On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>
> And by default you cannot compare the result with any authoritative source.

2015-03-08 0:26 GMT+01:00 Zac Medico <zmedico@g.o>:
>
> Ideally, we can rely on security mechanisms built into git [1], possibly
> involving signed commits.

Some brownfield thinking here, without GIT and not replacing GIT:

1. Find and compile all directories two levels deep in a file
"category.idx" and sign it.
2. Sign every Manifest.
3. Distribute that as usual.

Will need N+1 checks (N × Manifest + 1 × category present/missing) and
doesn't break anything already deployed.

Contributors (individuals, teams) need to provide a public key before
submitting, and the "mirror source" (authority) just checks against
the author's signature and signs (1) and (2) with its own key
("official portage tree root key X"). That way, in the end, it's
enough to announce only one signing key for every tree.

(It's easier with binhosts, because all you need to sign is "Packages{,gz}".)

There are many interoperable implementations of OpenBSD's "signify"
[2] (sha256 + ed25519). Implementations are simple and small enough
[3] to be included in Portage to not require GPG.

--
Mark

[2] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/signify.1?query=signify&arch=i386
[3] http://ed25519.cr.yp.to/python/ed25519.py — needs reading the key
and hashing the file to be checked