| 1 |
Kurt Lieber writes: |
| 2 |
|
| 3 |
>> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on |
| 4 |
>> the Gentoo main system. |
| 5 |
>> |
| 6 |
>> (2) Sign the output with GPG. |
| 7 |
>> |
| 8 |
>> (3) Put it into the portage tree. |
| 9 |
>> |
| 10 |
>> (4) If the user has GPG installed and has manually put the |
| 11 |
>> appropriate public key in some place _outside_ of the |
| 12 |
>> portage tree, have "emerge sync" verify that the |
| 13 |
>> signature is intact and all hashes hold. |
| 14 |
|
| 15 |
> Let's assume we implement the above steps. What does that |
| 16 |
> buy you? |
| 17 |
|
| 18 |
It makes it impossible to temper with the portage tree for |
| 19 |
everyone except those who have access to the secret key. |
| 20 |
This rules out ... |
| 21 |
|
| 22 |
(1) man-in-the-middle attacks over the network, |
| 23 |
|
| 24 |
(2) attacks from random mirror admins, |
| 25 |
|
| 26 |
(3) attacks from random Gentoo developers. |
| 27 |
|
| 28 |
Furthermore, if you have one GPG key per developer and |
| 29 |
authenticate those keys with another GPG key that's not |
| 30 |
available on a machine connected to the network, then you |
| 31 |
also have significantly more auditing capabilities than you |
| 32 |
have right now. |
| 33 |
|
| 34 |
|
| 35 |
> How do you know how many people have a copy of the |
| 36 |
> private key used to sign that data? |
| 37 |
|
| 38 |
The scheme doesn't protect me against a compromised GPG key. |
| 39 |
|
| 40 |
|
| 41 |
> How do you know what sort of passphrase is used on it? |
| 42 |
|
| 43 |
I do not know. Instead, I trust the Gentoo developers to |
| 44 |
choose a sensible one because I know you guys are really |
| 45 |
smart and capable technicians. |
| 46 |
|
| 47 |
|
| 48 |
> Most importantly, how do you know when to stop? At some |
| 49 |
> point, you're going to have to accept some level of risk. |
| 50 |
|
| 51 |
Sorry, but I always get nervous when I am talking about a |
| 52 |
very specific technical problem and people answer with very |
| 53 |
general, philosophical thoughts. I _know_ that I have to |
| 54 |
trust someone sooner or later. But let's keep the number of |
| 55 |
people I have to trust as small as possible. |
| 56 |
|
| 57 |
Right now, I have to trust the entire network. I don't know |
| 58 |
about others, but that's slightly above the level of risk I |
| 59 |
am willing to accept. |
| 60 |
|
| 61 |
Peter |
| 62 |
|
| 63 |
|
| 64 |
-- |
| 65 |
gentoo-security@g.o mailing list |
Archives