| 1 |
On Wed, Feb 18, 2009 at 11:27:41PM +0100, Robert Buchholz wrote: |
| 2 |
> On Wednesday 18 February 2009, Robin H. Johnson wrote: |
| 3 |
> > Using the converse, all files covered by AUX, DIST, MISC have GIT |
| 4 |
> > SHA1 commit ids. Explicitly performing a checksum on them is not |
| 5 |
> > needed, just extract it from Git. |
| 6 |
> These hashes would need to be regenerated for the rsync though, because |
| 7 |
> otherwise it does not provide integrity and this would make tree |
| 8 |
> signing impossible. Overlays would have to abandon the hashes though, |
| 9 |
> otherwise you'll get the same merge trouble again. |
| 10 |
On the git->rsync gateway: |
| 11 |
For non-distfiles: |
| 12 |
1. Extract SHA1 from Git |
| 13 |
2. Compare to actual file (Git does this implicitly, esp if you have |
| 14 |
signed Git commits, but you can check again if you want). |
| 15 |
3. Generate SHA256/RMD160/other. |
| 16 |
4. Append the full hash to Manifest. |
| 17 |
|
| 18 |
> It'll also ease attacks on distfiles when first mirroring them. |
| 19 |
Umm, no, you missed part of what I said. I noted that the newer |
| 20 |
Manifests in Git would contain the hashes for ONLY the distfiles, not |
| 21 |
for other files. Distfiles suffer zero reduction in security. |
| 22 |
The master box is NEVER generating the hash for a distfile. |
| 23 |
|
| 24 |
For distfiles: |
| 25 |
(server side) |
| 26 |
1. Full set of hashes (SHA1/SHA256/RMD160) is already in Manifest (in a |
| 27 |
GPG-signed Git commit). |
| 28 |
2. Verify the hash on mirroring the file |
| 29 |
(client side) |
| 30 |
3. Verify the hashes/distfile as normal. |
| 31 |
|
| 32 |
> hash and (2) only one box would need to be attacked via |
| 33 |
> man-in-the-middle, whereas it is currently two. |
| 34 |
Your count of needing to attack two boxes presently is wrong. Just pick |
| 35 |
some community rsyncNN.CC.gentoo.org that also hosts distfiles via |
| 36 |
HTTP/FTP, and attack that box, replacing both a Manifest and the |
| 37 |
distfile. |
| 38 |
|
| 39 |
-- |
| 40 |
Robin Hugh Johnson |
| 41 |
Gentoo Linux Developer & Infra Guy |
| 42 |
E-Mail : robbat2@g.o |
| 43 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives