| 1 |
On 08 Nov 2004 18:17:19 +0100 |
| 2 |
Peter Simons <simons@××××.to> wrote: |
| 3 |
|
| 4 |
> Dan Margolis writes: |
| 5 |
> |
| 6 |
> > [the Gentoo security process is] designed solely to |
| 7 |
> > promote the absolute best security we can offer, never to |
| 8 |
> > save face or gain marketshare. |
| 9 |
> |
| 10 |
> Good. I have a proposal how to the security of the |
| 11 |
> distribution could be enhanced by a bit. I have posted it 4 |
| 12 |
> times by now. It would be way cool if the proposal would |
| 13 |
> find entry into the Gentoo security process so that a rather |
| 14 |
> fundamental problem in the distribution process can be |
| 15 |
> fixed. If there is a better way of doing things than what I |
| 16 |
> have suggested, then I am all ears. Doing nothing, however, |
| 17 |
> is not an answer I am prepared to accept and as of now I |
| 18 |
> have no indication that this problem is being solved or even |
| 19 |
> taken seriously. |
| 20 |
|
| 21 |
The problem is that your proposal doesn't work for Gentoo as it's way |
| 22 |
to centralized. You want to make a huge list with checksums for all |
| 23 |
files and then sign that file. The major problem is that a) this list |
| 24 |
would have to be regenerated at every commit or at least each rsync |
| 25 |
update, b) signing would have to be automated which is pretty much a |
| 26 |
no-go and c) it would have to be done on the cvs server or the master |
| 27 |
rsync mirror, both are AFAIK already pretty loaded boxes. FYI: the rsync |
| 28 |
update interval is 30 minutes and other actions have to be performed in |
| 29 |
that window that probably interfere with the checksum generation. |
| 30 |
|
| 31 |
Marius |
| 32 |
|
| 33 |
-- |
| 34 |
Public Key at http://www.genone.de/info/gpg-key.pub |
| 35 |
|
| 36 |
In the beginning, there was nothing. And God said, 'Let there be |
| 37 |
Light.' And there was still nothing, but you could see a bit better. |
Archives