1 |
On Thursday 24 April 2003 4:34 pm, Joshua Brindle wrote: |
2 |
> >On Thursday 24 April 2003 3:10 pm, Joshua Brindle wrote: |
3 |
|
4 |
> >Consider this fictional scenario: A colleague is appointed a new gentoo |
5 |
> >developer because of his interest in maintaining app-games/abcabcabcabc. I |
6 |
> > am not interested in this package, and never intend to install it on our |
7 |
> > server cluster. |
8 |
> > |
9 |
> >Do I have to worry about him planting trojan sys-libs/glibc ebuilds in our |
10 |
> >local portage mirror? |
11 |
> |
12 |
> Well, there isn't anything we can do on the client side. Users will always |
13 |
> have the able to modify ebuilds/packages on their own machines |
14 |
> or we'd have a lot of angry users. The one thing that would solve the |
15 |
> problem is to 1) make sure you don't have any PORTDIR_OVERLAY's since |
16 |
> those probably won't be verified by keys anyway (we may have a setting |
17 |
> for this) and 2) emerge sync before you do _anything_, this means even |
18 |
> emerge -s or emerge -p. |
19 |
> |
20 |
> Since an emerge sync would overwrite any changes in the local repository |
21 |
> all your coworkers hard work got erased... |
22 |
> Also: on my machine /usr/portage is writable only by root.. if the coworker |
23 |
> has the access to write to the local tree then uhh, i don't guess it |
24 |
> matters since he could just backdoor your system without using portage.. |
25 |
|
26 |
Our "local portage mirror" is a seperate machine which runs an rsync daemon |
27 |
for our internal machines. It is an intermediary between the internal |
28 |
machines and the public rsync mirrors. |
29 |
|
30 |
Yes, suppose that mirror machine is rooted. I would like for portage on the |
31 |
non-rooted internal machines to be able to detect tampering on the |
32 |
intermediary. |
33 |
|
34 |
(I can understand if its not possible, but that doesnt stop me wanting it ;-) |
35 |
|
36 |
|
37 |
|
38 |
> >Another way of looking at it........ |
39 |
> > |
40 |
> >If I understand correctly, your proposal is using signatures from an inner |
41 |
> >keyring for two different purposes: |
42 |
> >1. To confirm identity. This is the conventional meaning of a key |
43 |
> > signature, as should be understood by everyone that signs someone elses |
44 |
> > key. 2. To confirm status. That is, to confirm that the owner of the key |
45 |
> > is an official gentoo developer. |
46 |
> > |
47 |
> >Would it be better to use key signatures from the inner keyring only for |
48 |
> > the first of those two purposes. Some file in portage, appropriately |
49 |
> > signed, would list all official developers and the packages that they are |
50 |
> > authorised to maintain. Senior gentoo developers will be authorised for |
51 |
> > everything. |
52 |
> |
53 |
> It would be impossible to keep the file accurate and up to date. Far too |
54 |
> many devs are involved in lots of things, also we'd have to wait on the |
55 |
> permissions key signer to even add new packages which would slow |
56 |
> developmental efforts down dramatically. |
57 |
|
58 |
Hmmm. maybe the ~arch testing flag could be used to pipeline these tasks. I |
59 |
take your point made in your original post that developer convenience is |
60 |
important too. |
61 |
|
62 |
> I have personally edited a lot of the core packages, gcc, glibc, xfree, |
63 |
> etc. It would have been a huge hassle if I had to go seek permission and |
64 |
> justify it and wait for a decision, etc. |
65 |
|
66 |
Yes, of course allowing this capability to all junior developers has a |
67 |
security implication. One compromised gpg key of *any* developer can |
68 |
compromise any package, so security is reduced by appointing many junior |
69 |
developers. |
70 |
|
71 |
(Which isnt necessarily a problem, but its nice to know where the boundaries |
72 |
lie.) |
73 |
|
74 |
Thanks for taking the time to discuss this. |
75 |
|
76 |
-- |
77 |
Toby Dickenson |
78 |
http://www.geminidataloggers.com/people/tdickenson |
79 |
|
80 |
-- |
81 |
gentoo-hardened@g.o mailing list |