1 |
On Sat, Jul 7, 2018 at 1:34 AM Martin Vaeth <martin@×××××.de> wrote: |
2 |
> |
3 |
> Rich Freeman <rich0@g.o> wrote: |
4 |
> > |
5 |
> > Biggest issue with git signature verification is that right now it |
6 |
> > will still do a full pull/checkout before verifying |
7 |
> |
8 |
> Biggest issue is that git signature happens by the developer who |
9 |
> last commited which means that in practice you need dozens/hundreds |
10 |
> of keys. |
11 |
|
12 |
This is untrue. The last git signature is made by infra or the |
13 |
CI-bot, and this is the signature that portage checks. |
14 |
|
15 |
Portage will NOT accept a developer key, or any other key in your |
16 |
keychain, as being valid. |
17 |
|
18 |
It will, of course, not work on the regular git repo used for |
19 |
committing for this reason. You need to use a repo that is signed by |
20 |
infra (which typically includes metadata/etc as well). |
21 |
|
22 |
I'll trim most of the rest of your email and only reply to significant |
23 |
bits, because you seem to not understand the point above which |
24 |
invalidates almost everything you wrote. The concerns you raise would |
25 |
be an issue if you were checking individual developer keys. |
26 |
|
27 |
> |
28 |
> So currently, it is impossible to do *any* automatic tree verification, |
29 |
> unless you manually fetch/update all of the developer keys. |
30 |
> |
31 |
|
32 |
As noted, you don't need to fetch any developer keys, and if you do |
33 |
fetch them, portage will ignore them. |
34 |
|
35 |
> |
36 |
> > unless you stick --force in your pull |
37 |
> |
38 |
> Unfortunately, it is not that simple: git pull --force only works if |
39 |
> the checked out tree is old enough (in which case git pull without --force |
40 |
> would have worked also, BTW). |
41 |
|
42 |
You completely trimmed the context around my quote. I was talking |
43 |
about the malicious commits in the recent attack. They were |
44 |
force-pushed, so it doesn't matter how complete your repository is - |
45 |
they simply would not be pulled without --force. |
46 |
|
47 |
You seem to be providing advice for how to do a pull with a shallow |
48 |
repository, which I'm not talking about. |
49 |
|
50 |
> > Honestly, I think git is a good fit for a lot of Gentoo users. |
51 |
> |
52 |
> At least since the ChangeLogs have been removed. |
53 |
> IMHO it was the wrong decision to not keep them in the rsync tree |
54 |
> (The tool to regenerate them from git was/is available). |
55 |
|
56 |
Changelogs are redundant with git, and they take a ton of space (which |
57 |
of late everybody seems to be super-concerned about). I don't get |
58 |
that on one hand people get twitchy about /usr/portage taking more |
59 |
than 1GB, and on the other hand they want a bazillion text files |
60 |
dumped all over the place, and as a bonus they want them prepended to |
61 |
instead of appended so that rsync resends the whole thing instead of |
62 |
just the tail... |
63 |
|
64 |
But, this was endlessly debated before the decision was made. Trust |
65 |
me, I read every post before voting to have them removed. |
66 |
|
67 |
> |
68 |
> > it is different, but all the history/etc is the sort of thing I think |
69 |
> > would appeal to many here. |
70 |
> |
71 |
> Having the ChangeLogs would certainly be sufficient for the majority |
72 |
> of users. It is very rare that a user really needs to access the |
73 |
> older version of the file, and in that case it is simple enough |
74 |
> to fetch it manually from e.g. github. |
75 |
|
76 |
It is very rare that somebody would want to use Gentoo at all. My |
77 |
point is that the sorts of people who like Gentoo would probably tend |
78 |
to like git. But, to each their own... |
79 |
|
80 |
> |
81 |
> > Security is obviously getting a renewed focus across the board |
82 |
> |
83 |
> Unfortunately, due to the mentioned keys problem, git is |
84 |
> currently the *unsafest* method for syncing. |
85 |
|
86 |
The "keys problem" has nothing to do with the security of git |
87 |
verification, because those keys are not used by git verification on |
88 |
the end-user side. An infra-controlled key is used for verification |
89 |
whether you sync with git or rsync. Either way you're relying on |
90 |
infra checking the developer keys at time of commit. |
91 |
|
92 |
Now, as I already mentioned git syncing is currently less safe due to |
93 |
it doing the checkout before the verification, and they are in the |
94 |
process of fixing this. |
95 |
|
96 |
> (BTW, due to the number of committers the portage tree has a quite |
97 |
> strict policy w.r.t. forced pushes. Overlays, especially of single |
98 |
> users, might have different policies and thus can fail quite often |
99 |
> due to the "git pull" bug.) |
100 |
|
101 |
It probably should be a configurable option in repos.conf, but |
102 |
honestly, forced pushes are not something that should be considered a |
103 |
good practice. There are times that it is the best option, but those |
104 |
are rare, IMO. |
105 |
|
106 |
-- |
107 |
Rich |