| 1 |
On Fri, 2013-11-15 at 16:25 -0500, Rick "Zero_Chaos" Farina wrote: |
| 2 |
> On 11/15/2013 02:37 PM, Robin H. Johnson wrote: |
| 3 |
> > On Fri, Nov 15, 2013 at 01:51:32PM -0500, Rick "Zero_Chaos" Farina wrote: |
| 4 |
> >> On 11/15/2013 01:23 AM, Robin H. Johnson wrote: |
| 5 |
> >>> You crossed sections, but let's collapse both to: |
| 6 |
> >>> |
| 7 |
> >>> Bare minimum requirements: |
| 8 |
> >>> 3. Key expiry: 6 months min, 3 years max. |
| 9 |
> >>> Recommendations: |
| 10 |
> >>> 4.1. Root key: 6 months min, 3 year max; |
| 11 |
> >>> 4.2. Signing subkey: 3 months min, 1 year max; |
| 12 |
> >>> 4.3. For both keys, expiry date should always be update at least 1 month before expiry. |
| 13 |
> >> How are we planning on updating keys on user's systems to verify things? |
| 14 |
> >> I only ask because 3 months on the signing key means whatever we do |
| 15 |
> >> needs to happen *securely* every 3 months at most. So like, if we are |
| 16 |
> >> pushing an ebuild with a keyring then we have to update it every 2 |
| 17 |
> >> months so keys don't expire and then that would break if the user |
| 18 |
> >> doesn't update every 3 months... Might be an issue as we try as a whole |
| 19 |
> >> to keep systems updatable for 1 year. |
| 20 |
> > So some more details regarding how we plan to deploy keys is probably |
| 21 |
> > needed here. It was out of scope for the discussion about what keys |
| 22 |
> > should look like. |
| 23 |
> > |
| 24 |
> > There are a few parts to it: |
| 25 |
> > - gentoo-keys (lead by dolsen) |
| 26 |
> > This is a mostly infra-level tool that takes the data in LDAP, does |
| 27 |
> > validation, mixes in the keys from keyserver/homedir, and generates |
| 28 |
> > keyrings. |
| 29 |
|
| 30 |
Not quite right. The gentoo-keys project is a repository with two main |
| 31 |
components. |
| 32 |
|
| 33 |
1) gkeyldap cli and python pkg. This is all the code that needs to run |
| 34 |
on infra machines to get the data from ldap and generate the dev seed |
| 35 |
file. It will likely never be installed on a user system (but some noob |
| 36 |
will likely try). It could be adapted to run on other derivative |
| 37 |
distro's with some additional code wrapping or patches. Or they could |
| 38 |
just create their own script to generate the seed files. Please note |
| 39 |
that seed files can be manually generated and maintained using the gkey |
| 40 |
app in 2 below. |
| 41 |
|
| 42 |
2) gkey cli and python pkg. |
| 43 |
|
| 44 |
a) This is the code and library that will be installed on users and |
| 45 |
infra systems to manage and install the keys to the appropriate keyring |
| 46 |
or keyrings. It will have code for doing regular maintenance and upkeep |
| 47 |
of the keyrings. As I see it so far, there will be no need for it to |
| 48 |
require binary keyrings or ebuilds with version bumps to perform |
| 49 |
updates. It will be able to download updated seed files just like |
| 50 |
layman does with the repositories.xml file. keyring updates can be done |
| 51 |
automatically with a cron job, emerge --sync hook or even make use of |
| 52 |
it's python API to run the maintenance actions from within the package |
| 53 |
manager (see b) |
| 54 |
|
| 55 |
b) A python library of predefined functions and methods to perform |
| 56 |
the regular verification and maintenance operations. They will be |
| 57 |
available from both the cli interface supplied or through use of it's |
| 58 |
python API. |
| 59 |
|
| 60 |
c) a cli interface for performing all the operations it is capable of. |
| 61 |
|
| 62 |
d) It leaves open the possibility of getting a gui interface that |
| 63 |
users can use for maintenance. Hey, I wouldn't code it any other way |
| 64 |
than to be able to switch out the interface without having to recode the |
| 65 |
operational routines. |
| 66 |
|
| 67 |
|
| 68 |
Ebuild installed seed files could be done as well for overlay use or |
| 69 |
other repositories of pkgs whether layman maintained or not. They would |
| 70 |
be subject to regular tree rules. All that is needed is to install the |
| 71 |
keyring's seed file to the gkey seedfile directory and call the gkey cli |
| 72 |
with the correct parameters for it to install the keys it specifies. |
| 73 |
Something easily done the the pkg_post_intall(). |
| 74 |
|
| 75 |
> > - keyring packages: |
| 76 |
> > Thus far, based on the Debian keyring model, where keyrings of trusted |
| 77 |
> > keys are installed locally in /usr/share/keyrings/, and the package |
| 78 |
> > manager (or other tools) looks there for validation. I've got a few |
| 79 |
> > planned so far: |
| 80 |
> > $CAT/gentoo-dev-keyring |
| 81 |
> > $CAT/gentoo-releng-keyring |
| 82 |
|
| 83 |
Yes, the code is set up for those 2 primary seed files and keyrings. |
| 84 |
They are not also needed to be installed via ebuild. The url's will be |
| 85 |
included in the pkg, They will be downloaded and installed the same as |
| 86 |
layman's repositories.xml file. It will save having it be version |
