1 |
On 2020-10-10 22:36, Michał Górny wrote: |
2 |
> On Sat, 2020-10-10 at 22:10 +0200, Thomas Deutschmann wrote: |
3 |
>> Another example for something that was not thought to the end and |
4 |
>> which was rushed and pushed to our users. |
5 |
> |
6 |
> You start this mail with an insult to me. Why do you keep doing |
7 |
> this? Do you feel that there is some special need for you to try to |
8 |
> diminish me in order to reach your goal? |
9 |
|
10 |
You seem to be obsessed with the idea that I am your perfect enemy... I |
11 |
cannot help you with that. |
12 |
|
13 |
|
14 |
>> The whole idea started with assumption that not every developer |
15 |
>> will verify the distfile (an assumption I share). But why should we |
16 |
>> trust these developers that they will keep an eye on upstream’s |
17 |
>> used certificate instead? That does not make any sense for me. |
18 |
> |
19 |
> This sounds like 'perfect is the enemy of good'. If we can't get |
20 |
> this done perfectly good, we should just lie down and do not put any |
21 |
> effort into making things better. |
22 |
|
23 |
Sort of. |
24 |
|
25 |
|
26 |
>> Another point I just want to mention was patch 5 of 6 for |
27 |
>> net-libs/miniupnpc. Did you notice that the ebuild will fetch |
28 |
>> public key via HTTP instead of HTTPS? |
29 |
> |
30 |
> Is this question to me or to the public? Because if it's to me, |
31 |
> then yes, I've noticed I couldn't use HTTPS there. I'm sorry, I'm |
32 |
> not as incompetent as you'd repeatedly trying to prove, you won't win |
33 |
> your argument this way. |
34 |
|
35 |
See the first paragraph. I really don't understand why you believe I |
36 |
want to show world how incompetent anyone is. I am very sure that people |
37 |
active in Gentoo know very well that you are *not* incompetent. |
38 |
|
39 |
I am just showing a design flaw without any judgement. This is a |
40 |
technical mailing list. It should be possible to focus on technical |
41 |
aspects. One way to respond to that would maybe a discussion how we can |
42 |
do that better (see robbat2 mail for example). |
43 |
|
44 |
I am fully aware that this is still a draft, which is also part of my |
45 |
problem but I will address that later. |
46 |
|
47 |
|
48 |
>> This will create a chicken-egg problem here: We will record key |
49 |
>> information metadata the same way we store information about |
50 |
>> distfiles which is temper proofed. But because this is happening in |
51 |
>> an automatic way there is not just a theoretical chance that we |
52 |
>> will store an attacker’s key in our metadata because who is going |
53 |
>> to verify they key? The same developer we distrust (or where we |
54 |
>> just want to avoid to trust) that he/she verified the distfile? |
55 |
> |
56 |
> What's the alternative? Ignoring upstream signatures entirely unless |
57 |
> we can securely fetch the key? Shoving the problem under the carpet |
58 |
> and assuming that the developer will have safely set up the key on |
59 |
> his devbox while being totally incompetent at putting it in an |
60 |
> ebuild? |
61 |
|
62 |
My point here is: |
63 |
|
64 |
You had the idea to improve something. Which is good. Improvement is |
65 |
always appreciated. |
66 |
|
67 |
But it must be an improvement. I expect that during the process, "Hey, I |
68 |
think we can do X better... what do you think about doing it that way... |
69 |
which will address problem Z..." we are all open minded. That means that |
70 |
if we come to the conclusion that something isn't really an improvement |
71 |
or so minor that the complexity and everything belongs to that isn't |
72 |
worth it, that we all realize, "OK, didn't work as expected. Withdraw |
73 |
the idea (maybe just until we find a better way) and move on". |
74 |
|
75 |
|
76 |
> Theories are all nice but do you have any proof of that? Preferably |
77 |
> one that involves developers who *actually carefully* checked |
78 |
> distfiles. Because my theory says developers don't have infinite time |
79 |
> to audit everything. |
80 |
|
81 |
I don't think I need a proof for that. I am just picking up your initial |
82 |
