| 1 |
Marius Mauch writes: |
| 2 |
|
| 3 |
>> (1) Run "find /usr/portage -type f | xargs sha1sum -b" |
| 4 |
>> on the Gentoo main system. |
| 5 |
|
| 6 |
> What's the 'Gentoo main system'? |
| 7 |
|
| 8 |
The one that carries the authoritative portage tree which |
| 9 |
the secondary systems mirror. |
| 10 |
|
| 11 |
|
| 12 |
>> (2) Sign the output with GPG. |
| 13 |
|
| 14 |
> Who does that? |
| 15 |
|
| 16 |
A script? I already commented on the problem of entering the |
| 17 |
pass phrase, so I won't repeat it. |
| 18 |
|
| 19 |
|
| 20 |
> Basically we do that already with Manifests, just that |
| 21 |
> they don't cover the whole tree (yet). |
| 22 |
|
| 23 |
Right. And the fact that they don't cover the whole tree is |
| 24 |
exactly the problem I am talking about. |
| 25 |
|
| 26 |
|
| 27 |
> signing of eclasses/profiles isn't done because of policy |
| 28 |
> details |
| 29 |
|
| 30 |
How long do you estimate will it take to get these problems |
| 31 |
sorted out? |
| 32 |
|
| 33 |
|
| 34 |
> But signature verification is a completely different |
| 35 |
> beast. |
| 36 |
|
| 37 |
The signatures have to be verified manually anyway, at least |
| 38 |
initially. So I am fine with Portage not doing it for me as |
| 39 |
long as the signatures _exist_. |
| 40 |
|
| 41 |
|
| 42 |
> You want to make a huge list with checksums for all files |
| 43 |
> and then sign that file. The major problem is that a) |
| 44 |
> this list would have to be regenerated at every commit or |
| 45 |
> at least each rsync update, |
| 46 |
|
| 47 |
You can use the CVSROOT/* hooks to regenerate only the |
| 48 |
hashes for those files that have actually changed. And that |
| 49 |
"huge" file is more like 7 MB. |
| 50 |
|
| 51 |
|
| 52 |
> b) signing would have to be automated which is pretty |
| 53 |
> much a no-go |
| 54 |
|
| 55 |
It is a lot better than not signing at all, IMHO. I also |
| 56 |
commented on this before, so I won't repeat it. |
| 57 |
|
| 58 |
|
| 59 |
> c) it would have to be done on the cvs server or the |
| 60 |
> master rsync mirror, both are AFAIK already pretty loaded |
| 61 |
> boxes. |
| 62 |
|
| 63 |
Hashes can be regenerated incrementally; creating the |
| 64 |
signature takes less than a second. Any decent system should |
| 65 |
be able to survive that, IMHO. Should this turn out to be |
| 66 |
absolutely *impossible*, then I guess you'll need a hardware |
| 67 |
upgrade no matter what kind of authentication scheme you |
| 68 |
would like to implement. |
| 69 |
|
| 70 |
|
| 71 |
> the rsync update interval is 30 minutes and other actions |
| 72 |
> have to be performed in that window that probably |
| 73 |
> interfere with the checksum generation. |
| 74 |
|
| 75 |
On my machine, which is not very fast at all, the entire |
| 76 |
hash file can be regenerated from the scratch in about 4 |
| 77 |
minutes. So even if it takes 10 minutes on the Gentoo |
| 78 |
system, that still leaves plenty of time for the other |
| 79 |
tasks. It does require some attention to detail that these |
| 80 |
processes don't interfere with each other, though. I guess |
| 81 |
one would have to _try_ it. |
| 82 |
|
| 83 |
Peter |
| 84 |
|
| 85 |
|
| 86 |
-- |
| 87 |
gentoo-security@g.o mailing list |
Archives