On 03/08/2015 08:02 AM, Mark Kubacki wrote:
> On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>>
>> And by default you cannot compare the result with any authoritative source.
>
> 2015-03-08 0:26 GMT+01:00 Zac Medico <zmedico@g.o>:
>>
>> Ideally, we can rely on security mechanisms built into git [1], possibly
>> involving signed commits.
>
> Some brownfield thinking here, without GIT and not replacing GIT:
>
> 1. Find and compile all directories two levels deep in a file
> "category.idx" and sign it.
> 2. Sign every Manifest.
> 3. Distribute that as usual.
>
> Will need N+1 checks (N × Manifest + 1 × category present/missing) and
> doesn't break anything already deployed.

I think it's an unnecessary expenditure of effort to implement our own
Merkle tree, considering that git's Merkle tree is good enough for the
time being, and will likely implement stronger security soon enough.

> Contributors (individuals, teams) need to provide a public key before
> submitting, and the "mirror source" (authority) just checks against
> the author's signature

Ideally, this signature check would be implemented as a server-side git
hook, so that a push would be automatically rejected if any of the
pushed commits lacked a good signature.

> and signs (1) and (2) with its own key
> ("official portage tree root key X"). That way, in the end, it's
> enough to announce only one signing key for every tree.

Or just rely on signed commits in git. We can automatically generate an
empty signed commit with the root key every 30 minutes or something like
that.

> (It's easier with binhosts, because all you need to sign is "Packages{,gz}".)

Yes, much easier. We might also want to embed signatures directly in
each binary package, so that they can be independently verified without
needing a copy of the original Packages file.
-- 
Thanks,
Zac
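The server-side hook Zac describes above, as an added example that is not part of the thread and not Gentoo's or git's own code: a `pre-receive` hook that rejects a push when any newly pushed commit lacks a good signature. It assumes a bare repository with gpg installed and the contributors' public keys imported and trusted on the server, a git new enough to support the `%G?` placeholder in `git log --format`, and that git exports `GIT_DIR` when it runs the hook (the guard at the bottom is an assumption made so the file can also be sourced without running). The function names `sig_ok`, `check_signatures` and `hook_main` are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): server-side git pre-receive hook that
# rejects a push if any pushed commit lacks a good signature.
# Assumptions: bare repo, gpg + contributors' keys on the server,
# git with the %G? format placeholder, GIT_DIR set by git when the hook runs.

# Accept only a fully valid signature. git's %G? status letters:
#   G good, U good but key not trusted, B bad, X expired signature,
#   Y expired key, R revoked key, E cannot be checked, N no signature.
sig_ok() {
    case "$1" in
        G) return 0 ;;
        *) return 1 ;;
    esac
}

# Read lines "<commit-hash> <status-letter>" (the output of
# `git log --format='%H %G?'`) on stdin; report every commit that is not
# good and return 1 if there was any, 0 if all commits are signed and valid.
check_signatures() {
    bad=0
    while read -r hash status; do
        [ -n "$hash" ] || continue
        if ! sig_ok "$status"; then
            echo "rejected: commit $hash has signature status '$status' (need G)" >&2
            bad=1
        fi
    done
    return $bad
}

# pre-receive reads "oldrev newrev refname" per updated ref from stdin.
ZERO=0000000000000000000000000000000000000000
hook_main() {
    status=0
    while read -r oldrev newrev refname; do
        # Ref deletion: nothing new to verify.
        [ "$newrev" = "$ZERO" ] && continue
        if [ "$oldrev" = "$ZERO" ]; then
            # New ref: check every commit not already reachable from existing refs.
            range="$newrev --not --all"
        else
            range="$oldrev..$newrev"
        fi
        # $range is intentionally left unquoted so "--not --all" word-splits.
        if ! git log --format='%H %G?' $range | check_signatures; then
            echo "push to $refname rejected: unsigned or invalid commits" >&2
            status=1
        fi
    done
    return $status
}

# Only act as a hook when git invokes us (assumption: GIT_DIR is exported
# and stdin is the ref list, not a terminal); otherwise the file can be
# sourced to reuse the functions.
if [ -n "$GIT_DIR" ] && [ ! -t 0 ]; then
    hook_main
    exit $?
fi
```

Note that `U` (good signature, key not trusted) is deliberately rejected: a contributor's key must be imported and trusted in the server's keyring before their pushes are accepted, which is the "provide a public key before submitting" step from the thread. Loosen `sig_ok` if the keyring is maintained without trust levels.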