| 1 |
On Sat, Jul 7, 2018 at 1:34 AM Martin Vaeth <martin@×××××.de> wrote: |
| 2 |
> |
| 3 |
> Rich Freeman <rich0@g.o> wrote: |
| 4 |
> > |
| 5 |
> > Biggest issue with git signature verification is that right now it |
| 6 |
> > will still do a full pull/checkout before verifying |
| 7 |
> |
| 8 |
> Biggest issue is that git signature happens by the developer who |
| 9 |
> last commited which means that in practice you need dozens/hundreds |
| 10 |
> of keys. |
| 11 |
|
| 12 |
This is untrue. The last git signature is made by infra or the |
| 13 |
CI-bot, and this is the signature that portage checks. |
| 14 |
|
| 15 |
Portage will NOT accept a developer key, or any other key in your |
| 16 |
keychain, as being valid. |
| 17 |
|
| 18 |
It will, of course, not work on the regular git repo used for |
| 19 |
committing for this reason. You need to use a repo that is signed by |
| 20 |
infra (which typically includes metadata/etc as well). |
| 21 |
|
| 22 |
I'll trim most of the rest of your email and only reply to significant |
| 23 |
bits, because you seem to not understand the point above which |
| 24 |
invalidates almost everything you wrote. The concerns you raise would |
| 25 |
be an issue if you were checking individual developer keys. |
| 26 |
|
| 27 |
> |
| 28 |
> So currently, it is impossible to do *any* automatic tree verification, |
| 29 |
> unless you manually fetch/update all of the developer keys. |
| 30 |
> |
| 31 |
|
| 32 |
As noted, you don't need to fetch any developer keys, and if you do |
| 33 |
fetch them, portage will ignore them. |
| 34 |
|
| 35 |
> |
| 36 |
> > unless you stick --force in your pull |
| 37 |
> |
| 38 |
> Unfortunately, it is not that simple: git pull --force only works if |
| 39 |
> the checked out tree is old enough (in which case git pull without --force |
| 40 |
> would have worked also, BTW). |
| 41 |
|
| 42 |
You completely trimmed the context around my quote. I was talking |
| 43 |
about the malicious commits in the recent attack. They were |
| 44 |
force-pushed, so it doesn't matter how complete your repository is - |
| 45 |
they simply would not be pulled without --force. |
| 46 |
|
| 47 |
You seem to be providing advice for how to do a pull with a shallow |
| 48 |
repository, which I'm not talking about. |
| 49 |
|
| 50 |
> > Honestly, I think git is a good fit for a lot of Gentoo users. |
| 51 |
> |
| 52 |
> At least since the ChangeLogs have been removed. |
| 53 |
> IMHO it was the wrong decision to not keep them in the rsync tree |
| 54 |
> (The tool to regenerate them from git was/is available). |
| 55 |
|
| 56 |
Changelogs are redundant with git, and they take a ton of space (which |
| 57 |
of late everybody seems to be super-concerned about). I don't get |
| 58 |
that on one hand people get twitchy about /usr/portage taking more |
| 59 |
than 1GB, and on the other hand they want a bazillion text files |
| 60 |
dumped all over the place, and as a bonus they want them prepended to |
| 61 |
instead of appended so that rsync resends the whole thing instead of |
| 62 |
just the tail... |
| 63 |
|
| 64 |
But, this was endlessly debated before the decision was made. Trust |
| 65 |
me, I read every post before voting to have them removed. |
| 66 |
|
| 67 |
> |
| 68 |
> > it is different, but all the history/etc is the sort of thing I think |
| 69 |
> > would appeal to many here. |
| 70 |
> |
| 71 |
> Having the ChangeLogs would certainly be sufficient for the majority |
| 72 |
> of users. It is very rare that a user really needs to access the |
| 73 |
> older version of the file, and in that case it is simple enough |
| 74 |
> to fetch it manually from e.g. github. |
| 75 |
|
| 76 |
It is very rare that somebody would want to use Gentoo at all. My |
| 77 |
point is that the sorts of people who like Gentoo would probably tend |
| 78 |
to like git. But, to each their own... |
| 79 |
|
| 80 |
> |
| 81 |
> > Security is obviously getting a renewed focus across the board |
| 82 |
> |
| 83 |
> Unfortunately, due to the mentioned keys problem, git is |
| 84 |
> currently the *unsafest* method for syncing. |
| 85 |
|
| 86 |
The "keys problem" has nothing to do with the security of git |
| 87 |
verification, because those keys are not used by git verification on |
| 88 |
the end-user side. An infra-controlled key is used for verification |
| 89 |
whether you sync with git or rsync. Either way you're relying on |
| 90 |
infra checking the developer keys at time of commit. |
| 91 |
|
| 92 |
Now, as I already mentioned git syncing is currently less safe due to |
| 93 |
it doing the checkout before the verification, and they are in the |
| 94 |
process of fixing this. |
| 95 |
|
| 96 |
> (BTW, due to the number of committers the portage tree has a quite |
| 97 |
> strict policy w.r.t. forced pushes. Overlays, especially of single |
| 98 |
> users, might have different policies and thus can fail quite often |
| 99 |
> due to the "git pull" bug.) |
| 100 |
|
| 101 |
It probably should be a configurable option in repos.conf, but |
| 102 |
honestly, forced pushes are not something that should be considered a |
| 103 |
good practice. There are times that it is the best option, but those |
| 104 |
are rare, IMO. |
| 105 |
|
| 106 |
-- |
| 107 |
Rich |
Archives