| 1 |
On Mon, Nov 08, 2004 at 07:03:33PM +0100, Heiko Wundram wrote: |
| 2 |
> |
| 3 |
> 1. have a master "Gentoo" key, which is kept by the Gentoo RelEng, which only |
| 4 |
> signs other keys and a list of keys removed from circulation, no ebuilds. |
| 5 |
> 2. have each developer create a keypair for themselves, send their public key |
| 6 |
> to the RelEng via some form of _safe_ channel (this is important), and have |
| 7 |
> the RelEng send back the signed key to the developer. |
| 8 |
> 3. have each developer sign his/her packages with their own key. |
| 9 |
|
| 10 |
|
| 11 |
This is the right approach in my opinion. |
| 12 |
|
| 13 |
1 master key, that signs Gentoo dev keys. Keep it very secure, and make sure that isn't comprimised. |
| 14 |
Gentoo devs sign the ebuilds that they commit. |
| 15 |
|
| 16 |
It solves a problem - a big problem - namely authenticity and integrity of ebuilds from the gentoo developers machine to my machine. |
| 17 |
The method for getting the ebuilds to me doesn't have to change at all. |
| 18 |
|
| 19 |
It doesn't, and nothing can, stop a rogue developer, or the person that actually writes the application/package from tainting the package, although it would stop anyone changing the package **after** the ebuild was written. |
| 20 |
|
| 21 |
Maybe make all the current developer keys a part of the protage sync. |
| 22 |
|
| 23 |
|
| 24 |
I think everyone that has posted to this list is trying to help - we all want Gentoo to be as secure as it can be. We all have to trust someone eventually. Signed ebuilds would mean that we didn't need to trust any part of the infrastructure from the Gentoo developer machines to our machines. |
| 25 |
|
| 26 |
|
| 27 |
Calum |
| 28 |
|
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-security@g.o mailing list |
Archives