On Friday 11 October 2002 04:53 pm, Christian Skarby wrote:

> Well, if one has such a strategy how can one be absolutely sure people
> authorized to modify packages have pure intentions? At some level one
> just will have to rely on something / others. It is not possible or at
> least not effective to reinvent wheels every day.

Short of meeting someone at a GPG key exchange party, there is no way to be
certain. But there are lots of ways to be "reasonably certain."

> On this mailing list we've had discussions about pgp-signed ebuilds. Then
> at least one can trace security issues back to specific signatures and make
> sure that the source is from whom it claims to be. But secure
> authentication is not easy to set up, and not between people not knowing
> each other in person.

I think we (by "we" I mean the free software community in general, although in
this context, the Gentoo community specifically) are making the mistake of
looking for perfection (a good thing) and not being willing to implement a
GPG signature approach at all if we can't achieve it (a bad thing). As I've
said before, distributing keys or keychains of public keys for a core circle
of developers that people can be reasonably certain of isn't difficult, while
absolute, 100% perfect certainty is extraordinarily difficult (requiring in
person, face to face meetings, etc.)

Someone suggested selling CDs with optimized binaries as a possible revenue
stream for the Gentoo project. Such a CD would hold no interest to me ...
even at work I do stage-1 installs, then compile the rest on each machine
individually so that it is completely optimized for that machine, against
whatever versions of libraries and software happen to be present at that
time.

However, I WOULD pay for a CD containing a certified keychain of public keys
for key Gentoo developers, against which I could check GPG signatures of
ebuilds and source tarballs. That would IMHO be invaluable, especially if
such were combined with a peer to peer (e.g. FreeNet) alternative to ebuild
and tarball downloads.

But, in order to achieve 'reasonable certainty' said public keys could be made
available from multiple, independent public key servers, as well as web sites
(cf. kernel.org), ftp download sites THAT ARE NOT THE SAME sites one gets
portage and the source tarballs from, and so on.

Multiple conduits, from which people can download multiple copies of the keys
or keyrings in question, which can then be checked against one another. So
long as they all agree, all is okay. If one or more disagree, that should
raise a red flag.

Being able to buy a copy on CD, that is then mailed snailmail, provides an
additional level of assurance.

Absolute certainty? No.
Good enough? You bet, and vastly better than what we have now.

my 2 cents, and worth every penny :-)

Jean.
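The multi-conduit cross-check described in the message above, as an added example that is not part of the original thread or of Gentoo's tooling: each copy of the keyring is parsed as OpenPGP packets, the v4 fingerprint of every public key is computed, and any copy whose key set differs from the majority is flagged. The key packets and the source names ("keyserver-1", "ftp-mirror", "web-mirror") are constructed for the example; only old-format, definite-length packet headers are handled.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Set

def make_key_packet(seed: int) -> bytes:
    """Constructed v4 public-key packet (tag 6) with dummy RSA MPIs; not a real key."""
    body = b"\x04" + (0x3DA6F000 + seed).to_bytes(4, "big") + b"\x01"  # v4, ctime, RSA
    n = hashlib.sha256(b"dummy-n-%d" % seed).digest()                   # dummy modulus
    body += (256).to_bytes(2, "big") + n + (17).to_bytes(2, "big") + b"\x01\x00\x01"
    # old-format header: 10 | tag 6 | length-type 1 (two-byte length), RFC 4880 4.2.1
    return bytes([0x80 | (6 << 2) | 1]) + len(body).to_bytes(2, "big") + body

def parse_packets(data: bytes):
    """Yield (tag, body) for old-format OpenPGP packets, as gpg --export emits for keys."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if (ctb & 0xC0) != 0x80 or (ctb & 0x03) == 3:
            raise ValueError("only old-format, definite-length packets are handled")
        nlen = 1 << (ctb & 0x03)                      # length field is 1, 2 or 4 bytes
        length = int.from_bytes(data[i + 1:i + 1 + nlen], "big")
        yield (ctb >> 2) & 0x0F, data[i + 1 + nlen:i + 1 + nlen + length]
        i += 1 + nlen + length

def fingerprints(keyring: bytes) -> Set[str]:
    """v4 fingerprint = SHA-1(0x99 || 2-byte body length || body), RFC 4880 12.2."""
    fps = set()
    for tag, body in parse_packets(keyring):
        if tag == 6 and body[:1] == b"\x04":          # version-4 public-key packet
            fps.add(hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper())
    return fps

def cross_check(copies: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return {source: fingerprints in disagreement} for copies that differ from the
    majority key set; an empty dict means every copy agrees (the 'all okay' case)."""
    per_source = {src: fingerprints(blob) for src, blob in copies.items()}
    seen = Counter(fp for fps in per_source.values() for fp in fps)
    majority = {fp for fp, c in seen.items() if 2 * c > len(per_source)}
    return {src: sorted(fps ^ majority) for src, fps in per_source.items() if fps != majority}

# Constructed mirror copies: two agree, one carries a substituted key.
KEY_A, KEY_B, KEY_ROGUE = make_key_packet(1), make_key_packet(2), make_key_packet(3)
SAMPLE_COPIES = {
    "keyserver-1": KEY_A + KEY_B,
    "ftp-mirror": KEY_A + KEY_B,
    "web-mirror": KEY_A + KEY_ROGUE,
}
```

Running `cross_check(SAMPLE_COPIES)` flags only "web-mirror", listing the missing key and the substituted one; a snail-mailed CD copy would simply be one more entry in the dictionary.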