Kurt Lieber writes:

>> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on
>> the Gentoo main system.
>>
>> (2) Sign the output with GPG.
>>
>> (3) Put it into the portage tree.
>>
>> (4) If the user has GPG installed and has manually put the
>> appropriate public key in some place _outside_ of the
>> portage tree, have "emerge sync" verify that the
>> signature is intact and all hashes hold.

> Let's assume we implement the above steps. What does that
> buy you?

It makes it impossible to tamper with the portage tree for
everyone except those who have access to the secret key.
This rules out ...

(1) man-in-the-middle attacks over the network,

(2) attacks from random mirror admins,

(3) attacks from random Gentoo developers.

Furthermore, if you have one GPG key per developer and
authenticate those keys with another GPG key that's not
available on a machine connected to the network, then you
also have significantly more auditing capabilities than you
have right now.


> How do you know how many people have a copy of the
> private key used to sign that data?

The scheme doesn't protect me against a compromised GPG key.


> How do you know what sort of passphrase is used on it?

I do not know. Instead, I trust the Gentoo developers to
choose a sensible one because I know you guys are really
smart and capable technicians.


> Most importantly, how do you know when to stop? At some
> point, you're going to have to accept some level of risk.

Sorry, but I always get nervous when I am talking about a
very specific technical problem and people answer with very
general, philosophical thoughts. I _know_ that I have to
trust someone sooner or later. But let's keep the number of
people I have to trust as small as possible.

Right now, I have to trust the entire network. I don't know
about others, but that's slightly above the level of risk I
am willing to accept.

Peter


--
gentoo-security@g.o mailing list
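The hash half of the four steps quoted in the message above, as an added example that is not code from the thread or from Gentoo: it builds the list that "find /usr/portage -type f | xargs sha1sum -b" prints, checks a tree against it, and reports the one case "sha1sum -c" alone never notices, a file that is present in the tree but absent from the manifest (a signature over the manifest covers only what the manifest lists). The GPG half is a thin wrapper around "gpg --verify" using a keyring the user keeps outside the tree, as step (4) requires. The manifest file name Manifest.sha1, the keyring path, and the two sample ebuilds are assumptions made for the example.

```python
"""Signed hash manifest for a portage-style tree (added example, not code from
the thread or from Gentoo).  Steps (1) and (4) of the quoted proposal: build
the list `find ROOT -type f | xargs sha1sum -b` would print, and check a tree
against it.  The signature check is delegated to the real gpg binary."""
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Assumed names: the manifest and its detached signature are shipped inside the
# tree (step 3) and must be skipped when hashing, since a manifest cannot list
# its own hash.
MANIFEST_NAME = "Manifest.sha1"
IGNORE = {MANIFEST_NAME, MANIFEST_NAME + ".asc"}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_files(root):
    """Relative POSIX paths of every regular file under root, sorted so the
    manifest is reproducible, minus the manifest and its signature."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.name not in IGNORE)


def build_manifest(root):
    """Step (1): one line per file, '<40 hex> *<path>'.  The '*' is what
    sha1sum -b prints for binary mode, so `sha1sum -c Manifest.sha1` run from
    the tree root accepts this output unchanged."""
    root = Path(root)
    return "".join(f"{sha1_file(root / name)} *{name}\n" for name in tree_files(root))


def parse_manifest(text):
    """Accept both sha1sum forms, '<hex> *name' (binary) and '<hex>  name'
    (text).  Returns {path: hex}.  Filenames containing newlines or
    backslashes, which sha1sum escapes, are not handled here."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, rest = line.partition(" ")
        if not sep or len(digest) != 40 or rest[:1] not in ("*", " "):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[rest[1:]] = digest.lower()
    return entries


def verify_manifest(root, manifest_text):
    """Hash half of step (4).  Three failure classes, not one: a listed file
    whose hash changed, a listed file that is gone, and a file in the tree the
    manifest never mentions.  The last is the trap: the signature covers only
    the listed files, so an attacker on a mirror who merely *adds* an ebuild
    passes `sha1sum -c`."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    modified, missing = [], []
    for name, digest in expected.items():
        p = root / name
        if not p.is_file():
            missing.append(name)
        elif sha1_file(p) != digest:
            modified.append(name)
    unlisted = sorted(set(tree_files(root)) - set(expected))
    return {"ok": not (modified or missing or unlisted),
            "modified": sorted(modified), "missing": sorted(missing),
            "unlisted": unlisted}


def gpg_verify(manifest_path, sig_path, keyring):
    """Signature half of step (4): check the detached signature against a
    keyring the user installed outside the tree (assumed path, e.g.
    /etc/portage/gentoo-keyring.gpg), never against a key shipped in the tree,
    since whoever altered the tree could ship their own key too.  Call
    verify_manifest() only after this returns True.  Not run by demo()."""
    r = subprocess.run(["gpg", "--batch", "--no-default-keyring",
                        "--keyring", str(keyring),
                        "--verify", str(sig_path), str(manifest_path)],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def demo():
    """Constructed sample tree (two fake ebuilds, not real portage data):
    a clean check, then a mirror-side edit, deletion and addition."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app-misc").mkdir()
        (root / "app-misc/foo-1.0.ebuild").write_text("SRC_URI=http://example.invalid/foo-1.0.tar.gz\n")
        (root / "app-misc/bar-2.3.ebuild").write_text("SRC_URI=http://example.invalid/bar-2.3.tar.gz\n")
        manifest = build_manifest(root)
        (root / MANIFEST_NAME).write_text(manifest)   # step (3): ship it in the tree
        clean = verify_manifest(root, manifest)
        (root / "app-misc/foo-1.0.ebuild").write_text("SRC_URI=http://evil.invalid/foo-1.0.tar.gz\n")
        (root / "app-misc/bar-2.3.ebuild").unlink()
        (root / "app-misc/baz-0.1.ebuild").write_text("DEPEND=\n")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    m, c, t = demo()
    print(m, c, t, sep="\n")
```

The order matters on the client: gpg_verify() first, then verify_manifest(), and the keyring passed to gpg must have been installed by the user, not fetched during "emerge sync". As the message notes, none of this helps if the signing key itself is compromised; it only shrinks the set of parties who can alter what the client accepts.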