anyone a false sense of security and |
| 148 |
ultimately resources are wasted by everyone because there is no benefit. |
| 149 |
|
| 150 |
Sure, if I am the only having that opinion and most people see a value |
| 151 |
in this and disagree with me... |
| 152 |
|
| 153 |
|
| 154 |
-- |
| 155 |
Regards, |
| 156 |
Thomas Deutschmann / Gentoo Linux Developer |
| 157 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives