1 |
On Sat, 07 Mar 2015 15:26:26 -0800 |
2 |
Zac Medico <zmedico@g.o> wrote: |
3 |
|
4 |
> On 03/06/2015 09:50 AM, Mark Kubacki wrote: |
5 |
> > We're on the same side here. |
6 |
> > |
7 |
> > Do we have numbers showing the ratio "portage used with defaults" |
8 |
> > vs. where "[webrsync-gpg] is described in many hardening guides for |
9 |
> > gentoo and widely used among the security conscious" applies? |
10 |
> > |
11 |
> > DNS not being encrypted is just painting the whole picture. Point |
12 |
> > is, the default is that "emerge --sync" results in a transfer using |
13 |
> > RSYNC (or http). |
14 |
> > |
15 |
> > And by default you cannot compare the result with any authoritative |
16 |
> > source. |
17 |
> > |
18 |
> |
19 |
> Ideally, we can rely on security mechanisms built into git [1], |
20 |
> possibly involving signed commits. |
21 |
> |
22 |
> [1] https://github.com/gentoo/gentoo-portage-rsync-mirror |
23 |
|
24 |
|
25 |
Actually, git makes it nearly impossible to get the correct info |
26 |
required to re-process the git commit signature. It is all embedded |
27 |
into the commit itself, but not in a way for gpg to be able to |
28 |
re-verify it. Git relies on the issuer's gpg verification status which |
29 |
it records in it's data before the push. So, without some major |
30 |
hacking on git data, it is not viable for routine verification purposes. |
31 |
|
32 |
When we move from cvs to git, newer git makes it possible to git push |
33 |
--sign. That info is available on the recieving server and the |
34 |
receiving server also runs gpg to verifiy the incoming data. |
35 |
|
36 |
Only problem there is git does not store that data. There is however a |
37 |
hook that gathers the info and saves it in git's metadata for that |
38 |
repo. That makes it possible to run a verification on the repo at any |
39 |
other time. Not just during the recieve operation. |
40 |
|
41 |
When we do move to a git tree. My information is that pushes will not |
42 |
contain a signed manifest like they are now for cvs. Instead the |
43 |
Manifest files will be generated for the rsync distribution tree and |
44 |
signed with gentoo gpg key. Replicating the existing tree structure. |
45 |
|
46 |
I will likely have a patch for portage very soon which uses gkeys libs |
47 |
to verify the Manifests. gkeys-9999 is able to verify the Manifest |
48 |
files now if the gentoo-devs keys are installed. |
49 |
|
50 |
Main questions for now is. Do we want to have a post sync hook that |
51 |
checks the tree for invalid Manifest sigs? Or do we just have it |
52 |
verify the manifest for the pkg at build/merge time? Or both? |
53 |
|
54 |
-- |
55 |
Brian Dolbec <dolsen> |