-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/15/2013 02:37 PM, Robin H. Johnson wrote:
> On Fri, Nov 15, 2013 at 01:51:32PM -0500, Rick "Zero_Chaos" Farina wrote:
>> On 11/15/2013 01:23 AM, Robin H. Johnson wrote:
>>> You crossed sections, but let's collapse both to:
>>>
>>> Bare minimum requirements:
>>> 3. Key expiry: 6 months min, 3 years max.
>>> Recommendations:
>>> 4.1. Root key: 6 months min, 3 years max;
>>> 4.2. Signing subkey: 3 months min, 1 year max;
>>> 4.3. For both keys, the expiry date should always be updated at least 1 month before expiry.
>> How are we planning on updating keys on users' systems to verify things?
>> I only ask because 3 months on the signing key means whatever we do
>> needs to happen *securely* every 3 months at most. So like, if we are
>> pushing an ebuild with a keyring then we have to update it every 2
>> months so keys don't expire and then that would break if the user
>> doesn't update every 3 months... Might be an issue as we try as a whole
>> to keep systems updatable for 1 year.
> So some more details regarding how we plan to deploy keys are probably
> needed here. It was out of scope for the discussion about what keys
> should look like.
>
> There are a few parts to it:
> - gentoo-keys (led by dolsen)
> This is a mostly infra-level tool that takes the data in LDAP, does
> validation, mixes in the keys from keyserver/homedir, and generates
> keyrings.
> - keyring packages:
> Thus far, based on the Debian keyring model, where keyrings of trusted
> keys are installed locally in /usr/share/keyrings/, and the package
> manager (or other tools) looks there for validation. I've got a few
> planned so far:
> $CAT/gentoo-dev-keyring
> $CAT/gentoo-releng-keyring
> $CAT/gentoo-master-keyring
> To ease the 1-year-updatability requirement, these three packages
> should explicitly be signed by the master key (and not a dev key),
> which has a much longer validity. This would always enable you to
> rsync, install the latest gentoo-dev-keyring, and then install other
> packages thereafter.
I think this is a great idea, BUT, we would need to handle "the latest
gentoo-dev-keyring" like portage updates used to be handled. If there
is an update, warn the user, and if gentoo-dev-keyring is in the update
list it *must* be merged first. Again, these implementation details
don't necessarily have to be in the glep, but we need to make sure as we
go through that we account for such things. My day job is pretty much
running man in the middle on things and laughing at the result, so I'm
super excited to see all this hard work going in.

> - layman keyrings:
> dolsen is also working on allowing overlays to specify keyrings in the
> repositories.xml; there are a few unanswered questions about how to
> ensure nobody does MITM attacks on those keyrings (either convince the
> overlay admins to change the URL to the keyring, or simply intercept
> requests for the keyring itself). This maps to how Ubuntu's Launchpad
> handles keys for PPAs.

It is really tough to bootstrap things like this. Honestly, I would
suggest that this is good enough and overlay maintainers who really care
can post things on their website to help further manual verification.
Not that we should ignore issues here, but I wouldn't spend dozens of
hours trying to figure out how we secure overlays full of non-Gentoo
official content. For the official ones we can sign their key with the
master key and that should take care of any trust issues.
>
> TODO:
> We need a way for a given repo, once installed, to specify what keyrings
> to use for validation. I'm thinking of adding it to
> metadata/layout.conf.
> The main gentoo-x86 repo would have for example:
> keyrings = gentoo-master gentoo-releng gentoo-dev
>
> Overlays might have:
> keyrings = gentoo-overlay-mysql
>
Love it. This should probably make it into the glep.

Thanks,
Zero
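As an added example, not code from the thread or from the gentoo-keys project: a Python check that applies the expiry windows quoted above (root key 6 months to 3 years, signing subkey 3 months to 1 year, expiry pushed out at least 1 month before it is reached) to a `gpg --list-keys --with-colons` listing. The sample listing and its key IDs are constructed, and the day counts used for months and years are an assumption.

```python
# Added example (not Gentoo tooling): check keys against the expiry windows from
# the thread, reading `gpg --list-keys --with-colons` records (field 5 created,
# field 6 expires as epoch seconds, field 11 capabilities; 0-based indices).
from datetime import datetime, timezone

DAY = 86400
POLICY = {  # (min, max) lifetime; month/year lengths in days are an assumption
    "root": (182 * DAY, 3 * 365 * DAY),    # 6 months min, 3 years max
    "signing": (91 * DAY, 365 * DAY),      # 3 months min, 1 year max
}
RENEW_BEFORE = 30 * DAY  # expiry must be pushed out at least 1 month ahead

def parse_colons(text):
    # Yield (type, keyid, created, expires-or-None, caps) for pub/sub records.
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            yield f[0], f[4], int(f[5]), (int(f[6]) if f[6] else None), f[11]

def check_key(kind, keyid, created, expires, caps, now):
    # Root (primary) key and signing subkeys only; encryption/auth subkeys skip.
    role = "root" if kind == "pub" else "signing" if "s" in caps else None
    if role is None:
        return []
    if expires is None:
        return [f"{keyid}: {role} key has no expiry"]
    lo, hi = POLICY[role]
    findings = []
    if expires - created < lo:
        findings.append(f"{keyid}: {role} key lifetime below minimum")
    if expires - created > hi:
        findings.append(f"{keyid}: {role} key lifetime above maximum")
    if expires - now < RENEW_BEFORE:
        findings.append(f"{keyid}: {role} key expires within 1 month; renew")
    return findings

def audit(text, now):
    return [m for rec in parse_colons(text) for m in check_key(*rec, now)]

def ts(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed sample listing with placeholder key IDs; "now" is 2013-11-15.
NOW = ts(2013, 11, 15)
SAMPLE = "\n".join([
    f"pub:u:4096:1:AAAAAAAAAAAAAAAA:{ts(2013, 1, 1)}:{ts(2015, 1, 1)}::u:::scESC:",
    f"sub:u:4096:1:BBBBBBBBBBBBBBBB:{ts(2013, 1, 1)}:{ts(2013, 12, 1)}:::::s:",
    f"sub:u:4096:1:CCCCCCCCCCCCCCCC:{ts(2013, 1, 1)}::::::e:",
    f"pub:u:4096:1:DDDDDDDDDDDDDDDD:{ts(2013, 1, 1)}:{ts(2018, 1, 1)}::u:::scESC:",
])
```

Running `audit(SAMPLE, NOW)` flags the signing subkey that expires 16 days out and the root key with a 5-year lifetime, while the compliant root key and the encryption subkey produce no findings.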