| 1 |
On Thursday 24 April 2003 3:10 pm, Joshua Brindle wrote: |
| 2 |
|
| 3 |
> >Will there be provision for controlling which developers are authorised to |
| 4 |
> >sign each package, or will portage allow any developer to sign any package |
| 5 |
> >manifest? |
| 6 |
> |
| 7 |
> there is no easy way since the only way cvs knows to allow/disallow commits |
| 8 |
> is by permissions, we use permissions but they aren't fine grained, ie: |
| 9 |
> everyone who has access to commit any package can commit to all of them. |
| 10 |
> This is a lot better anyway since we have to be able to add new packages, |
| 11 |
> do quick bumps on packages we don't necessarilly maintain, etc. Obviously |
| 12 |
> if a dev is abusing we'll have records of what was commited and where and |
| 13 |
> be able to take care of that. |
| 14 |
|
| 15 |
Consider this fictional scenario: A colleague is appointed a new gentoo |
| 16 |
developer because of his interest in maintaining app-games/abcabcabcabc. I am |
| 17 |
not interested in this package, and never intend to install it on our server |
| 18 |
cluster. |
| 19 |
|
| 20 |
Do I have to worry about him planting trojan sys-libs/glibc ebuilds in our |
| 21 |
local portage mirror? |
| 22 |
|
| 23 |
|
| 24 |
Another way of looking at it........ |
| 25 |
|
| 26 |
If I understand correctly, your proposal is using signatures from an inner |
| 27 |
keyring for two different purposes: |
| 28 |
1. To confirm identity. This is the conventional meaning of a key signature, |
| 29 |
as should be understood by everyone that signs someone elses key. |
| 30 |
2. To confirm status. That is, to confirm that the owner of the key is an |
| 31 |
official gentoo developer. |
| 32 |
|
| 33 |
Would it be better to use key signatures from the inner keyring only for the |
| 34 |
first of those two purposes. Some file in portage, appropriately signed, |
| 35 |
would list all official developers and the packages that they are authorised |
| 36 |
to maintain. Senior gentoo developers will be authorised for everything. |
| 37 |
|
| 38 |
-- |
| 39 |
Toby Dickenson |
| 40 |
http://www.geminidataloggers.com/people/tdickenson |
| 41 |
|
| 42 |
|
| 43 |
-- |
| 44 |
gentoo-hardened@g.o mailing list |
Archives