| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 11/15/2013 02:37 PM, Robin H. Johnson wrote: |
| 5 |
> On Fri, Nov 15, 2013 at 01:51:32PM -0500, Rick "Zero_Chaos" Farina wrote: |
| 6 |
>> On 11/15/2013 01:23 AM, Robin H. Johnson wrote: |
| 7 |
>>> You crossed sections, but let's collapse both to: |
| 8 |
>>> |
| 9 |
>>> Bare minimum requirements: |
| 10 |
>>> 3. Key expiry: 6 months min, 3 years max. |
| 11 |
>>> Recommendations: |
| 12 |
>>> 4.1. Root key: 6 months min, 3 year max; |
| 13 |
>>> 4.2. Signing subkey: 3 months min, 1 year max; |
| 14 |
>>> 4.3. For both keys, expiry date should always be update at least 1 month before expiry. |
| 15 |
>> How are we planning on updating keys on user's systems to verify things? |
| 16 |
>> I only ask because 3 months on the signing key means whatever we do |
| 17 |
>> needs to happen *securely* every 3 months at most. So like, if we are |
| 18 |
>> pushing an ebuild with a keyring then we have to update it every 2 |
| 19 |
>> months so keys don't expire and then that would break if the user |
| 20 |
>> doesn't update every 3 months... Might be an issue as we try as a whole |
| 21 |
>> to keep systems updatable for 1 year. |
| 22 |
> So some more details regarding how we plan to deploy keys is probably |
| 23 |
> needed here. It was out of scope for the discussion about what keys |
| 24 |
> should look like. |
| 25 |
> |
| 26 |
> There are a few parts to it: |
| 27 |
> - gentoo-keys (lead by dolsen) |
| 28 |
> This is a mostly infra-level tool that takes the data in LDAP, does |
| 29 |
> validation, mixes in the keys from keyserver/homedir, and generates |
| 30 |
> keyrings. |
| 31 |
> - keyring packages: |
| 32 |
> Thus far, based on the Debian keyring model, where keyrings of trusted |
| 33 |
> keys are installed locally in /usr/share/keyrings/, and the package |
| 34 |
> manager (or other tools) looks there for validation. I've got a few |
| 35 |
> planned so far: |
| 36 |
> $CAT/gentoo-dev-keyring |
| 37 |
> $CAT/gentoo-releng-keyring |
| 38 |
> $CAT/gentoo-master-keyring |
| 39 |
> To ease the 1-year-updatability requirement, these three packages |
| 40 |
> should explicitly be signed by the master key (and not a dev key), |
| 41 |
> which has a much longer validity. This would always enable you to |
| 42 |
> rsync, install the latest gentoo-dev-keyring, and then install other |
| 43 |
> packages thereafter. |
| 44 |
I think this is a great idea, BUT, we would need to handle "the latest |
| 45 |
gentoo-dev-keyring" like portage updates used to be handled. If there |
| 46 |
is an update, warn the user, and if gentoo-dev-keyring is in the update |
| 47 |
list it *must* be merged first. Again, these implementation details |
| 48 |
don't necessarily have to be in the glep, but we need to make sure as we |
| 49 |
go through that we account for such things. My day job is pretty much |
| 50 |
running man in the middle on things and laughing at the result, so I'm |
| 51 |
super excited to see all this hard work going in. |
| 52 |
|
| 53 |
> - layman keyrings: |
| 54 |
> dolsen is also working on allowing overlays to specify keyrings in the |
| 55 |
> repositories.xml; there's a few unanswered questions about how to |
| 56 |
> ensure nobody does MITM attacks on those keyrings (either convince the |
| 57 |
> overlays admins to change the URL to the keyring, or simply intercept |
| 58 |
> requests for the keyring itself). This maps to how Ubuntu's Launchpad |
| 59 |
> handles keys for PPAs. |
| 60 |
|
| 61 |
It is really tough to bootstrap things like this. honestly I would |
| 62 |
suggest that this is good enough and overlay maintainers who really care |
| 63 |
can post things on their website to help further manual verification. |
| 64 |
Not that we should ignore issues here, but I wouldn't spend dozens of |
| 65 |
hours trying to figure out how we secure overlays full of non-gentoo |
| 66 |
official content. For the official ones we can sign their key with the |
| 67 |
master key and that should take care of any trust issues. |
| 68 |
> |
| 69 |
> TODO: |
| 70 |
> We need a way for a given repo, once installed, to specify what keyrings |
| 71 |
> to use for validation. I'm thinking of adding it to |
| 72 |
> metadata/layout.conf. |
| 73 |
> The main gentoo-x86 repo would have for example: |
| 74 |
> keyrings = gentoo-master gentoo-releng gentoo-dev |
| 75 |
> |
| 76 |
> Overlays might have: |
| 77 |
> keyrings = gentoo-overlay-mysql |
| 78 |
> |
| 79 |
Love it. This should probably make it into the glep. |
| 80 |
|
| 81 |
Thanks, |
| 82 |
Zero |
| 83 |
-----BEGIN PGP SIGNATURE----- |
| 84 |
Version: GnuPG v2.0.22 (GNU/Linux) |
| 85 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
| 86 |
|
| 87 |
iQIcBAEBAgAGBQJShpFdAAoJEKXdFCfdEflKtpQQALDKZfiVfSbRZJEg/fTEvpUo |
| 88 |
CpMl+h4zxNxZQV3sE5GTZyhFfTGQ+2B+leS4pxDFgKVSmu+bu6rzYGgU5+BdrvKt |
| 89 |
Vg6DrKe56HkmKu6kB28VuXVZ+euXPF0fyjcO/fr3ij1KvEdEz3ALea+GZ1dbEgr4 |
| 90 |
hD0XV6mKCQZ6qAnaSETpaQERgcXcw/6tgYGAhY4yy5Q+0ECEB6/fe3kWDeDuw0iK |
| 91 |
FyLkiawh6GilTmm8h2e5isFipGL+Wqwnqa0xeuJbD/2FlfZjnA3RzsE0vY5Snw4r |
| 92 |
9a3UoDHUtGcmNUn5S62iPJRPAzNu1EoYBwAVIMIX5qHmnTSZ+G04lHLeLLLDmr8b |
| 93 |
L/W470IP/MhqcKcrXHJlcHvOMDvEz5jxnbPdEcv6dB3FCzaIN6gC80B0sUKco+lU |
| 94 |
00Eq3qjneo58zQi01lMsu5LFx0lfL55w/Bb6uRb38RtUcxLgzrTTyLawzqM0KJNw |
| 95 |
ZxUX3KcTYHvIBj4ZLEffOmvEBNcIC4R9sDV8aD2ENPQvZt3IH3izCgSKKz7TiiaW |
| 96 |
4xmQJtgT8zGSLbuBfSap9wK2+JVSKro97plBxBUe4Ay1hVlYYINRYWusQqciIf3N |
| 97 |
KehGd7oAQa6f4QjsxrqknvAEPW9JpAFQRhphkzv+z942kCg4abDUVu8ltuseHDeX |
| 98 |
WiUnfhquOGimc8QeXXJx |
| 99 |
=UxX6 |
| 100 |
-----END PGP SIGNATURE----- |
Archives