| 1 |
Sorry for the html. Here's a more legible version of my last post: |
| 2 |
|
| 3 |
>Why not just take out those points in between? |
| 4 |
> |
| 5 |
>GENTOO_MIRRORS="http://gentoo.osuosl.org" emerge-webrsync |
| 6 |
> |
| 7 |
> |
| 8 |
|
| 9 |
Huh? How does this protect me from a potential MITM attack at my ISP, or |
| 10 |
on my neighbor's insecure wireless network, which my laptop is currently |
| 11 |
attached to? A simple traceroute shows sixteen hops between me and |
| 12 |
gentoo.osuosl.org. That's sixteen potential opportunities for nastiness. |
| 13 |
|
| 14 |
How can I even be sure that I am connecting to gentoo.osuosl.org, when |
| 15 |
rsync is completely anonymous, with no ssl, no certificate chain, |
| 16 |
nothing to verify the server's identity other than its rsync banner??? |
| 17 |
|
| 18 |
I might care less about about verifying the integrity of my portage |
| 19 |
tree, if I could at least be more certain of what server I'm connecting |
| 20 |
to! Having neither assurance is a bit unsettling on a production machine. |
| 21 |
|
| 22 |
>The portage |
| 23 |
>team would need to implement support for verifying the signature is valid. |
| 24 |
> |
| 25 |
No, they /need/ not, and should not. I would be _thrilled_ to just get a |
| 26 |
signature with my tree, that I can manually verify by firing up gpg. No |
| 27 |
portage support is necessary for this interim solution. We all know |
| 28 |
something better is in the works for portage. |
| 29 |
|
| 30 |
Work on portage should absolutely focus on the better, long-term, |
| 31 |
previously agreed-upon solution. |
| 32 |
|
| 33 |
If the devs can just sign the tree, I can verify that my portage is what |
| 34 |
the devs intended me to have, and the devs can continue working on the |
| 35 |
more polished approach. Work on the best solution moves forward, while |
| 36 |
those of us with heightened security needs (today!) can be more |
| 37 |
confident of the integrity of our portage trees. |
| 38 |
|
| 39 |
>The infrastructure team would have to do some careful planning and possibly |
| 40 |
>restructing of job control on the master rsync and cvs servers. |
| 41 |
> |
| 42 |
While there is surely some work in the area of job control, it has been |
| 43 |
pointed out already that the proposed solution is not terribly resource |
| 44 |
intensive. So unless gentoo's infrastructure is already severely |
| 45 |
stretched to the max (is it? how do i know?), I can't see how this is a |
| 46 |
huge obstacle. Is there an admin who can weigh in with an informed |
| 47 |
answer on this? Too much speculation on this point, not enough fact. |
| 48 |
|
| 49 |
>Following this would be plan of action for the case |
| 50 |
>that the all-powerful key is compromised. |
| 51 |
> |
| 52 |
Key management/security/policy is an issue that will need to be |
| 53 |
addressed regardless of the mechanics of any signing process, so I don't |
| 54 |
see how that is a blocker to this proposal. The idea of a master key is |
| 55 |
equally applicable (and optional) to both the proposal on this list, and |
| 56 |
the one currently under development. |
| 57 |
|
| 58 |
> Then there is also the up to six |
| 59 |
>month transition period between this solution and the solution that is |
| 60 |
>currently being implemented. |
| 61 |
> |
| 62 |
If portage support for this temporary hack is not implemented, there is |
| 63 |
clearly no six month transition period. Just that one day, those of us |
| 64 |
who have been manually verifying the signature will no longer need to do so. |
| 65 |
|
| 66 |
|
| 67 |
I must be misunderstanding something, because I still fail to see what |
| 68 |
is so terribly difficult or impractical about merely generating a |
| 69 |
signature file. Hell, this could already be done and implemented in the |
| 70 |
time we've all wasted on this stupid thread. |
| 71 |
|
| 72 |
No one is trying to derail or criticize or block the current |
| 73 |
implementation. We just want some basic assurances (now, today) that the |
| 74 |
scripts we're downloading are legitimately from the gentoo devs, who we |
| 75 |
trust. As it stands, we can verify neither the identity of the rsync |
| 76 |
server, nor the integrity of the portage tree we're downloading. That is |
| 77 |
indeed a problem. And it's one we can mitigate now, even if the best |
| 78 |
solution is still a ways off. |
| 79 |
|
| 80 |
|
| 81 |
Cheers, |
| 82 |
|
| 83 |
|
| 84 |
-C- |
Archives