Finally, a message I can fully agree with.

As there is a quick and dirty solution to improve the situation -- even
with the understanding that it is not the "best" or "ideal" solution --
I would encourage the gentoo devs to implement it. It really doesn't
seem like rocket science.

I do consider it a significant problem that I cannot accurately verify
that everything in my portage tree came from a trusted source. Agreed,
MOTM attacks are not common. However, it would seem important to have
some sort of "audit trail" to verify that portage is what it's supposed
to be. Not only is this good proactive security, but it might also
prove useful in tracking the source of some security problem.

An interim signing solution, as mentioned already in this list, would
provide at least a mechanism (maybe not a great one, but one
nonetheless) by which a user can verify that the files downloaded to his
gentoo machine are those the developers intended to distribute.

I trust the devs implicitly, but I do not trust, nor can I control, most
of the points between them and me.

I think ultimately the existing plan, to implement full gpg signing of
each file in portage, is definitely the way to go. In the meantime,
while the infrastructure is laid for the superior, long-term proposal,
why not spend an hour to provide an interim, if not ideal, solution?

Devs, what have you to lose by helping us do this? I don't think I
understand the resistance, outside of the emotional reaction triggered
by this thread's initiator.

My $.02.

-C-


Chris Frey wrote:

>On Tue, Nov 09, 2004 at 09:05:41PM -0500, Denis Roy wrote:
>
>>>not prompted the beginning of a new initiative in signing the tree
>>>
>>because that was already underway. I very much doubt that it'll speed
>>up the progress made on that initiative, because the main limiting
>>factor is time. No matter what is said here, it's not going to make
>>anybody go out and quit their jobs in order to get tree signing
>>implemented quicker.
>>
>
>The problem with phrasing it this way is that it implies there is only
>one way to address this issue. It may be true that Gentoo has decided
>on only one way to address the issue, but there are other ways to do it.
>
>The current development effort that is underway is not one that can be
>implemented overnight, but there is a solution that manages to satisfy
>the core needs of this thread that can be implemented overnight.
>
>The requirements are:
>
> * admin access on the main Gentoo server
> * a cron job
> * a GPG key on the server
> * a script to do the heavy lifting
>
>Of those items, only the script can be written by us normal users,
>in order to help out in the Open Source way. The people with admin
>access to the main Gentoo server do not appear willing to install such
>a script, even if someone else writes it. (And I'm sure Peter would
>jump at the chance to write it, and practically has already, and I'd
>definitely be willing to help.)
>
>I asked this before, and saw no response, so maybe it was missed in the
>pile of messages. I'll ask again:
>
> If someone posted a working and self-tested script to this mailing
> list, would Gentoo admins be willing to install it, provided it
> passed the peer review on this list? (i.e. contained no glaring bugs)
>
>If the answer was yes, this thread would be over.
>
>- Chris
>
>
>--
>gentoo-security@g.o mailing list
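The interim scheme Chris Frey outlines above (a script, a GPG key and a cron job on the server), worked through as an added example that is not part of this thread or of Gentoo's own tooling: the server builds a digest manifest of every file in the tree and detach-signs that one file; the user checks the signature, then every file against the manifest, so a modified, missing or injected file shows up. The manifest file name, the SHA-256 line format and the use of the server's default GPG key are assumptions of this example, and the two gpg wrappers need gpg installed.

```python
import hashlib
import os
import shutil
import subprocess
MANIFEST = "Manifest.interim"  # assumed file name for this example, not a Gentoo convention

def file_digest(path):
    """SHA-256 of one file, read in chunks so large files stay cheap on memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(tree):
    """Manifest text: one 'digest  relative/path' line per file in the tree, sorted."""
    lines = []
    for root, _, files in os.walk(tree):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), tree)
            if rel not in (MANIFEST, MANIFEST + ".asc"):  # never list itself
                lines.append(f"{file_digest(os.path.join(tree, rel))}  {rel}")
    return "\n".join(sorted(lines)) + "\n"

def parse_manifest(text):
    return {rel: digest for digest, rel in (l.split("  ", 1) for l in text.splitlines())}

def verify_tree(tree, manifest_text):
    """Compare the tree with a signature-checked manifest. Returns paths that were
    modified, are missing, or were added; all empty means the tree is as signed."""
    expected = parse_manifest(manifest_text)
    actual = parse_manifest(build_manifest(tree))
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "extra": sorted(p for p in actual if p not in expected),
    }

def sign_manifest(path):
    """Server side (the cron job): detached, armoured signature with the default key."""
    if shutil.which("gpg") is None:
        return False  # no gpg on this host; treat as a failed signing run
    subprocess.run(["gpg", "--batch", "--yes", "--armor", "--detach-sign", path], check=True)
    return True

def signature_ok(path):
    """User side: gpg --verify exits non-zero on a bad, missing or unknown-key signature."""
    return shutil.which("gpg") is not None and subprocess.run(
        ["gpg", "--batch", "--verify", path + ".asc", path]).returncode == 0
```

`gpg --verify` only succeeds if the server's public key is already in the user's keyring, and distributing that key out of band is the part this interim scheme leaves to the user.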