Marius Mauch writes:

>> (1) Run "find /usr/portage -type f | xargs sha1sum -b"
>> on the Gentoo main system.

> What's the 'Gentoo main system'?

The one that carries the authoritative portage tree which
the secondary systems mirror.


>> (2) Sign the output with GPG.

> Who does that?

A script? I already commented on the problem of entering the
pass phrase, so I won't repeat it.


> Basically we do that already with Manifests, just that
> they don't cover the whole tree (yet).

Right. And the fact that they don't cover the whole tree is
exactly the problem I am talking about.


> signing of eclasses/profiles isn't done because of policy
> details

How long do you estimate it will take to get these problems
sorted out?


> But signature verification is a completely different
> beast.

The signatures have to be verified manually anyway, at least
initially. So I am fine with Portage not doing it for me as
long as the signatures _exist_.


> You want to make a huge list with checksums for all files
> and then sign that file. The major problem is that a)
> this list would have to be regenerated at every commit or
> at least each rsync update,

You can use the CVSROOT/* hooks to regenerate only the
hashes for those files that have actually changed. And that
"huge" file is more like 7 MB.


> b) signing would have to be automated which is pretty
> much a no-go

It is a lot better than not signing at all, IMHO. I also
commented on this before, so I won't repeat it.


> c) it would have to be done on the cvs server or the
> master rsync mirror, both are AFAIK already pretty loaded
> boxes.

Hashes can be regenerated incrementally; creating the
signature takes less than a second. Any decent system should
be able to survive that, IMHO. Should this turn out to be
absolutely *impossible*, then I guess you'll need a hardware
upgrade no matter what kind of authentication scheme you
would like to implement.


> the rsync update interval is 30 minutes and other actions
> have to be performed in that window that probably
> interfere with the checksum generation.

On my machine, which is not very fast at all, the entire
hash file can be regenerated from scratch in about 4
minutes. So even if it takes 10 minutes on the Gentoo
system, that still leaves plenty of time for the other
tasks. It does require some attention to detail that these
processes don't interfere with each other, though. I guess
one would have to _try_ it.

Peter


--
gentoo-security@g.o mailing list
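The "hash list plus signature" scheme argued over in this message, written out as an added example that is not code from the thread or from Gentoo: a full `sha1sum` manifest of a tree, an incremental regeneration that rehashes only changed, new or deleted files, and the receiving side's check of the tree against the manifest. The thread's `find | xargs sha1sum -b` is replaced by `find -exec sha1sum -b {} +` so that paths with spaces survive, and `find -newer manifest` stands in for the list of changed files a CVSROOT hook would hand over (the hook knows what changed; mtime only approximates it). GNU coreutils/findutils, absolute manifest paths and the sample tree are all assumptions of the demo; the `gpg` helpers need a key in the keyring and are defined but not called.

```shell
#!/bin/sh
# Added example (not from the thread): signed-manifest generation with
# incremental regeneration. Paths and the sample tree are constructed.
set -eu

# Full regeneration: one "<sha1> *<path>" line per regular file under $1,
# sorted by path so the manifest is deterministic across runs.
manifest_full() {        # $1 = tree dir, $2 = absolute manifest path
    ( cd "$1" && find . -type f -exec sha1sum -b {} + | LC_ALL=C sort -k2 ) > "$2"
}

# Incremental regeneration: rehash only files whose mtime is newer than the
# manifest (changed and new files), drop entries for deleted files, keep the
# rest as they are. Prints the number of files rehashed.
# Caveat: a change that preserves mtime (cp -p, rsync -t, deliberate tampering)
# is invisible to -newer, so a periodic manifest_full is still required.
manifest_update() {      # $1 = tree dir, $2 = absolute manifest path
    upd_tree=$1; upd_out=$2
    upd_changed=$(mktemp); upd_tmp=$(mktemp)
    ( cd "$upd_tree" && find . -type f -newer "$upd_out" ) > "$upd_changed"
    while IFS= read -r upd_line; do
        upd_path=${upd_line#* \*}                            # strip "<sha1> *"
        [ -f "$upd_tree/$upd_path" ] || continue             # deleted since last run
        grep -qxF -- "$upd_path" "$upd_changed" && continue  # will be rehashed below
        printf '%s\n' "$upd_line"
    done < "$upd_out" > "$upd_tmp"
    while IFS= read -r upd_path; do
        ( cd "$upd_tree" && sha1sum -b "$upd_path" )
    done < "$upd_changed" >> "$upd_tmp"
    LC_ALL=C sort -k2 "$upd_tmp" > "$upd_out"
    wc -l < "$upd_changed" | tr -d ' '
    rm -f "$upd_changed" "$upd_tmp"
}

# What the mirror's user does after the signature on the manifest checked out:
# sha1sum -c reads the manifest format directly. Returns 0 only if every file
# listed still hashes to its recorded value.
manifest_verify() {      # $1 = tree dir, $2 = absolute manifest path
    ( cd "$1" && sha1sum -c --quiet "$2" ) >/dev/null 2>&1
}

# Detached-signature GPG usage on the manifest itself (needs a key; not run here).
manifest_sign() {        # $1 = manifest path -> writes $1.asc
    gpg --armor --detach-sign --output "$1.asc" "$1"
}
manifest_check_sig() {   # $1 = manifest path; 0 = signature verifies
    gpg --verify "$1.asc" "$1"
}

# --- demo on a constructed tree ------------------------------------------
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/tree/app-misc/foo" "$demo_dir/tree/eclass"
printf 'DESCRIPTION="foo"\n' > "$demo_dir/tree/app-misc/foo/foo-1.ebuild"
printf '# eclass\n'          > "$demo_dir/tree/eclass/foo.eclass"
manifest_full "$demo_dir/tree" "$demo_dir/manifest.sha1"
sleep 1                      # mtime granularity: make the change clearly newer
printf '# eclass v2\n'       > "$demo_dir/tree/eclass/foo.eclass"
printf '<pkgmetadata/>\n'    > "$demo_dir/tree/app-misc/foo/metadata.xml"
echo "rehashed: $(manifest_update "$demo_dir/tree" "$demo_dir/manifest.sha1")"
manifest_verify "$demo_dir/tree" "$demo_dir/manifest.sha1" && echo "tree matches manifest"
rm -rf "$demo_dir"
```

The design point is the one Peter makes: the expensive part is hashing, and it is incremental, while the signature over the finished manifest is cheap. The mtime shortcut is where "attention to detail" comes in: anything that writes files without advancing mtime, or a tree change landing in the same second as the previous manifest, slips past `-newer`, so a hook-driven change list or a scheduled full run has to back it up.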