| 1 |
On 03/06/2015 09:50 AM, Mark Kubacki wrote: |
| 2 |
> |
| 3 |
> And by default you cannot compare the result with any authoritative source. |
| 4 |
|
| 5 |
2015-03-08 0:26 GMT+01:00 Zac Medico <zmedico@g.o>: |
| 6 |
> |
| 7 |
> Ideally, we can rely on security mechanisms built into git [1], possibly |
| 8 |
> involving signed commits. |
| 9 |
|
| 10 |
Some brownfield thinking here, without GIT and not replacing GIT: |
| 11 |
|
| 12 |
1. Find and compile all directories two levels deep in a file |
| 13 |
"category.idx" and sign it. |
| 14 |
2. Sign every Manifest. |
| 15 |
3. Distribute that as usual. |
| 16 |
|
| 17 |
Will need N+1 checks (N × Manifest + 1 × category present/missing) and |
| 18 |
doesn't break anything already deployed. |
| 19 |
|
| 20 |
Contributors (individuals, teams) need to provide a public key before |
| 21 |
submitting, and the "mirror source" (authority) just checks against |
| 22 |
the author's signature and signs (1) and (2) with its own key |
| 23 |
("official portage tree root key X"). That way, in the end, it's |
| 24 |
enough to announce only one signing key for every tree. |
| 25 |
|
| 26 |
(It's easier with binhosts, because all you need to sign is "Packages{,gz}".) |
| 27 |
|
| 28 |
There are many interoperable implementations of OpenBSD's "signify" |
| 29 |
[2] (sha256 + ed25519). Implementations are simple and small enough |
| 30 |
[3] to be included into Portage to not require GPG. |
| 31 |
|
| 32 |
-- |
| 33 |
Mark |
| 34 |
|
| 35 |
[2] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/signify.1?query=signify&arch=i386 |
| 36 |
[3] http://ed25519.cr.yp.to/python/ed25519.py — needs reading the key |
| 37 |
and hashing the file to be checked |
Archives