argument for this new eclass saying "I don't want to need to trust |
83 |
developer that distfile was checked carefully, if we would add |
84 |
automatism we wouldn't need to trust..." (something I share). |
85 |
|
86 |
I hoped I would have shown everyone that in the end we are only *moving* |
87 |
that trust we don't want to give developers that they carefully checked |
88 |
distfiles to keys. In other words: We haven't changed anything -- we |
89 |
gained nothing. We still have to trust developers that they carefully |
90 |
check something, now just keys instead of distfiles. The previous |
91 |
'problem' this eclass wanted to improve (solve?) is still there. |
92 |
|
93 |
...and from my POV we got an additional problem because we now have a |
94 |
system which will tell user, "No... distfile looks good, signature is |
95 |
fine" which weighs the user in a false sense of security (even Google |
96 |
had to learn that when they replaced padlock with "Secure" in browsers |
97 |
-- suddenly users stopped using their own brain because they trusted |
98 |
system too much which was telling them that the site which looks like |
99 |
their bank but wasn't their bank's site was secure). |
100 |
|
101 |
Not to mention when this system will force users to connect to arbitrary |
102 |
key servers... |
103 |
|
104 |
|
105 |
> Are you arguing that we should remove commit signatures as well? Or |
106 |
> does it happen that with roughly the same technology and the same |
107 |
> people, one layer is secure and another similar layer is totally |
108 |
> bonkers? |
109 |
|
110 |
No. First you need to understand Gentoo's threat model. Once you |
111 |
understand why we are using signatures you need to understand the |
112 |
boundaries (limits) of signatures. The way how we are using signatures |
113 |
is for example different because we are operating our own key |
114 |
infrastructure and revocation process, we aren't affected by the |
115 |
previous outlined issues. |
116 |
|
117 |
|
118 |
>> The purpose of this email is to get this addition removed ASAP. |
119 |
> |
120 |
> Why do you claim to have the power to removed somebody's work just |
121 |
> because it doesn't fit your view of the world? |
122 |
|
123 |
I am gonna merge this with my answer to first paragraph. |
124 |
|
125 |
First of all, calm down. You are reading too much into this. Just revert |
126 |
your own logic: You obviously like your idea, worked on this and pushed |
127 |
it to repository. Don't you see that anyone could ask the same? Who are |
128 |
you? Why do believe that you can force something like that down to |
129 |
everyone's system? That feature got enabled in developers profiles by |
130 |
default, it will blow up distfiles with useless data (a view you can |
131 |
have when you share my concerns and don't see any problems with current |
132 |
Manifest system; For example we banned stuff in $FILESDIR before and |
133 |
asked developers to move them to d.g.o when >25kb in total arguing that |
134 |
large distfile is affecting *any* user... I am not comparing this 1:1 |
135 |
but to repeat your question: Who are you that you can decide to force |
136 |
something similar down to everyone). |
137 |
|
138 |
Of course I don't have any power to remove somebody's work (and I am |
139 |
still wondering why you assume I have), but you obviously had the power |
140 |
to just push your 'idea' which is still a draft to everyone and also |
141 |
forces everyone to participate in your beta testing... |
142 |
|
143 |
I hope to get a majority decision on that topic with the result to kill |
144 |
it unless it will add any significant improvement we all want. |
145 |
|
146 |
From my point of view the current implementation is only creating |
147 |
security problems due to giving anyone a false sense of security and |
148 |
ultimately resources are wasted by everyone because there is no benefit. |
149 |
|
150 |
Sure, if I am the only having that opinion and most people see a value |
151 |
in this and disagree with me... |
152 |
|
153 |
|
154 |
-- |
155 |
Regards, |
156 |
Thomas Deutschmann / Gentoo Linux Developer |
157 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |