| 1 |
@Rich thanks for taking the time to formulate that in-depth response. |
| 2 |
Appreciated. |
| 3 |
|
| 4 |
-d |
| 5 |
|
| 6 |
------ Original Message ------ |
| 7 |
From: "Rich Freeman" <rich0@g.o> |
| 8 |
To: gentoo-user@l.g.o |
| 9 |
Sent: 2018-07-06 14:20:54 |
| 10 |
Subject: Re: Re[4]: [gentoo-user] Re: Portage, git and shallow cloning |
| 11 |
|
| 12 |
>On Fri, Jul 6, 2018 at 7:57 AM Davyd McColl <davydm@×××××.com> wrote: |
| 13 |
>> |
| 14 |
>>@Rich: if I understand the process correctly, the same commits are |
| 15 |
>>pushed to infra and GitHub by the CI bot? |
| 16 |
>> |
| 17 |
> |
| 18 |
>I'm pretty sure the repos are identical (well, aside from whatever |
| 19 |
>order they're updated in). |
| 20 |
> |
| 21 |
>>I ask because prior to the GitHub incident, I didn't have signature |
| 22 |
>>verification enabled (I hadn't read about it and it didn't even occur |
| 23 |
>>to |
| 24 |
>>me). So my plan was to (whilst GitHub was being sorted out) switch to |
| 25 |
>>the gentoo git repo and enable verification and, once I'd seen that |
| 26 |
>>that |
| 27 |
>>was working (because I'd also seen intermediate emails on this list |
| 28 |
>>from |
| 29 |
>>people having issues getting signing keys working), perhaps switch |
| 30 |
>>back |
| 31 |
>>to GitHub to put less strain on the Gentoo servers. |
| 32 |
> |
| 33 |
>I never had issues with the signing keys, but git syncing works |
| 34 |
>differently from webrsync (which makes those threads a bit of a mess |
| 35 |
>as you have people offering advice to people using a different sync |
| 36 |
>method). It is probably best to view them as completely different |
| 37 |
>implementations, though I'm sure they have elements in common. |
| 38 |
> |
| 39 |
>Biggest issue with git signature verification is that right now it |
| 40 |
>will still do a full pull/checkout before verifying, which means that |
| 41 |
>if it fails you still have a bad /usr/portage (you get an error, but |
| 42 |
>that's it, and subsequent emerge commands will act on the bad repo). |
| 43 |
>For that reason alone it might be best to stick with infra's version |
| 44 |
>until the patch makes its way into release (the patch will do a fetch |
| 45 |
>and verify before it does a checkout, so while you might have bad git |
| 46 |
>commits in the history the actual contents of /usr/portage will be |
| 47 |
>known-good unless you go manually running git commands without doing |
| 48 |
>your own verification). |
| 49 |
> |
| 50 |
>Now, in the recent attack a git sync would still have been safe |
| 51 |
>because the attacker was dumb and did a force push, which will make |
| 52 |
>git complain loudly if you try to pull (unless you stick --force in |
| 53 |
>your pull, which probably isn't a great idea for scripts and portage |
| 54 |
>doesn't do this). But, that was just dumb luck because a smart |
| 55 |
>attacker would have rebased the nefarious commits so that they'd |
| 56 |
>seamlessly pull. Really the attack was more of a defacement than |
| 57 |
>anything as they made a bunch of mistakes that showed they weren't |
| 58 |
>very serious, but any wakeup call is worth acting on. |
| 59 |
> |
| 60 |
>>So if the same commits are just pushed to two remotes (gentoo and |
| 61 |
>>GitHub), then I should (in theory) be able to change my repo.conf |
| 62 |
>>settings, fiddle the remote in /usr/portage, and switch seamlessly |
| 63 |
>>from |
| 64 |
>>gentoo to GitHub? Alternatively, I could start with a clean |
| 65 |
>>/usr/portage |
| 66 |
>>again, once I'm happy that I have signature verification working on my |
| 67 |
>>machine. |
| 68 |
> |
| 69 |
>As far as I can tell if you edit the repo URL in repos.conf and |
| 70 |
>probably also .git/config it should just seamlessly work, but I |
| 71 |
>haven't tried it. Since it only accepts fast-forward pulls it |
| 72 |
>shouldn't do anything if the histories don't match. If you do a sync |
| 73 |
>immediately before/after the change maybe you'll find that one repo is |
| 74 |
>behind the other and you just won't get any updates until the new repo |
| 75 |
>catches up, but I don't think portage will revert anything (that is an |
| 76 |
>advantage of git - it has a concept of directionality, though it looks |
| 77 |
>like portage is looking to add support to prevent replay attacks with |
| 78 |
>rsync as well). |
| 79 |
> |
| 80 |
>>I do sync frequently (I'm a bit of an update enthusiast) -- at least |
| 81 |
>>once a week, though I prefer more often as I find that the longer I |
| 82 |
>>leave between syncs and world-updates, the more effort I have to |
| 83 |
>>overcome issues (few though they are). So git is a better fit for me, |
| 84 |
>>I |
| 85 |
>>think. |
| 86 |
> |
| 87 |
>Honestly, I think git is a good fit for a lot of Gentoo users. Yes, |
| 88 |
>it is different, but all the history/etc is the sort of thing I think |
| 89 |
>would appeal to many here. Also, git is something that is becoming |
| 90 |
>increasingly unavoidable, and mostly for reasons that have universal |
| 91 |
>appeal. Once you grok it you'll be using it everywhere. |
| 92 |
> |
| 93 |
>Security is obviously getting a renewed focus across the board, so I |
| 94 |
>think we'll see improvements no matter how you use Gentoo, ideally |
| 95 |
>using defaults (for whatever reason git sig checking isn't a default |
| 96 |
>today). Besides improving verification on the end-user side there is |
| 97 |
>also a lot of interest in improving security on the developer side, |
| 98 |
>and with infra (hardware tokens, maybe E2E signature checking, etc). |
| 99 |
>As usual this involves a certain amount of debate (authentication |
| 100 |
>isn't actually all that easy of a problem). |
| 101 |
> |
| 102 |
> |
| 103 |
>-- |
| 104 |
>Rich |
| 105 |
> |
Archives