On Fri, Nov 15, 2013 at 01:51:32PM -0500, Rick "Zero_Chaos" Farina wrote:
> On 11/15/2013 01:23 AM, Robin H. Johnson wrote:
> > You crossed sections, but let's collapse both to:
> >
> > Bare minimum requirements:
> > 3. Key expiry: 6 months min, 3 years max.
> > Recommendations:
> > 4.1. Root key: 6 months min, 3 years max;
> > 4.2. Signing subkey: 3 months min, 1 year max;
> > 4.3. For both keys, the expiry date should always be updated at least 1 month before expiry.
> How are we planning on updating keys on users' systems to verify things?
> I only ask because 3 months on the signing key means whatever we do
> needs to happen *securely* every 3 months at most. So like, if we are
> pushing an ebuild with a keyring then we have to update it every 2
> months so keys don't expire and then that would break if the user
> doesn't update every 3 months... Might be an issue as we try as a whole
> to keep systems updatable for 1 year.
So some more details regarding how we plan to deploy keys are probably
needed here. It was out of scope for the discussion about what keys
should look like.

There are a few parts to it:
- gentoo-keys (led by dolsen)
This is a mostly infra-level tool that takes the data in LDAP, does
validation, mixes in the keys from keyserver/homedir, and generates
keyrings.
- keyring packages:
Thus far, based on the Debian keyring model, where keyrings of trusted
keys are installed locally in /usr/share/keyrings/, and the package
manager (or other tools) looks there for validation. I've got a few
planned so far:
$CAT/gentoo-dev-keyring
$CAT/gentoo-releng-keyring
$CAT/gentoo-master-keyring
To ease the 1-year-updatability requirement, these three packages
should explicitly be signed by the master key (and not a dev key),
which has a much longer validity. This would always enable you to
rsync, install the latest gentoo-dev-keyring, and then install other
packages thereafter.
- layman keyrings:
dolsen is also working on allowing overlays to specify keyrings in the
repositories.xml; there are a few unanswered questions about how to
ensure nobody does MITM attacks on those keyrings (either convince the
overlay admins to change the URL to the keyring, or simply intercept
requests for the keyring itself). This maps to how Ubuntu's Launchpad
handles keys for PPAs.

TODO:
We need a way for a given repo, once installed, to specify what keyrings
to use for validation. I'm thinking of adding it to
metadata/layout.conf.
The main gentoo-x86 repo would have for example:
keyrings = gentoo-master gentoo-releng gentoo-dev

Overlays might have:
keyrings = gentoo-overlay-mysql

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
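The two concrete proposals in the mail above, the expiry policy for root keys and signing subkeys and the `keyrings = ...` setting in metadata/layout.conf resolved against /usr/share/keyrings/, can be shown together in a short worked example. The code below is an added illustration written for this page; it is not code from the thread, from gentoo-keys, or from Portage. The keyring file naming (`<name>-keyring.gpg`), the function names, the use of calendar-day approximations for "month" and "year", and the sample layout.conf text are all assumptions made for the example.

```python
"""Added example, not the project's own code.

Two pieces that the mail describes but does not implement:
  1. resolve a repository's `keyrings = ...` line (proposed for
     metadata/layout.conf) to keyring files under /usr/share/keyrings/ and
     build a gpg invocation that trusts only those keyrings;
  2. check a key's validity window against the expiry policy quoted in
     the thread (root: 6 months..3 years; signing subkey: 3 months..1 year;
     renew at least 1 month before expiry).
"""
from datetime import date

KEYRING_DIR = "/usr/share/keyrings"        # location named in the mail

# Policy from the thread, approximated in days (assumption: 1 month ~ 30 days).
POLICY = {
    "root":    {"min_days": 6 * 30, "max_days": 3 * 365},
    "signing": {"min_days": 3 * 30, "max_days": 365},
}
RENEW_BEFORE_DAYS = 30   # 4.3: update expiry >= 1 month before it is reached


def parse_layout_conf(text):
    """Return the keyring names listed on the `keyrings =` line of a
    layout.conf body.  Comments (#) and unrelated keys are ignored; an
    absent line yields an empty list."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "keyrings":
            return value.split()
    return []


def keyring_paths(names, keyring_dir=KEYRING_DIR):
    """Map keyring names to files.  File naming is an assumption:
    /usr/share/keyrings/<name>-keyring.gpg"""
    return [f"{keyring_dir}/{name}-keyring.gpg" for name in names]


def gpg_verify_argv(names, sig_path, data_path):
    """argv for verifying a detached signature with gpg, restricted to the
    repo's keyrings.  --no-default-keyring keeps gpg from also consulting
    the user's own pubring, so only the explicitly listed trust roots count."""
    argv = ["gpg", "--no-default-keyring"]
    for path in keyring_paths(names):
        argv += ["--keyring", path]
    argv += ["--verify", sig_path, data_path]
    return argv


def check_expiry(kind, created, expires, today):
    """Return a list of policy violations for a key of `kind`
    ('root' or 'signing'); an empty list means the key is compliant."""
    rule = POLICY[kind]
    problems = []
    lifetime = (expires - created).days
    if lifetime < rule["min_days"]:
        problems.append("lifetime below minimum")
    if lifetime > rule["max_days"]:
        problems.append("lifetime above maximum")
    if expires <= today:
        problems.append("expired")
    elif (expires - today).days < RENEW_BEFORE_DAYS:
        problems.append("renewal overdue")
    return problems


# Constructed sample layout.conf body, modelled on the line in the mail.
SAMPLE_LAYOUT_CONF = """\
# metadata/layout.conf (constructed sample)
masters = gentoo
keyrings = gentoo-master gentoo-releng gentoo-dev
"""

if __name__ == "__main__":
    names = parse_layout_conf(SAMPLE_LAYOUT_CONF)
    print(" ".join(gpg_verify_argv(names, "Manifest.sig", "Manifest")))
    today = date(2013, 11, 15)
    print(check_expiry("signing", date(2013, 11, 1), date(2014, 5, 1), today))
    print(check_expiry("root", date(2013, 6, 1), date(2013, 12, 1), today))
```

The verify command is built, not executed, so the example runs without gpg installed; in a real client the argv would be handed to subprocess and the exit status checked. The expiry check is the piece a keyring-package maintainer could run before each release to catch a key whose renewal is about to slip past the 1-month lead time the thread asks for.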