Re: [gentoo-dev] Re: rejecting unsigned commits

["Andreas K. Huettel" <dilfridge@gentoo.org>]

[-- Attachment #1: Type: Text/Plain, Size: 2394 bytes --]


> first off, fix your e-mail client.  this long line crap is ridiculous.

:) ever heard of flowed text? absolutely no need to get aggressive...

> second, anyone can add/remove e-mail addresses.  we arent verifying
> e-mail addresses, we're verifying keys.  

Unfortunately you are misunderstanding the GnuPG trust model here. As a third 
party you are not signing someone's key, but someone's userid associated with 
that key.

> the *only* thing that matters
> is that the key we have on file (0xabcd) is the one that was used to
> sign.

That's a policy decision. Basically there are several ways to go by 
implementing our own trust model.

1) Rely on an existing list of keys somewhere distributed in portage, and 
automatically trust all keys in that list.
VERY BAD, because if someone manipulates the portage tree he/she can 
manipulate that list as well. I'm pretty confident however you actually meant 
option 2) or 3):

2) Rely on an existing keyring somewhere distributed in portage; the file (not 
the keys themselves) is signed with a master key.
Is a very clumsy workaround.
Pros: you can exactly decide what keys are used and trusted, without thinking 
about GnuPG's inner workings.
Cons: People tend to modify their keys. Add user ids. Add new subkeys. Expire 
or revoke subkeys. Revoke userids. (My photo in the key is pretty old by now. 
:o) Whenever anything of this happens, the key file changes, needs to be re-
signed by infra and re-uploaded.

3) Rely on an existing key list somewhere distributed in portage; the list 
file with the key id's (not the keys themselves) is signed with a master key.
Is a mediocre and potentially insecure workaround.
Pros: you can exactly decide what keys are used and trusted, without thinking 
about GnuPG's inner workings. A user can edit his key and the key remains 
trusted.
Cons: Mainly that the key id is a pretty short hash afaik.(Any better-informed 
people around?)

4) Rely on an existing list of keys somewhere distributed in portage and 
possibly somewhere else (keyservers); a key userid is signed with a master 
key. Work with GnuPG's well-tested and well-thought-out trust relationships.
Back to start, time to re-read the entire thread... :)

Am I missing something?

-- 

Andreas K. Huettel
Gentoo Linux developer 
dilfridge@gentoo.org
http://www.akhuettel.de/


[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]