| 1 |
Finally, a message I can fully agree with. |
| 2 |
|
| 3 |
As there is a quick and dirty solution to improve the situation -- even |
| 4 |
with the understanding that it is not the "best" or "ideal" solution -- |
| 5 |
I would encourage the gentoo devs to implement it. It really doesn't |
| 6 |
seem like rocket science. |
| 7 |
|
| 8 |
I do consider it a significant problem that I cannot accurately verify |
| 9 |
that everything in my portage tree came from a trusted source. Agreed, |
| 10 |
MOTM attacks are not common. However, it would seem important to have |
| 11 |
some sort of "audit trail" to verify that portage is what it's supposed |
| 12 |
to be. Not only is this good proactive security, but it might also |
| 13 |
prove useful in tracking the source of some security problem. |
| 14 |
|
| 15 |
An interim signing solution, as mentioned already in this list, would |
| 16 |
provide at least a mechanism (maybe not a great one, but one |
| 17 |
nonetheless) by which a user can verify that the files downloaded to his |
| 18 |
gentoo machine are those the developers intended to distribute. |
| 19 |
|
| 20 |
I trust the devs implicitly, but I do not trust, nor can I control, most |
| 21 |
of the points between them and me. |
| 22 |
|
| 23 |
I think ultimately the existing plan, to implement full gpg signing of |
| 24 |
each file in portage, is definitely the way to go. In the meantime, |
| 25 |
while the infrastructure is laid for the superior, longterm proposal, |
| 26 |
why not spend an hour to provide an interim, if not ideal, solution? |
| 27 |
|
| 28 |
Devs, what have you to lose by helping us do this? I don't think I |
| 29 |
understand the resistance, outside of the emotional reaction triggered |
| 30 |
by this thread's initiator. |
| 31 |
|
| 32 |
|
| 33 |
My $.02. |
| 34 |
|
| 35 |
|
| 36 |
-C- |
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
Chris Frey wrote: |
| 42 |
|
| 43 |
>On Tue, Nov 09, 2004 at 09:05:41PM -0500, Denis Roy wrote: |
| 44 |
> |
| 45 |
> |
| 46 |
>>>not prompted the beginning of a new initiative in signing the tree |
| 47 |
>>> |
| 48 |
>>> |
| 49 |
>>because that was already underway. I very much doubt that it'll speed |
| 50 |
>>up the progress made on that initiative, because the main limiting |
| 51 |
>>factor is time. No matter what is said here, it's not going to make |
| 52 |
>>anybody go out and quit their jobs in order to get tree signing |
| 53 |
>>implemented quicker. |
| 54 |
>> |
| 55 |
>> |
| 56 |
> |
| 57 |
>The problem with phrasing it this way is that it implies there is only |
| 58 |
>one way to address this issue. It may be true that Gentoo has decided |
| 59 |
>on only one way to address the issue, but there are other ways to do it. |
| 60 |
> |
| 61 |
>The current development effort that is underway is not one that can be |
| 62 |
>implemented overnight, but there is a solution that manages to satisfy |
| 63 |
>the core needs of this thread that can be implemented overnight. |
| 64 |
> |
| 65 |
>The requirements are: |
| 66 |
> |
| 67 |
> * admin access on the main Gentoo server |
| 68 |
> * a cron job |
| 69 |
> * a GPG key on the server |
| 70 |
> * a script to do the heavy lifting |
| 71 |
> |
| 72 |
>Of those items, only the script can be written by us normal users, |
| 73 |
>in order to help out in the Open Source way. The people with admin |
| 74 |
>access to the main Gentoo server do not appear willing to install such |
| 75 |
>a script, even if someone else writes it. (And I'm sure Peter would |
| 76 |
>jump at the chance to write it, and practically has already, and I'd |
| 77 |
>definitely be willing to help.) |
| 78 |
> |
| 79 |
>I asked this before, and saw no response, so maybe it was missed in the |
| 80 |
>pile of messages. I'll ask again: |
| 81 |
> |
| 82 |
> If someone posted a working and self-tested script to this mailing |
| 83 |
> list, would Gentoo admins be willing to install it, provided it |
| 84 |
> passed the peer review on this list? (i.e. contained no glaring bugs) |
| 85 |
> |
| 86 |
>If the answer was yes, this thread would be over. |
| 87 |
> |
| 88 |
>- Chris |
| 89 |
> |
| 90 |
> |
| 91 |
>-- |
| 92 |
>gentoo-security@g.o mailing list |
| 93 |
> |
| 94 |
> |
| 95 |
> |
Archives