Gentoo Archives: gentoo-portage-dev

From: Zac Medico <zmedico@g.o>
To: gentoo-portage-dev@l.g.o
Subject: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers
Date: Sun, 08 Mar 2015 21:03:03
Message-Id: 54FCB903.9060900@gentoo.org
In Reply to: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers by Mark Kubacki
On 03/08/2015 08:02 AM, Mark Kubacki wrote:
> On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>>
>> And by default you cannot compare the result with any authoritative source.
>
> 2015-03-08 0:26 GMT+01:00 Zac Medico <zmedico@g.o>:
>>
>> Ideally, we can rely on security mechanisms built into git [1], possibly
>> involving signed commits.
>
> Some brownfield thinking here, without GIT and not replacing GIT:
>
> 1. Find and compile all directories two levels deep in a file
> "category.idx" and sign it.
> 2. Sign every Manifest.
> 3. Distribute that as usual.
>
> Will need N+1 checks (N × Manifest + 1 × category present/missing) and
> doesn't break anything already deployed.

I think it's an unnecessary expenditure of effort to implement our own
Merkle tree, considering that git's Merkle tree is good enough for the
time being, and will likely implement stronger security soon enough.

> Contributors (individuals, teams) need to provide a public key before
> submitting, and the "mirror source" (authority) just checks against
> the author's signature

Ideally, this signature check would be implemented as a server-side git
hook, so that a push would be automatically rejected if any of the
pushed commits lacked a good signature.

> and signs (1) and (2) with its own key
> ("official portage tree root key X"). That way, in the end, it's
> enough to announce only one signing key for every tree.

Or just rely on signed commits in git. We can automatically generate an
empty signed commit with the root key every 30 minutes or something like
that.

> (It's easier with binhosts, because all you need to sign is "Packages{,gz}".)

Yes, much easier. We might also want to embed signatures directly in
each binary package, so that they can be independently verified without
needing a copy of the original Packages file.
--
Thanks,
Zac
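The server-side hook Zac describes above, as an added example that is not part of this thread and not Gentoo or Portage infrastructure code: a pre-receive hook that reads the ref updates git hands it on stdin, lists the commits each update introduces, runs `git verify-commit --raw` on every one, and rejects the whole push unless each commit carries a GOODSIG and a VALIDSIG whose primary-key fingerprint is on a contributor allow-list. The allow-list constant ALLOWED_FINGERPRINTS, the fingerprint values in it, and the assumption that the server's GNUPGHOME holds the contributors' public keys are all hypothetical; a real deployment would load the list from a file or a dedicated keyring. Checking the fingerprint, not just "some key in the keyring signed this", is what turns "signed" into "signed by a known contributor".

```python
#!/usr/bin/env python3
"""Server-side pre-receive hook that rejects a push when any new commit lacks
a good signature from an allow-listed contributor key.

Added example; not Gentoo/Portage infrastructure code.  Assumptions (all
hypothetical): the hook runs inside the bare repository, the server's
GNUPGHOME holds the contributors' public keys, and their primary-key
fingerprints are listed in ALLOWED_FINGERPRINTS."""
import subprocess
import sys

ZERO_OID = "0" * 40  # old rev on ref creation, new rev on ref deletion

# Constructed for the example; a deployment would load these from a file.
ALLOWED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}


def evaluate_signature(status_text, allowed=ALLOWED_FINGERPRINTS):
    """Interpret gpg --status-fd lines (what `git verify-commit --raw` writes
    to stderr).  Returns (ok, detail).  Accepts only GOODSIG plus a VALIDSIG
    whose primary-key fingerprint is allow-listed; BADSIG, expired/revoked
    keys, unknown keys and unsigned commits are all rejected."""
    tags = {}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tags.setdefault(fields[1], fields[2:])
    if "GOODSIG" not in tags:
        for bad in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG",
                    "NO_PUBKEY", "ERRSIG"):
            if bad in tags:
                return False, bad
        return False, "NOSIG"
    valid = tags.get("VALIDSIG")
    if valid is None:
        return False, "NO_VALIDSIG"
    # VALIDSIG fpr date ts expire ver reserved pkalgo hashalgo class [primary-fpr]
    primary = (valid[9] if len(valid) >= 10 else valid[0]).upper()
    if primary not in allowed:
        return False, "UNTRUSTED_KEY " + primary
    return True, primary


def verify_commit(sha):
    """Run git's own verifier and interpret its raw gpg status output."""
    proc = subprocess.run(["git", "verify-commit", "--raw", sha],
                          capture_output=True, text=True)
    return evaluate_signature(proc.stderr)


def new_commits(old, new):
    """Commits this ref update introduces.  In pre-receive the refs are not yet
    updated, so `--not --all` excludes everything already in the repository."""
    if new == ZERO_OID:
        return []  # ref deletion: nothing new to verify
    out = subprocess.run(["git", "rev-list", new, "--not", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return out.split()


def check_push(updates, list_commits=new_commits, verify=verify_commit):
    """updates: iterable of (old, new, refname) as pre-receive reads them.
    Returns 'ref sha reason' strings for every rejected commit; empty means
    the whole push may be accepted."""
    failures = []
    for old, new, ref in updates:
        for sha in list_commits(old, new):
            ok, detail = verify(sha)
            if not ok:
                failures.append(f"{ref} {sha} {detail}")
    return failures


def main():
    updates = [tuple(line.split()) for line in sys.stdin if line.strip()]
    failures = check_push(updates)
    for failure in failures:
        print("rejected:", failure, file=sys.stderr)
    sys.exit(1 if failures else 0)


if __name__ == "__main__":
    main()
```

Install it as `hooks/pre-receive` in the bare repository and make it executable; git feeds it one `old new refname` line per updated ref and aborts the push on a non-zero exit. Because pre-receive sees all refs of a push before any of them is applied, one unsigned commit rejects the entire push rather than leaving a partially updated tree.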