On 02/28/2017 12:05 PM, Miroslav Rovis wrote:

> On 170227-21:59-0500, Rich Freeman wrote:
>> On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
>> <miro.rovis@××××××××××××××.hr> wrote:
>>> Apologies for my not being able to reply sooner!
>>>
>>> On 170227-18:18+0300, Andrew Savchenko wrote:
>>>
>>>>> And via a new private big business, the Github. Giving over all users to
>>>>> big Github brother.
>>>> ???
>>>> Github is entirely optional and is only for those who want to use it
>>>> (we have both users and devs willing so), but in no way anyone
>>>> demands its usage.
>>> Yeah! Still, it would be great if git was used in a distributed way, and
>>> not from a central private business...
>>>
>> Git can pretty-much ONLY be used in a distributed way.
> Correct, in that sense. But I didn't express clearly what I meant.
>
> I really meant in this sense (invented quotations in this paragraph):
>> Git was intended for everyone to run their own little git server and
>> pull from each other. Git was NOT invented for centralized commercial
>> social networking clouds such as github!
> That was from:
> https://wiki.gentoo.org/wiki/Overlay:Youbroketheinternet
>
>> In the sync
>> workflow github is basically just a mirror. A lot of our mirrors are
>> run by private businesses, and nobody knows what OS they're even
>> hosted on, let alone whether the firmware and CPU microcode are FOSS
>> along with their hard drive firmware.
> I understand that. And I support any honest business. What I hate is
> examples like Google, Oracle, Microsoft, IBM is a little more honest, I
> think... The few at the control of those ruined so much in computing and
> the internet.
>
> GNU and FOSS, to a lesser extent OSi, are good, even beautiful, socially
> and philosophically.
>
>> As far as distribution goes I think github is the wrong thing to worry
>> about. What you want is traceable signatures from dev to user. Once
>> you have that you can download from an NSA mirror and there shouldn't
>> be any risk. All a mirror does is replicate data, and if
>> modifications are detectable the worst they can do is a DoS.
> I see.
>> Most of the concerns that people tend to have with github is that you
>> can become dependent on them for issue and pull request tracking and
>> then if they decide to pull the plug you lose all that data. We try
>> to minimize the use of these features and not make it a core part of
>> the dev workflow.
> Good practice!
>
>> But, we do use pull requests and in theory we could
>> lose those someday. The actual code itself gets pushed to the Gentoo
>> infra Repo from a developer's box using plain old git after they've
>> inspected/tested/etc it. So, there isn't really any way for Github to
>> go injecting commits into the repositories we actually use. I guess
>> they could do it for anybody using our github mirrors on the
>> distribution side, but that's only because we don't have that all
>> locked down and the same issue applies with any other mirror (rsync,
>> etc). Again, you really need end-to-end signature checking to make
>> any of these things truly safe.
> Absolutely! I did figure that out since long!
>> --
>> Rich
>>
> And what I've spent some time doing today, is figuring out about the
> info that I finally got from you people!
>
> About time! My rattling was all about whether there was or wasn't a way
> to do what is still in the title of that mail that I linked to, and gave
> Message-ID of, to do this:
>
> Is it safe to switch from webrsync to the git repo now?
>
> And finally Andrew Savchenko pointed me to gkeys !
>
> Here's the answer to my query (ah, just the beginning of, my
> implementation of it will take time):
>
> emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen
>
> # equery f gkeys-gen
> ...
> /usr/share/doc/gkeys-gen-0.2/README.md.bz2
> ...
>
> (
> NOTE: The:
> /usr/share/doc/gkeys-0.2/README.md.bz2
> of the gkeys package is identical.
> )
>
> # bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2
>
> Gentoo Keys
> -----------
>
> ### About
>
> Gentoo Keys is a Python based project that aims to manage the GPG keys used
> for validation on users and Gentoo's infrastructure servers. Gentoo Keys will be able
> to verify GPG keys used for Gentoo's release media, such as installation CD's,
> Live DVD's, packages and other GPG signed documents. It will also be used by
> Gentoo infrastructure to achieve GPG signed git commits in the forthcoming git
> migration of the main CVS tree.
>
> ### License
>
> Gentoo Keys is under GPL-2 License
> #
>
> But do I read this correctly?:
>
> ...Gentoo Keys will be able
> to verify GPG keys used for Gentoo's release media, such as installation CD's,
> Live DVD's, packages and other GPG signed documents.
>
> Again, about this (syntactical) object (in the sentence), with other
> objects removed:
>
> ...Gentoo Keys will be able
> to verify GPG keys used for ...
> ... packages...
>
> Does that mean what I read? That with gkeys any user will be able to get
> packages via git, and somehow automatically gpg --verify the signature of
> each package that (s)he got when (s)he, say:
>
> emerge -tuDN world
>
> ?
>
> Does that mean that?
>
> And then, to achieve true verifiability in the open (machine connected
> to online, and doing emerge'ing), you know what is still left to be
> done? This:
>
> Write TLS session keys to $SSLKEYLOGFILE #11614
> https://github.com/rg3/youtube-dl/issues/11614#issuecomment-271064602
>
> ( of course, apply that to git, just the way it has been, and that's so
> beautiful to me, applied to wget, kudos to wget maintainer Giuseppe
> Scrivano! IIRC his name )
>
> There's no encryption on me, behind my back, in my machine that I can
> allow and believe it's fine. No way. It must be allowed by me, asked of
> me, and decryptable for me!
>
> ( I decided to go without dbus in my life after this happened, behind my
> back, with my Debian installation:
>
> How to avoid stealth installation of systemd?
> http://forums.debian.net/viewtopic.php?f=20&t=116770&start=45#p552566
>
> PASTING, so readers get a feel about it:
>
> $ ps aux | grep ssh
> root 2184 0.0 0.0 54976 1004 ? Ss Sep06 0:00 /usr/sbin/sshd
> mr 2447 0.0 0.0 10592 32 ? Ss Sep06 0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager
> mr 15141 0.0 0.0 19980 1796 pts/9 S+ 21:48 0:00 grep ssh
>
> PASTED.
> )
>
> But, I already spent on this more than I can if I am not to lose track
> on other things that I'm now doing (related to virtualization). Will
> have to leave this issue very soon now, else I'll have to go over from
> scratch in that other work...
>
> Thanks, Rich!
>
> So, do I read those gkeys/gkeys-gen READMEs correctly?
>
> Regards!
>
It is possible to have a reasonably secure system where the hard drive
firmware (or any other devices) can't fuck around with the stuff on
disk, although I highly doubt that the gentoo infrastructure (and
kernel.org, and all the source repos for all the other software) does this.

One way is to use a blob-free coreboot IOMMU supporting board and
bootstrap the crypto/kernel off of the board firmware EEPROM chip to
load the initial kernel thus no plaintext touches the disk and thus
nothing can mess with it.

The IOMMU (theoretically) protects the CPU and memory from rogue
devices, such as the hard drive.

In terms of ethics IBM *for now* is a way better company than Intel/AMD,
their POWER servers are owner controlled as there isn't any boot
guard/secure boot/management engine/platform "security" processor (amd's
ME) to stop you from re-writing the firmware as you please. They also
have a getting-there-almost-reasonable open source effort (OpenPOWER).

You can buy a TYAN OpenPOWER8 "Palmetto" (100% FOSS out of the box,
although not that powerful) or an IBM POWER8 S822 "Firestone" (very
powerful) which needs only a small amount of final work to be open sourced.

IBM's POWER8 has a supervisor processor, although it is owner controlled
(the key difference) unlike ME/PSP.

It is a shame that TALOS (POWER workstation board) never went anywhere,
it seems the linux community won't care about real freedom - right up
until microsoft finally locks us out for good and it is too late to do
anything about it.

https://www.coreboot.org/Board_freedom_levels
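Rich's point in the quoted exchange (a mirror, github included, can at worst DoS you once signatures are checked end to end) and Miroslav's question about what gkeys verifies come down to the same check: before consuming a synced tree, confirm that every commit carries a good signature from a key you have explicitly decided to trust. The script below is an added example written for this page, not gkeys or any Gentoo infrastructure code. It parses the per-commit signature fields that `git log --pretty='%H%x09%G?%x09%GF%x09%s'` prints (the `%G?` status letter and the `%GF` signing-key fingerprint, both documented in git-log(1)) and rejects anything unsigned, badly signed, or signed by a key outside an allow-list. The commit SHAs, fingerprints and allow-list in it are constructed for the example.

```python
"""Added example: policy check for end-to-end git commit signatures.

git reports, per commit, whether it is GPG-signed and by which key:

    git log --pretty='%H%x09%G?%x09%GF%x09%s' <range>

%G? is the signature status letter and %GF the fingerprint of the signing
key (git-log(1)).  Everything below parses that output; the SHAs,
fingerprints and allow-list are constructed, not Gentoo's.
"""
import subprocess
from dataclasses import dataclass

# git's %G? status letters, as documented in git-log(1).
STATUS_GOOD = "G"                    # good signature
STATUS_BAD = "B"                     # bad signature
STATUS_GOOD_UNKNOWN_VALIDITY = "U"   # good signature, key validity unknown to gpg
STATUS_NONE = "N"                    # no signature at all
# X / Y / R (expired, expired key, revoked key) and E (cannot be checked,
# e.g. key not in the keyring) are all treated as failures below.


@dataclass
class Commit:
    sha: str
    status: str
    fingerprint: str
    subject: str


def parse_log(lines):
    """Parse tab-separated 'sha<TAB>status<TAB>fingerprint<TAB>subject' lines."""
    commits = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        sha, status, fpr, subject = line.split("\t", 3)
        commits.append(Commit(sha, status, fpr.upper(), subject))
    return commits


def check_commits(commits, trusted_fingerprints):
    """Return [(sha, reason)] for every commit that violates the policy.

    A commit passes only if git reports a good signature (G or U) AND the
    signing key's full fingerprint is on our allow-list.  gpg's own trust
    database is deliberately ignored: the allow-list is the trust decision,
    so a good signature from a key we never approved is still rejected.
    """
    trusted = {f.upper() for f in trusted_fingerprints}
    failures = []
    for c in commits:
        if c.status == STATUS_NONE:
            failures.append((c.sha, "unsigned"))
        elif c.status == STATUS_BAD:
            failures.append((c.sha, "bad signature"))
        elif c.status in (STATUS_GOOD, STATUS_GOOD_UNKNOWN_VALIDITY):
            if c.fingerprint not in trusted:
                failures.append((c.sha, f"signed by unlisted key {c.fingerprint}"))
        else:
            failures.append((c.sha, f"signature status {c.status!r} not acceptable"))
    return failures


def git_log_lines(repo_path, rev_range="HEAD"):
    """Collect the same fields from a real checkout (needs git and gpg installed)."""
    result = subprocess.run(
        ["git", "-C", repo_path, "log", "--pretty=%H%x09%G?%x09%GF%x09%s", rev_range],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


# Constructed sample data: fake SHAs and fake fingerprints shaped like git output.
DEV_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"    # allow-listed developer key (fake)
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # key that was never approved (fake)
TRUSTED_FINGERPRINTS = {DEV_FPR}

SAMPLE_LOG = [
    "a" * 40 + "\tG\t" + DEV_FPR + "\tsys-apps/foo: version bump",     # passes
    "b" * 40 + "\tU\t" + OTHER_FPR + "\tapp-misc/bar: fix build",      # unlisted key
    "c" * 40 + "\tN\t\tprofiles: adjust package.mask",                 # unsigned
    "d" * 40 + "\tB\t" + DEV_FPR + "\tdev-libs/baz: stabilize",        # bad signature
    "e" * 40 + "\tE\t\tmetadata: regenerate cache",                    # key not available
]


def main():
    # Run against the constructed sample; swap in git_log_lines(path) for a real repo.
    for sha, reason in check_commits(parse_log(SAMPLE_LOG), TRUSTED_FINGERPRINTS):
        print(f"REJECT {sha[:12]}: {reason}")


if __name__ == "__main__":
    main()
```

On a real checkout, `git_log_lines("/var/db/repos/gentoo", "origin/master@{1}..origin/master")` would feed the commits fetched by the last sync into the same check, so that a sync is only applied if no commit is rejected; that is the "traceable signatures from dev to user" property the thread asks for, independent of which mirror served the data.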