From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 28185 invoked by uid 1002); 17 Aug 2003 16:41:39 -0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 5244 invoked from network); 17 Aug 2003 16:41:39 -0000 From: David Masover Reply-To: masover@physemp.com To: gentoo-dev@gentoo.org Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-NJMZVxyOaCiy1Gk+reYj" Organization: physemp/medbanner Message-Id: <1061138498.12717.82.camel@morpheus.masover> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.3 Date: 17 Aug 2003 11:41:38 -0500 Subject: [gentoo-dev] manifests & gpg X-Archives-Salt: e3afddb2-d047-4c6a-b720-ab1f27395d68 X-Archives-Hash: 9bf6b5d1349462ae9fffd253b6b0aaf8 --=-NJMZVxyOaCiy1Gk+reYj Content-Type: text/plain Content-Transfer-Encoding: quoted-printable I have no idea where to post this, so I'll start here. Tell me where this belongs. I see these "manifest" files showing up, which look like checksums for the checksums, or checksums for the metadata, or something. I think the idea is, they help with two goals: 1.) Make it faster to generate/manage the metadata. 2.) Make the system more secure. If an rsync mirror were to be compromised, or someone just felt like setting up an intentionally compromised one and somehow got it on the list of "official" mirrors, with Portage as it was when I last checked, all you'd have to do is add a new ebuild that was a "critical update" to something like ssh. It's true that it runs as user "portage", but the package eventually has to merge to the filesystem, making it all too easy to install a rootkit on hundreds of systems without really trying. There's also the fact that rsync itself isn't too secure, so I'm sure there's the possibility of a man-in-the-middle attack. It was mentioned on IRC that the manifests, which have checksums for all the valid ebuilds and files, would be gpg-signed, and that the private key would be held by project leaders, while the public key would be installed once -- off the install cd. That's the state if this issue last I checked. A few things that I have no idea of right now are: What about a manifest for all the manifests? It'd be easy enough for a malicious rsync mirror to leave off critical security updates and build a list of people who now don't have those updates, or who have been downgraded to old, broken versions. In order to prevent someone from just brute-forcing it by having an rsync mirror several months out of date in its entirety (not just in one package), the manifests should have dates in them. In order to prevent evil people from just creating their own manifests, you sign them, of course. Aside from the annoyance of making gpg (or maybe virtual/pgp, or something) a base package, this is a good thing.=20 The problem is, how many people have the key? I think there should be, say, a master key, held by, say, drobbins, and following the new management system, each project manager has their own key, and signs the keys of their subordinates. This makes the business of signing a particular manifest the responsibility of whoever is responsible for that package. It should also be possible to, within portage, restrict a key to only certain packages or categories. How it would work is, say I create my own package, app-toys/foobar (appologies if something like this already exists). I manage it and a few things it depends on, sys-libs/foo and sys-libs/bar. My direct supervisor (for simplicity's sake let's say it's drobbins) signs a list of packages and categories I'm allowed to edit, things like maybe a lang-baz category, for the special scripting language used by app-toys/foobar. This is all a bit much for me, so I create and sign my own list, delegating sys-libs/foo to my bro. He can update foo, but so far, only I can update foobar. If I delegate lang-baz/documentation to my mom, she can't change any of the actual software, and my bro (who sucks at writing) can't change any of the documentation. I can still micromanage them if I want, but I probably wouldn't. This cuts down the points of attack from anyone with an rsync mirror to a few rsa keys. Unless someone steals the Master Key from drobbins, it's always possible to do things like rotate everyone else's keys if they get stolen. The only other possibility is someone downloads a tainted iso with the wrong public key. True security freaks can handle this by ordering cds via mail, checking them against downloaded md5sums, and requesting fingerprints over mail. The rest of us can just update when it's ready -- this gives evil people only one shot at thwarting this scheme. Awaiting comments, SanityInAnarchy --=-NJMZVxyOaCiy1Gk+reYj Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iQIVAwUAPz+wQQisZLIF6uqOAQI6ug//f2UZ4NDIEkSpS48PuwdaS/AF7yGHMwUa 8lvgKOQhssuL+UceuGGp3VuXo6jwdCQFmZP4EstiwDGP554e2a9rc6xWQHKURr7Y J4KCCaMqDQcQggINikkP1EPJnlMuLuPFXenEwfeTV37Yb+BSg7nCzGjHIloyMW2V fR0T4V89W+A8+8urxmtNJZtr3zyTmplO/y5Q3RkjEl8ZuQA04lTwnMmd5iggGAjs 5KHBoIMkQBBU7eYGniacuJJxRPBGvmUDDyaz27Zd4D51zDVeF1R6Y03urLj+817e lNIhFvLskc1wSt2VnqLe8zostIoc7ikeRZCmoJ2HQ40+W+MuBezaW8KM8zyMIGcK kmVNuAERFTw2oCr8tGrkLas01/Cq29R9MAKeR/KoBhOWtoCEYw0+HkaoMTJkHa/b sN4RDVqGGK9THUNSDn1tGBeT2MY2NwlBendVrpWu5SiTdGqw6qi06TYrqCtg3/FX QDzbKuQHm82wBGgxS5qo5iKtlqFK+LMSeZ+1xr1k5riBpQv4FQ21RuaC+31sYdpA 062g4b1x8G1EdOXD5xmRdzdmsHrIdHWl32OIEYTjrYG2E+rmbR93VKQSra/6+8lN VzAyWIyhrG/aiM12mMsCQv+7Tds3aTmVwOrZAinJV61QA0CEONUewi5oS3iFWXj0 /RC4ILJy2Xg= =gehb -----END PGP SIGNATURE----- --=-NJMZVxyOaCiy1Gk+reYj--