From: Dawid Węgliński
Organization: Gentoo Linux
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] GPG Infrastructure for Gentoo (Was Council Meeting)
Date: Mon, 30 Nov 2009 23:28:33 +0100
Message-Id: <200911302328.33923.cla@gentoo.org>
In-Reply-To: <4B14369D.1040608@gentoo.org>

On Monday 30 November 2009 22:18:21 Richard Freeman wrote:
> Antoni Grzymala wrote:
> > How about getting back to GLEP-57 [1]? Robin Hugh Johnson made an effort
> > a year ago to summarize the then-current state of things regarding tree
> > and package signing, however the matter seems to have lain idle and
> > untouched for more than a year since.
>
> One concern I have with the GLEP-57 is that it is a bit hazy on some of
> the implementation details, and the current implementation has some
> weaknesses.
>
> I go ahead and sign my commits. However, when I do this I'm signing the
> WHOLE manifest. So, if I stabilize foo-1.23-r5 on my arch, at best I've
> tested that one particular version of that package works fine for me.
> My signature applies to ALL versions of the package even though I
> haven't tested those.
>

I may be wrong - then please correct me. You don't sign every package version but the Manifest. Thus you somehow prove every file checksum is correct. If there were any changes made on the server side, those checksums would be incorrect according to your signed Manifest. Currently any change may be fixed by whoever it is with the same command, ebuild foo digest.

> Now, if we had an unbroken chain of custody then that wouldn't be a
> problem. However, repoman commit doesn't enforce this and the manifest
> file doesn't really contain any indication of what packages are assured
> to what level of confidence.

That's what should be discussed - forcing developers to sign their commits and implementing this support in package managers.

>
> If we want to sign manifests then the only way I see it actually
> providing real security benefits is if either:
>
> 1. The distro does this in the background in some way in a secure
> manner (ensuring it happens 100% of the time).
>
> 2. Every developer signs everything 100% of the time (make it a QA
> check).
>
> The instant you have a break in the signature chain you can potentially
> have a modification. If somebody cares enough to check signatures, then
> they're going to care that the signature means something. Otherwise it
> only protects against accidental modifications, and the hashes already
> provide pretty good protection against this.
>

That's not really true. I see tips like "if you have digest incorrect, run ebuild foo.ebuild digest" very often. A really small group of people care about broken digests. :(

--
Cheers
Dawid Węgliński
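The point made in the reply above (a signed Manifest catches a server-side file change, while an unsigned digest rebuild does not) as an added example that is not part of the original thread. It uses a constructed one-file tree in Manifest2 layout and a hypothetical HMAC key as a stand-in for the developer's GPG signature:

```python
import hashlib
import hmac

def parse_manifest(text):
    """Parse Manifest2 lines of the form: TYPE name size HASH value [HASH value ...]."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("DIST", "EBUILD", "MISC", "AUX"):
            continue
        entries[parts[1]] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries

def check_hashes(manifest_text, files):
    """True when every listed file is present with the recorded size and SHA256."""
    for name, (size, hashes) in parse_manifest(manifest_text).items():
        data = files.get(name)
        if data is None or len(data) != size:
            return False
        if hashlib.sha256(data).hexdigest() != hashes.get("SHA256"):
            return False
    return True

def generate_manifest(files):
    """What 'ebuild foo digest' does: rebuild the Manifest from whatever is on disk."""
    return "".join(f"EBUILD {n} {len(d)} SHA256 {hashlib.sha256(d).hexdigest()}\n" for n, d in sorted(files.items()))

def sign_manifest(manifest_text, key):
    """Stand-in for the developer's GPG signature: an HMAC over the whole Manifest text."""
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()
def check_signature(manifest_text, sig, key):
    return hmac.compare_digest(sign_manifest(manifest_text, key), sig)

# Constructed sample tree: one ebuild, signed with a hypothetical key only the committer holds.
DEV_KEY = b"developer-signing-key-stand-in"
FILES = {"foo-1.23-r5.ebuild": b'DESCRIPTION="foo"\nKEYWORDS="amd64"\n'}
MANIFEST = generate_manifest(FILES)
SIGNATURE = sign_manifest(MANIFEST, DEV_KEY)

def scenario():
    """Return {state: (hashes_ok, signature_ok)} for three states of the tree."""
    results = {"clean": (check_hashes(MANIFEST, FILES), check_signature(MANIFEST, SIGNATURE, DEV_KEY))}
    # A file changed on the server with the Manifest left alone: the hashes catch it.
    changed = {"foo-1.23-r5.ebuild": FILES["foo-1.23-r5.ebuild"] + b"# changed\n"}
    results["file_changed"] = (check_hashes(MANIFEST, changed), check_signature(MANIFEST, SIGNATURE, DEV_KEY))
    # The same change followed by a digest rebuild: the hashes pass, only the signature fails.
    rebuilt = generate_manifest(changed)
    results["digest_rebuilt"] = (check_hashes(rebuilt, changed), check_signature(rebuilt, SIGNATURE, DEV_KEY))
    return results
```

The third state is the one the thread is about: once anyone can rerun the digest step, per-file hashes alone only catch accidental damage, and only a signature the rebuilder cannot produce still fails.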