1 |
Sorry for the html. Here's a more legible version of my last post: |
2 |
|
3 |
>Why not just take out those points in between? |
4 |
> |
5 |
>GENTOO_MIRRORS="http://gentoo.osuosl.org" emerge-webrsync |
6 |
> |
7 |
> |
8 |
|
9 |
Huh? How does this protect me from a potential MITM attack at my ISP, or |
10 |
on my neighbor's insecure wireless network, which my laptop is currently |
11 |
attached to? A simple traceroute shows sixteen hops between me and |
12 |
gentoo.osuosl.org. That's sixteen potential opportunities for nastiness. |
13 |
|
14 |
How can I even be sure that I am connecting to gentoo.osuosl.org, when |
15 |
rsync is completely anonymous, with no ssl, no certificate chain, |
16 |
nothing to verify the server's identity other than its rsync banner??? |
17 |
|
18 |
I might care less about about verifying the integrity of my portage |
19 |
tree, if I could at least be more certain of what server I'm connecting |
20 |
to! Having neither assurance is a bit unsettling on a production machine. |
21 |
|
22 |
>The portage |
23 |
>team would need to implement support for verifying the signature is valid. |
24 |
> |
25 |
No, they /need/ not, and should not. I would be _thrilled_ to just get a |
26 |
signature with my tree, that I can manually verify by firing up gpg. No |
27 |
portage support is necessary for this interim solution. We all know |
28 |
something better is in the works for portage. |
29 |
|
30 |
Work on portage should absolutely focus on the better, long-term, |
31 |
previously agreed-upon solution. |
32 |
|
33 |
If the devs can just sign the tree, I can verify that my portage is what |
34 |
the devs intended me to have, and the devs can continue working on the |
35 |
more polished approach. Work on the best solution moves forward, while |
36 |
those of us with heightened security needs (today!) can be more |
37 |
confident of the integrity of our portage trees. |
38 |
|
39 |
>The infrastructure team would have to do some careful planning and possibly |
40 |
>restructing of job control on the master rsync and cvs servers. |
41 |
> |
42 |
While there is surely some work in the area of job control, it has been |
43 |
pointed out already that the proposed solution is not terribly resource |
44 |
intensive. So unless gentoo's infrastructure is already severely |
45 |
stretched to the max (is it? how do i know?), I can't see how this is a |
46 |
huge obstacle. Is there an admin who can weigh in with an informed |
47 |
answer on this? Too much speculation on this point, not enough fact. |
48 |
|
49 |
>Following this would be plan of action for the case |
50 |
>that the all-powerful key is compromised. |
51 |
> |
52 |
Key management/security/policy is an issue that will need to be |
53 |
addressed regardless of the mechanics of any signing process, so I don't |
54 |
see how that is a blocker to this proposal. The idea of a master key is |
55 |
equally applicable (and optional) to both the proposal on this list, and |
56 |
the one currently under development. |
57 |
|
58 |
> Then there is also the up to six |
59 |
>month transition period between this solution and the solution that is |
60 |
>currently being implemented. |
61 |
> |
62 |
If portage support for this temporary hack is not implemented, there is |
63 |
clearly no six month transition period. Just that one day, those of us |
64 |
who have been manually verifying the signature will no longer need to do so. |
65 |
|
66 |
|
67 |
I must be misunderstanding something, because I still fail to see what |
68 |
is so terribly difficult or impractical about merely generating a |
69 |
signature file. Hell, this could already be done and implemented in the |
70 |
time we've all wasted on this stupid thread. |
71 |
|
72 |
No one is trying to derail or criticize or block the current |
73 |
implementation. We just want some basic assurances (now, today) that the |
74 |
scripts we're downloading are legitimately from the gentoo devs, who we |
75 |
trust. As it stands, we can verify neither the identity of the rsync |
76 |
server, nor the integrity of the portage tree we're downloading. That is |
77 |
indeed a problem. And it's one we can mitigate now, even if the best |
78 |
solution is still a ways off. |
79 |
|
80 |
|
81 |
Cheers, |
82 |
|
83 |
|
84 |
-C- |