| 1 |
On Friday 11 October 2002 04:53 pm, Christian Skarby wrote: |
| 2 |
|
| 3 |
> Well, if one have such a strategy how can one be absolutely sure people |
| 4 |
> authoriezed to modify packages have pure intentions? At some level one |
| 5 |
> just will have to relay on something / others. It is not possible or at |
| 6 |
> least not effective to reinvent wheels every day. |
| 7 |
|
| 8 |
Short of meeting someone at a GPG key exchange party, there is no way to be |
| 9 |
certain. But there are lots of ways to be "reasonably certain." |
| 10 |
|
| 11 |
> On this mailinglist we've had discussions about pgp-signed ebuilds. Then |
| 12 |
> atleast one can trace security-issues back to spesific signatures and make |
| 13 |
> sure that the source is from whom it claims to be. But secure |
| 14 |
> authentification is not easy to set up and not between people not knowing |
| 15 |
> eachother in person. |
| 16 |
|
| 17 |
I think we (by "we" I mean the free software community in general, although in |
| 18 |
this context, the Gentoo community specifically) are making the mistake of |
| 19 |
looking for perfection (a good thing) and not being willing to impliment a |
| 20 |
GPG signature appraoch at all if we can't achieve it (a bad thing). As I've |
| 21 |
said before, distributing keys or keychains of public keys for a core circle |
| 22 |
of developers that people can be reasonably certain of isn't difficult, while |
| 23 |
absolute, 100% perfect certainty is extraordinarilly difficult (requiring in |
| 24 |
person, face to face meetings, etc.) |
| 25 |
|
| 26 |
Someone suggested selling CDs with optimized binaries as a possible revinue |
| 27 |
stream for the Gentoo project. Such a CD would hold no interest to me ... |
| 28 |
even at work I do stage-1 installs, then compile the rest on each macine |
| 29 |
indivually so that it is completely optimized for that machine, against |
| 30 |
whatever versions of libraries and software happen to be present at that |
| 31 |
time. |
| 32 |
|
| 33 |
However, I WOULD pay for a CD containing a certified keychain of public keys |
| 34 |
for key Gentoo developers, against which I could check GPG signatures of |
| 35 |
ebuilds and source tarballs. That would IMHO be invaluable, especially if |
| 36 |
such were combined with a peer to peer (e.g. FreeNet) alternative to ebuild |
| 37 |
and tarball downloads. |
| 38 |
|
| 39 |
But, in order to achieve 'reasonable certainty' said public keys could be made |
| 40 |
available from multiple, independent public key servers, as well as web sites |
| 41 |
(c.f kernel.org), ftp download sites THAT ARE NOT THE SAME sites one gets |
| 42 |
portage and the source tarballs from, and so on. |
| 43 |
|
| 44 |
Multiple conduits, from which people can download multiple copies of the keys |
| 45 |
or keyrings in question, whcih can then be checked against one another. So |
| 46 |
long as they all agree, all is okay. If one or more disagree, that should |
| 47 |
raise a red flag. |
| 48 |
|
| 49 |
Being able to buy a copy on CD, that is then mailed snailmail, provides an |
| 50 |
additional level of assurance. |
| 51 |
|
| 52 |
Absolute certainty? No. |
| 53 |
Good enough? You bet, and vastly better than what we have now. |
| 54 |
|
| 55 |
my 2 cents, and worth every penny :-) |
| 56 |
|
| 57 |
Jean. |
Archives