| 87 |
bumped up to several times a day in the case of the dev's seed file. |
| 88 |
I have yet to add the code in gkeyldap to check if the new seed file has |
| 89 |
indeed changed or not before changing the existing seed file. The gkey |
| 90 |
sync operation will send the "if-Modified-since" header like I did for |
| 91 |
layman-2.0, so only an updated seed file will trigger an update to the |
| 92 |
keys the seed file is responsible for and installed on the user's |
| 93 |
system. |
| 94 |
|
| 95 |
The dev keyrings are set up to be one keyring per dev. all under one |
| 96 |
umbrella dev-keyring directory. This was the setup requested by Brian |
| 97 |
Harring, to be used for the git commit verification hooks. It also |
| 98 |
provides some cross contamination protection. |
| 99 |
|
| 100 |
|
| 101 |
> > $CAT/gentoo-master-keyring |
| 102 |
Interesting... Good idea :) |
| 103 |
|
| 104 |
I have also started setting up a known_seeds variable to be used |
| 105 |
similarly to layman's repositories.xml. It could be for keys known to |
| 106 |
us for non-dev commits to official overlays and such. But have not put |
| 107 |
much thought into it. At any rate the code will be there to handle it |
| 108 |
regardless if it comes into being or not. |
| 109 |
|
| 110 |
> > To ease the 1-year-updatability requirement, these three packages |
| 111 |
> > should explicitly be signed by the master key (and not a dev key), |
| 112 |
> > which has a much longer validity. This would always enable you to |
| 113 |
> > rsync, install the latest gentoo-dev-keyring, and then install other |
| 114 |
> > packages thereafter. |
| 115 |
> I think this is a great idea, BUT, we would need to handle "the latest |
| 116 |
> gentoo-dev-keyring" like portage updates used to be handled. If there |
| 117 |
> is an update, warn the user, and if gentoo-dev-keyring is in the update |
| 118 |
> list it *must* be merged first. Again, these implementation details |
| 119 |
> don't necessarily have to be in the glep, but we need to make sure as we |
| 120 |
> go through that we account for such things. My day job is pretty much |
| 121 |
> running man in the middle on things and laughing at the result, so I'm |
| 122 |
> super excited to see all this hard work going in. |
| 123 |
> |
| 124 |
> > - layman keyrings: |
| 125 |
> > dolsen is also working on allowing overlays to specify keyrings in the |
| 126 |
> > repositories.xml; there's a few unanswered questions about how to |
| 127 |
> > ensure nobody does MITM attacks on those keyrings (either convince the |
| 128 |
> > overlays admins to change the URL to the keyring, or simply intercept |
| 129 |
> > requests for the keyring itself). This maps to how Ubuntu's Launchpad |
| 130 |
> > handles keys for PPAs. |
| 131 |
> |
| 132 |
> It is really tough to bootstrap things like this. honestly I would |
| 133 |
> suggest that this is good enough and overlay maintainers who really care |
| 134 |
> can post things on their website to help further manual verification. |
| 135 |
> Not that we should ignore issues here, but I wouldn't spend dozens of |
| 136 |
> hours trying to figure out how we secure overlays full of non-gentoo |
| 137 |
> official content. For the official ones we can sign their key with the |
| 138 |
> master key and that should take care of any trust issues. |
| 139 |
|
| 140 |
The fingerprint for the overlay's signed seed file could be added to |
| 141 |
repositories.xml which is controlled by gentoo devs and signed by the |
| 142 |
master key. That should take care of our end of it. Of course the user |
| 143 |
must take responsibility for installing and using the overlay ebuilds in |
| 144 |
the first place, so we can not offer any guarantees as to the validity |
| 145 |
of the overlay and the keys it offers unless it is an official overlay. |
| 146 |
For that use case any non-dev's must supply an equivalent of a dev's gpg |
| 147 |
signing key, following the same rules as dev's for it. It is those keys |
| 148 |
which we may have to create a central repo for, since they will not have |
| 149 |
a dev.g.o account to store them in (if that is the route taken). |
| 150 |
|
| 151 |
> > |
| 152 |
> > TODO: |
| 153 |
> > We need a way for a given repo, once installed, to specify what keyrings |
| 154 |
> > to use for validation. I'm thinking of adding it to |
| 155 |
> > metadata/layout.conf. |
| 156 |
> > The main gentoo-x86 repo would have for example: |
| 157 |
> > keyrings = gentoo-master gentoo-releng gentoo-dev |
| 158 |
> > |
| 159 |
> > Overlays might have: |
| 160 |
> > keyrings = gentoo-overlay-mysql |
| 161 |
> > |
| 162 |
> Love it. This should probably make it into the glep. |
| 163 |
> |
| 164 |
> Thanks, |
| 165 |
> Zero |
| 166 |
|
| 167 |
|
| 168 |
Sounds good to me. |
| 169 |
|
| 170 |
P.S. OH my, this turned out to be along reply :/ |
| 171 |
But I hope it clears up any questions people may have about it. |
| 172 |
It is a work in progress... |
| 173 |
-- |
| 174 |
Brian Dolbec <dolsen@g.o> |
Archives