| 1 |
On Thursday 24 April 2003 4:34 pm, Joshua Brindle wrote: |
| 2 |
> >On Thursday 24 April 2003 3:10 pm, Joshua Brindle wrote: |
| 3 |
|
| 4 |
> >Consider this fictional scenario: A colleague is appointed a new gentoo |
| 5 |
> >developer because of his interest in maintaining app-games/abcabcabcabc. I |
| 6 |
> > am not interested in this package, and never intend to install it on our |
| 7 |
> > server cluster. |
| 8 |
> > |
| 9 |
> >Do I have to worry about him planting trojan sys-libs/glibc ebuilds in our |
| 10 |
> >local portage mirror? |
| 11 |
> |
| 12 |
> Well, there isn't anything we can do on the client side. Users will always |
| 13 |
> have the able to modify ebuilds/packages on their own machines |
| 14 |
> or we'd have a lot of angry users. The one thing that would solve the |
| 15 |
> problem is to 1) make sure you don't have any PORTDIR_OVERLAY's since |
| 16 |
> those probably won't be verified by keys anyway (we may have a setting |
| 17 |
> for this) and 2) emerge sync before you do _anything_, this means even |
| 18 |
> emerge -s or emerge -p. |
| 19 |
> |
| 20 |
> Since an emerge sync would overwrite any changes in the local repository |
| 21 |
> all your coworkers hard work got erased... |
| 22 |
> Also: on my machine /usr/portage is writable only by root.. if the coworker |
| 23 |
> has the access to write to the local tree then uhh, i don't guess it |
| 24 |
> matters since he could just backdoor your system without using portage.. |
| 25 |
|
| 26 |
Our "local portage mirror" is a seperate machine which runs an rsync daemon |
| 27 |
for our internal machines. It is an intermediary between the internal |
| 28 |
machines and the public rsync mirrors. |
| 29 |
|
| 30 |
Yes, suppose that mirror machine is rooted. I would like for portage on the |
| 31 |
non-rooted internal machines to be able to detect tampering on the |
| 32 |
intermediary. |
| 33 |
|
| 34 |
(I can understand if its not possible, but that doesnt stop me wanting it ;-) |
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
> >Another way of looking at it........ |
| 39 |
> > |
| 40 |
> >If I understand correctly, your proposal is using signatures from an inner |
| 41 |
> >keyring for two different purposes: |
| 42 |
> >1. To confirm identity. This is the conventional meaning of a key |
| 43 |
> > signature, as should be understood by everyone that signs someone elses |
| 44 |
> > key. 2. To confirm status. That is, to confirm that the owner of the key |
| 45 |
> > is an official gentoo developer. |
| 46 |
> > |
| 47 |
> >Would it be better to use key signatures from the inner keyring only for |
| 48 |
> > the first of those two purposes. Some file in portage, appropriately |
| 49 |
> > signed, would list all official developers and the packages that they are |
| 50 |
> > authorised to maintain. Senior gentoo developers will be authorised for |
| 51 |
> > everything. |
| 52 |
> |
| 53 |
> It would be impossible to keep the file accurate and up to date. Far too |
| 54 |
> many devs are involved in lots of things, also we'd have to wait on the |
| 55 |
> permissions key signer to even add new packages which would slow |
| 56 |
> developmental efforts down dramatically. |
| 57 |
|
| 58 |
Hmmm. maybe the ~arch testing flag could be used to pipeline these tasks. I |
| 59 |
take your point made in your original post that developer convenience is |
| 60 |
important too. |
| 61 |
|
| 62 |
> I have personally edited a lot of the core packages, gcc, glibc, xfree, |
| 63 |
> etc. It would have been a huge hassle if I had to go seek permission and |
| 64 |
> justify it and wait for a decision, etc. |
| 65 |
|
| 66 |
Yes, of course allowing this capability to all junior developers has a |
| 67 |
security implication. One compromised gpg key of *any* developer can |
| 68 |
compromise any package, so security is reduced by appointing many junior |
| 69 |
developers. |
| 70 |
|
| 71 |
(Which isnt necessarily a problem, but its nice to know where the boundaries |
| 72 |
lie.) |
| 73 |
|
| 74 |
Thanks for taking the time to discuss this. |
| 75 |
|
| 76 |
-- |
| 77 |
Toby Dickenson |
| 78 |
http://www.geminidataloggers.com/people/tdickenson |
| 79 |
|
| 80 |
-- |
| 81 |
gentoo-hardened@g.o mailing list |
Archives