On Thursday 24 April 2003 3:10 pm, Joshua Brindle wrote:

> >Will there be provision for controlling which developers are authorised to
> >sign each package, or will portage allow any developer to sign any package
> >manifest?
>
> there is no easy way since the only way cvs knows to allow/disallow commits
> is by permissions, we use permissions but they aren't fine grained, ie:
> everyone who has access to commit any package can commit to all of them.
> This is a lot better anyway since we have to be able to add new packages,
> do quick bumps on packages we don't necessarily maintain, etc. Obviously
> if a dev is abusing we'll have records of what was committed and where and
> be able to take care of that.

Consider this fictional scenario: A colleague is appointed a new gentoo
developer because of his interest in maintaining app-games/abcabcabcabc. I am
not interested in this package, and never intend to install it on our server
cluster.

Do I have to worry about him planting trojan sys-libs/glibc ebuilds in our
local portage mirror?


Another way of looking at it...

If I understand correctly, your proposal is using signatures from an inner
keyring for two different purposes:
1. To confirm identity. This is the conventional meaning of a key signature,
as should be understood by everyone that signs someone else's key.
2. To confirm status. That is, to confirm that the owner of the key is an
official gentoo developer.

Would it be better to use key signatures from the inner keyring only for the
first of those two purposes? Some file in portage, appropriately signed,
would list all official developers and the packages that they are authorised
to maintain. Senior gentoo developers will be authorised for everything.

--
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson


--
gentoo-hardened@g.o mailing list
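The separation proposed in the mail, as an added example that is not Gentoo or portage code: a constructed developer list maps each signing key to the package globs it may sign manifests for, and a manifest is accepted only if its signature verifies (identity) and the signer is listed for that package (status). HMAC-SHA256 with constructed secrets stands in for the inner keyring's OpenPGP signatures so it runs offline; key ids, secrets and the manifest format are assumptions.

```python
import fnmatch
import hashlib
import hmac

# Constructed developer list, standing in for the "appropriately signed" file
# proposed in the mail: key id -> package globs that key may sign manifests for.
# A lone "*" marks a senior developer authorised for everything.
AUTHORISED = {
    "games-dev": ["app-games/abcabcabcabc"],
    "senior-dev": ["*"],
}

# Constructed signing secrets. HMAC-SHA256 stands in for the OpenPGP signatures
# of the inner keyring so the example runs offline.
SECRETS = {"games-dev": b"games-secret", "senior-dev": b"senior-secret"}

def _digest(secret, package, body):
    """Signature over the package name and manifest body (constructed format)."""
    return hmac.new(secret, package.encode() + b"\n" + body, hashlib.sha256).hexdigest()

def sign_manifest(signer, package, body):
    """Produce a signed manifest record for `package` in `signer`'s name."""
    return {"package": package, "signer": signer, "body": body,
            "sig": _digest(SECRETS[signer], package, body)}

def is_authorised(signer, package, authorised=AUTHORISED):
    """Status check: the signer is a listed developer with a glob matching `package`."""
    return any(fnmatch.fnmatchcase(package, p) for p in authorised.get(signer, []))

def verify_manifest(manifest, authorised=AUTHORISED):
    """Return (accepted, reason). Identity is checked first, then status, so a
    valid signature from a developer who is not authorised for the package is
    still refused."""
    signer, package = manifest["signer"], manifest["package"]
    secret = SECRETS.get(signer)
    if secret is None:
        return False, "unknown key"
    if not hmac.compare_digest(_digest(secret, package, manifest["body"]), manifest["sig"]):
        return False, "bad signature"
    if not is_authorised(signer, package, authorised):
        return False, f"{signer} not authorised for {package}"
    return True, "ok"

if __name__ == "__main__":
    # The scenario from the mail: the games developer signs a sys-libs/glibc manifest.
    trojan = sign_manifest("games-dev", "sys-libs/glibc", b"constructed manifest body")
    print(verify_manifest(trojan))  # (False, 'games-dev not authorised for sys-libs/glibc')
```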