| 1 |
On Sat, 07 Mar 2015 15:26:26 -0800 |
| 2 |
Zac Medico <zmedico@g.o> wrote: |
| 3 |
|
| 4 |
> On 03/06/2015 09:50 AM, Mark Kubacki wrote: |
| 5 |
> > We're on the same side here. |
| 6 |
> > |
| 7 |
> > Do we have numbers showing the ratio "portage used with defaults" |
| 8 |
> > vs. where "[webrsync-gpg] is described in many hardening guides for |
| 9 |
> > gentoo and widely used among the security conscious" applies? |
| 10 |
> > |
| 11 |
> > DNS not being encrypted is just painting the whole picture. Point |
| 12 |
> > is, the default is that "emerge --sync" results in a transfer using |
| 13 |
> > RSYNC (or http). |
| 14 |
> > |
| 15 |
> > And by default you cannot compare the result with any authoritative |
| 16 |
> > source. |
| 17 |
> > |
| 18 |
> |
| 19 |
> Ideally, we can rely on security mechanisms built into git [1], |
| 20 |
> possibly involving signed commits. |
| 21 |
> |
| 22 |
> [1] https://github.com/gentoo/gentoo-portage-rsync-mirror |
| 23 |
|
| 24 |
|
| 25 |
Actually, git makes it nearly impossible to get the correct info |
| 26 |
required to re-process the git commit signature. It is all embedded |
| 27 |
into the commit itself, but not in a way for gpg to be able to |
| 28 |
re-verify it. Git relies on the issuer's gpg verification status which |
| 29 |
it records in it's data before the push. So, without some major |
| 30 |
hacking on git data, it is not viable for routine verification purposes. |
| 31 |
|
| 32 |
When we move from cvs to git, newer git makes it possible to git push |
| 33 |
--sign. That info is available on the recieving server and the |
| 34 |
receiving server also runs gpg to verifiy the incoming data. |
| 35 |
|
| 36 |
Only problem there is git does not store that data. There is however a |
| 37 |
hook that gathers the info and saves it in git's metadata for that |
| 38 |
repo. That makes it possible to run a verification on the repo at any |
| 39 |
other time. Not just during the recieve operation. |
| 40 |
|
| 41 |
When we do move to a git tree. My information is that pushes will not |
| 42 |
contain a signed manifest like they are now for cvs. Instead the |
| 43 |
Manifest files will be generated for the rsync distribution tree and |
| 44 |
signed with gentoo gpg key. Replicating the existing tree structure. |
| 45 |
|
| 46 |
I will likely have a patch for portage very soon which uses gkeys libs |
| 47 |
to verify the Manifests. gkeys-9999 is able to verify the Manifest |
| 48 |
files now if the gentoo-devs keys are installed. |
| 49 |
|
| 50 |
Main questions for now is. Do we want to have a post sync hook that |
| 51 |
checks the tree for invalid Manifest sigs? Or do we just have it |
| 52 |
verify the manifest for the pkg at build/merge time? Or both? |
| 53 |
|
| 54 |
-- |
| 55 |
Brian Dolbec <dolsen> |
Archives