Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] SHA-1 has just been broken
Date: Tue, 28 Feb 2017 02:59:31
Message-Id: CAGfcS_nGNpBnMzfPvEhAX0ey2erN5e078UL2aDovKx7d57pmsw@mail.gmail.com
In Reply to: Re: [gentoo-user] SHA-1 has just been broken by Miroslav Rovis
On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
<miro.rovis@××××××××××××××.hr> wrote:
> Apologies for my not being able to reply sooner!
>
> On 170227-18:18+0300, Andrew Savchenko wrote:
>
>> > And via a new private big business, the Github. Giving over all users to
>> > big Github brother.
>>
>> ???
>> Github is entirely optional and is only for those who want to use it
>> (we have both users and devs willing so), but in no way anyone
>> demands its usage.
> Yeah! Still, it would be great if git was used in distributed way, and
> not from a central private business...
>

Git can pretty much ONLY be used in a distributed way. In the sync
workflow github is basically just a mirror. A lot of our mirrors are
run by private businesses, and nobody knows what OS they're even
hosted on, let alone whether the firmware and CPU microcode are FOSS
along with their hard drive firmware.

As far as distribution goes I think github is the wrong thing to worry
about. What you want is traceable signatures from dev to user. Once
you have that you can download from an NSA mirror and there shouldn't
be any risk. All a mirror does is replicate data, and if
modifications are detectable the worst they can do is a DoS.

Most of the concerns that people tend to have with github are that you
can become dependent on them for issue and pull request tracking and
then if they decide to pull the plug you lose all that data. We try
to minimize the use of these features and not make it a core part of
the dev workflow. But, we do use pull requests and in theory we could
lose those someday. The actual code itself gets pushed to the Gentoo
infra repo from a developer's box using plain old git after they've
inspected/tested/etc it. So, there isn't really any way for Github to
go injecting commits into the repositories we actually use. I guess
they could do it for anybody using our github mirrors on the
distribution side, but that's only because we don't have that all
locked down and the same issue applies with any other mirror (rsync,
etc). Again, you really need end-to-end signature checking to make
any of these things truly safe.

--
Rich
