From: "Kevin F. Quinn"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Signing everything, for fun and for profit
Date: Fri, 19 May 2006 01:53:29 +0200
Message-ID: <20060519015329.0fdeef6a@c1358217.kevquinn.com>
In-Reply-To: <1147988717.32416.51.camel@localhost>

On Thu, 18 May 2006 23:45:17 +0200 Patrick Lauer wrote:

> Note: a possible defense against rogue devs would be multi-signing,

I don't think it's worth trying to defend against rogue devs.
We have to have some level of trust amongst devs; anyone abusing that trust will be ejected sooner or later and any breakage will be fixed.

On key management - I wouldn't get too excited about gold standard key management. Using the "web of trust" seems good enough to me. The default chain depth of 5 seems enough to reach around the globe. Publish the top-level public key(s) and fingerprint(s) on the web server, have the secret keys held by infra, revocation certificates by infra and council. Anyone not wishing to trust the web server can locate a nearby dev whose identity they can trust with a chain back to the top and obtain the public key from that dev. Perhaps we could take a more proactive approach to getting devs' keys onto the chain.

I wanted to mention the currently un-signed portions of the tree. I'm sure we've discussed this before although I couldn't find it. Unsigned bits of the rsync tree are:

  eclass
  licenses
  metadata
  profiles
  header.txt
  scripts
  skel.*

Obviously header.txt and skel.* aren't important. scripts isn't too important either, although a manifest-style file in there wouldn't be difficult. licenses and metadata don't have any security impact so there's little point there, also.

Do profiles present a security risk? Perhaps by masking/unmasking fixed/vulnerable versions of packages. Here, a Manifest in each directory seems most sensible (it might be useful to move the global data around a bit; fex move *desc into the desc subdirectory).

eclass - not so easy. A per-eclass detached signature would clutter the directory up too much, doubling the file count. A single Manifest for the whole directory could be awkward if enough eclass editing goes on simultaneously, but it might be workable. I think that's where the last discussion ended up - a single manifest for the whole eclass directory. If GLEP33 ever gets implemented, this issue is obvious as each subdirectory would have its own manifest.
Obviously the best way to add this sort of thing is to add support to repoman, which has been mentioned before for profiles at least, for QA.

-- 
Kevin F. Quinn
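The per-directory Manifest the message proposes for profiles (and, as the single whole-directory variant, for eclass) is easy to see in miniature. The block below is an added example written for this page; it is not Gentoo's Manifest2 format, repoman code, or anything posted in the thread. Assumptions: a simplified one-line-per-file format (`DATA relpath size SHA256 hex`), a constructed in-memory tree standing in for a rsync checkout, and the OpenPGP signing of the Manifest file itself (what a dev's key would actually cover) left out so the code runs offline. The point the code makes is the one the message raises: once the Manifest over profiles/ is signed, silently editing package.mask or dropping in an extra file to unmask a vulnerable version is detected on the client, provided the verifier also flags files that are present but unlisted.

```python
"""Constructed example: per-directory Manifest over a profiles-style tree.

Simplified format, not Gentoo's real Manifest2; the sample tree is made up.
Signing the resulting Manifest text (e.g. gpg --clearsign) is assumed to
happen separately and is not shown.
"""
import hashlib
from typing import Dict, List

# Constructed sample tree: path -> file contents (a tiny profiles/ directory).
SAMPLE_TREE: Dict[str, bytes] = {
    "profiles/package.mask": b"# vulnerable, see bug NNN (placeholder)\n=app-misc/foo-1.0\n",
    "profiles/profiles.desc": b"x86 default/linux/x86 stable\n",
    "profiles/desc/arch.desc": b"x86\namd64\n",
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: Dict[str, bytes], directory: str) -> str:
    """Return Manifest text covering every file under `directory`.

    One line per file, sorted so the output is reproducible:
        DATA <relative path> <size> SHA256 <hex digest>
    """
    prefix = directory.rstrip("/") + "/"
    lines = []
    for path in sorted(tree):
        if not path.startswith(prefix):
            continue
        data = tree[path]
        lines.append(f"DATA {path[len(prefix):]} {len(data)} SHA256 {_digest(data)}")
    return "\n".join(lines) + "\n"


def verify_manifest(manifest: str, tree: Dict[str, bytes], directory: str) -> List[str]:
    """Check `directory` against `manifest`; return a sorted list of problems.

    Empty list means the directory matches. Three failure kinds are reported:
    a listed file whose size or hash differs, a listed file that is gone, and
    a file present on disk but absent from the Manifest. The last case matters
    for profiles: an added package.unmask would otherwise pass unnoticed.
    """
    prefix = directory.rstrip("/") + "/"
    problems: List[str] = []
    listed = set()
    for line in manifest.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] != "DATA" or parts[3] != "SHA256":
            problems.append(f"malformed manifest line: {line!r}")
            continue
        _type, rel, size, _alg, expected = parts
        listed.add(rel)
        path = prefix + rel
        if path not in tree:
            problems.append(f"missing: {rel}")
            continue
        data = tree[path]
        if str(len(data)) != size or _digest(data) != expected:
            problems.append(f"modified: {rel}")
    for path in tree:
        if path.startswith(prefix) and path[len(prefix):] not in listed:
            problems.append(f"unlisted: {path[len(prefix):]}")
    return sorted(problems)


def demo() -> List[str]:
    """Build a Manifest for the clean tree, then verify a tampered copy.

    The tampering mirrors the concern in the message: the mask entry for a
    vulnerable version is removed and an unmask file is added.
    """
    manifest = build_manifest(SAMPLE_TREE, "profiles")
    assert verify_manifest(manifest, SAMPLE_TREE, "profiles") == []
    tampered = dict(SAMPLE_TREE)
    tampered["profiles/package.mask"] = b"# vulnerable, see bug NNN (placeholder)\n"
    tampered["profiles/package.unmask"] = b"=app-misc/foo-1.0\n"
    return verify_manifest(manifest, tampered, "profiles")


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Running the block prints `modified: package.mask` and `unlisted: package.unmask`. The same `build_manifest` call over `"eclass"` gives the single whole-directory Manifest the message settles on; the cost it mentions (concurrent edits) shows up as every eclass commit rewriting the one shared file.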