1 |
On 08 Nov 2004 18:17:19 +0100 |
2 |
Peter Simons <simons@××××.to> wrote: |
3 |
|
4 |
> Dan Margolis writes: |
5 |
> |
6 |
> > [the Gentoo security process is] designed solely to |
7 |
> > promote the absolute best security we can offer, never to |
8 |
> > save face or gain marketshare. |
9 |
> |
10 |
> Good. I have a proposal how to the security of the |
11 |
> distribution could be enhanced by a bit. I have posted it 4 |
12 |
> times by now. It would be way cool if the proposal would |
13 |
> find entry into the Gentoo security process so that a rather |
14 |
> fundamental problem in the distribution process can be |
15 |
> fixed. If there is a better way of doing things than what I |
16 |
> have suggested, then I am all ears. Doing nothing, however, |
17 |
> is not an answer I am prepared to accept and as of now I |
18 |
> have no indication that this problem is being solved or even |
19 |
> taken seriously. |
20 |
|
21 |
The problem is that your proposal doesn't work for Gentoo as it's way |
22 |
to centralized. You want to make a huge list with checksums for all |
23 |
files and then sign that file. The major problem is that a) this list |
24 |
would have to be regenerated at every commit or at least each rsync |
25 |
update, b) signing would have to be automated which is pretty much a |
26 |
no-go and c) it would have to be done on the cvs server or the master |
27 |
rsync mirror, both are AFAIK already pretty loaded boxes. FYI: the rsync |
28 |
update interval is 30 minutes and other actions have to be performed in |
29 |
that window that probably interfere with the checksum generation. |
30 |
|
31 |
Marius |
32 |
|
33 |
-- |
34 |
Public Key at http://www.genone.de/info/gpg-key.pub |
35 |
|
36 |
In the beginning, there was nothing. And God said, 'Let there be |
37 |
Light.' And there was still nothing, but you could see a bit better. |