Re: [gentoo-dev] repo/gentoo.git, or how committing is challenging

[Andrew Savchenko <bircoph@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 3057 bytes --]

Hi,

On Sun, 13 Dec 2015 18:36:51 +0100 Patrick Lauer wrote:
> Oh hey. We're in the future. Let's try to commit something to
> repo/gentoo.git!
> 
> So apparently we're signing things with gpg now, so let's read the
> official documentation.
> The [1] wiki seems to be the canonical location for such things.
> 
> Oh dear. The layout is VERY broken. See [2]. Which redirects to [3],
> which is a duplicate of [4], which has been closed because apparently
> the persons responsible don't understand how to internet.
> Since this bug is only about a year old I don't expect any progress soon
> - but fetching random crap from untrusted hosts is not a sane option.
> Especially since there is already a webserver, which is also trusted, so
> I'm confused why we're still having this conversation.
> 
> But hey, let's blindly fetch CSS from unknown, just to notice that this
> 'theme' needs JavaScript to display properly. Because reasons.
> 
> Why would I want to blindly execute code when reading the text of a
> wiki? Because, reasons. Because, future!

I agree with you that wikification of the documentation brings
security risks, especially due to sourcing of not-so-trusted
resources. But anyway wiki is just docs, one can read them in any
isolation environment of choise. Of course, javascript powered L3
cache attack may extract ones git key, this kind of attack may
happen from any js-enabled site. So if someone prefers to go for
such high security levels, a physically isolated box should be used
for git purposes only — and this is what Linus does IIRC. Rackcdn
js is not an additional risk in real-life conditions IMO.

Also wiki is barely readable in the lightweigth (and rather secure
due to lack of extra functions) browsers like elinks or lynx. This
irritates me, but is still tolerable in this imperfect world.

> Since signing is mandatory since the git migration, ahem, this means
> that no one in the last 5 months(!) actually followed the documentation
> (because that does NOT work!). I'm almost impressed, but, wow, this is
> enterprisey.

It is absolutely possible to create correct gpg key, put it into
LDAP according to GLEP and to sign commits and pushes properly.
What is not currently possible is to verify all tree automatically.

I agree that gkeys needs more work. But we are all volunteers here.
You may help them if you are that interested into this
functionality.

What worries me more that we still have no way for rsync users to
verify the portage tree (or Gentoo tree in the newspeak someone
prefers here). And most users use rsync.

> So, what can we do to make this whole story of 'commit (and push) to
> repo/gentoo.git' make sense? And why do I appear to be the only one to
> notice this chain of breakage?!

We need to complete gkeys project, right? That's not all of the
story, but a start. So send patches :) As for the full story, we
still need to somehow verify rsync tree. For now only snapshots are
verified.
 
Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]