1 |
@Rich thanks for taking the time to formulate that in-depth response. |
2 |
Appreciated. |
3 |
|
4 |
-d |
5 |
|
6 |
------ Original Message ------ |
7 |
From: "Rich Freeman" <rich0@g.o> |
8 |
To: gentoo-user@l.g.o |
9 |
Sent: 2018-07-06 14:20:54 |
10 |
Subject: Re: Re[4]: [gentoo-user] Re: Portage, git and shallow cloning |
11 |
|
12 |
>On Fri, Jul 6, 2018 at 7:57 AM Davyd McColl <davydm@×××××.com> wrote: |
13 |
>> |
14 |
>>@Rich: if I understand the process correctly, the same commits are |
15 |
>>pushed to infra and GitHub by the CI bot? |
16 |
>> |
17 |
> |
18 |
>I'm pretty sure the repos are identical (well, aside from whatever |
19 |
>order they're updated in). |
20 |
> |
21 |
>>I ask because prior to the GitHub incident, I didn't have signature |
22 |
>>verification enabled (I hadn't read about it and it didn't even occur |
23 |
>>to |
24 |
>>me). So my plan was to (whilst GitHub was being sorted out) switch to |
25 |
>>the gentoo git repo and enable verification and, once I'd seen that |
26 |
>>that |
27 |
>>was working (because I'd also seen intermediate emails on this list |
28 |
>>from |
29 |
>>people having issues getting signing keys working), perhaps switch |
30 |
>>back |
31 |
>>to GitHub to put less strain on the Gentoo servers. |
32 |
> |
33 |
>I never had issues with the signing keys, but git syncing works |
34 |
>differently from webrsync (which makes those threads a bit of a mess |
35 |
>as you have people offering advice to people using a different sync |
36 |
>method). It is probably best to view them as completely different |
37 |
>implementations, though I'm sure they have elements in common. |
38 |
> |
39 |
>Biggest issue with git signature verification is that right now it |
40 |
>will still do a full pull/checkout before verifying, which means that |
41 |
>if it fails you still have a bad /usr/portage (you get an error, but |
42 |
>that's it, and subsequent emerge commands will act on the bad repo). |
43 |
>For that reason alone it might be best to stick with infra's version |
44 |
>until the patch makes its way into release (the patch will do a fetch |
45 |
>and verify before it does a checkout, so while you might have bad git |
46 |
>commits in the history the actual contents of /usr/portage will be |
47 |
>known-good unless you go manually running git commands without doing |
48 |
>your own verification). |
49 |
> |
50 |
>Now, in the recent attack a git sync would still have been safe |
51 |
>because the attacker was dumb and did a force push, which will make |
52 |
>git complain loudly if you try to pull (unless you stick --force in |
53 |
>your pull, which probably isn't a great idea for scripts and portage |
54 |
>doesn't do this). But, that was just dumb luck because a smart |
55 |
>attacker would have rebased the nefarious commits so that they'd |
56 |
>seamlessly pull. Really the attack was more of a defacement than |
57 |
>anything as they made a bunch of mistakes that showed they weren't |
58 |
>very serious, but any wakeup call is worth acting on. |
59 |
> |
60 |
>>So if the same commits are just pushed to two remotes (gentoo and |
61 |
>>GitHub), then I should (in theory) be able to change my repo.conf |
62 |
>>settings, fiddle the remote in /usr/portage, and switch seamlessly |
63 |
>>from |
64 |
>>gentoo to GitHub? Alternatively, I could start with a clean |
65 |
>>/usr/portage |
66 |
>>again, once I'm happy that I have signature verification working on my |
67 |
>>machine. |
68 |
> |
69 |
>As far as I can tell if you edit the repo URL in repos.conf and |
70 |
>probably also .git/config it should just seamlessly work, but I |
71 |
>haven't tried it. Since it only accepts fast-forward pulls it |
72 |
>shouldn't do anything if the histories don't match. If you do a sync |
73 |
>immediately before/after the change maybe you'll find that one repo is |
74 |
>behind the other and you just won't get any updates until the new repo |
75 |
>catches up, but I don't think portage will revert anything (that is an |
76 |
>advantage of git - it has a concept of directionality, though it looks |
77 |
>like portage is looking to add support to prevent replay attacks with |
78 |
>rsync as well). |
79 |
> |
80 |
>>I do sync frequently (I'm a bit of an update enthusiast) -- at least |
81 |
>>once a week, though I prefer more often as I find that the longer I |
82 |
>>leave between syncs and world-updates, the more effort I have to |
83 |
>>overcome issues (few though they are). So git is a better fit for me, |
84 |
>>I |
85 |
>>think. |
86 |
> |
87 |
>Honestly, I think git is a good fit for a lot of Gentoo users. Yes, |
88 |
>it is different, but all the history/etc is the sort of thing I think |
89 |
>would appeal to many here. Also, git is something that is becoming |
90 |
>increasingly unavoidable, and mostly for reasons that have universal |
91 |
>appeal. Once you grok it you'll be using it everywhere. |
92 |
> |
93 |
>Security is obviously getting a renewed focus across the board, so I |
94 |
>think we'll see improvements no matter how you use Gentoo, ideally |
95 |
>using defaults (for whatever reason git sig checking isn't a default |
96 |
>today). Besides improving verification on the end-user side there is |
97 |
>also a lot of interest in improving security on the developer side, |
98 |
>and with infra (hardware tokens, maybe E2E signature checking, etc). |
99 |
>As usual this involves a certain amount of debate (authentication |
100 |
>isn't actually all that easy of a problem). |
101 |
> |
102 |
> |
103 |
>-- |
104 |
>Rich |
105 |
> |