| 1 |
Kurt Lieber writes: |
| 2 |
|
| 3 |
> I can easily use the same flawed logic and say, "well, |
| 4 |
> none of our users ever bothered to submit patches to |
| 5 |
> portage to implement GPG signing, so it must not be |
| 6 |
> important to them." |
| 7 |
|
| 8 |
I think it is important to stress that everybody is on the |
| 9 |
same side here. The important thing right now is how to |
| 10 |
_fix_ this problem. As I see it, the simplest possible |
| 11 |
solution is this: |
| 12 |
|
| 13 |
(1) Run "find /usr/portage -type f | xargs sha1sum -b" on |
| 14 |
the Gentoo main system. |
| 15 |
|
| 16 |
(2) Sign the output with GPG. |
| 17 |
|
| 18 |
(3) Put it into the portage tree. |
| 19 |
|
| 20 |
(4) If the user has GPG installed and has manually put the |
| 21 |
appropriate public key in some place _outside_ of the |
| 22 |
portage tree, have "emerge sync" verify that the |
| 23 |
signature is intact and all hashes hold. |
| 24 |
|
| 25 |
Done. |
| 26 |
|
| 27 |
This is by no means perfect, obviously. But even if it means |
| 28 |
that a dozen people have access to the secret key that |
| 29 |
generates the signature, it is still a lot better than the |
| 30 |
current situation. |
| 31 |
|
| 32 |
Peter |
| 33 |
|
| 34 |
|
| 35 |
-- |
| 36 |
gentoo-security@g.o mailing list |
Archives