Date: Sun, 13 Dec 2015 22:20:01 +0300
From: Andrew Savchenko
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] repo/gentoo.git, or how committing is challenging
Message-Id: <20151213222001.0c1c466a3f3b8b0b53c69a9d@gentoo.org>
In-Reply-To: <566DACB3.2010105@gentoo.org>

Hi,

On Sun, 13 Dec 2015 18:36:51 +0100 Patrick Lauer wrote:
> Oh hey. We're in the future. Let's try to commit something to
> repo/gentoo.git!
>
> So apparently we're signing things with gpg now, so let's read the
> official documentation.
> The [1] wiki seems to be the canonical location for such things.
>
> Oh dear. The layout is VERY broken. See [2]. Which redirects to [3],
> which is a duplicate of [4], which has been closed because apparently
> the persons responsible don't understand how to internet.
> Since this bug is only about a year old I don't expect any progress soon
> - but fetching random crap from untrusted hosts is not a sane option.
> Especially since there is already a webserver, which is also trusted, so
> I'm confused why we're still having this conversation.
>
> But hey, let's blindly fetch CSS from unknown, just to notice that this
> 'theme' needs JavaScript to display properly. Because reasons.
>
> Why would I want to blindly execute code when reading the text of a
> wiki? Because, reasons. Because, future!

I agree with you that wikification of the documentation brings
security risks, especially due to sourcing of not-so-trusted
resources. But anyway wiki is just docs, one can read them in any
isolation environment of choice. Of course, javascript powered L3
cache attack may extract one's git key, this kind of attack may happen
from any js-enabled site. So if someone prefers to go for such high
security levels, a physically isolated box should be used for git
purposes only — and this is what Linus does IIRC. Rackcdn js is not
an additional risk in real-life conditions IMO.

Also wiki is barely readable in the lightweight (and rather secure
due to lack of extra functions) browsers like elinks or lynx. This
irritates me, but is still tolerable in this imperfect world.

> Since signing is mandatory since the git migration, ahem, this means
> that no one in the last 5 months(!) actually followed the documentation
> (because that does NOT work!). I'm almost impressed, but, wow, this is
> enterprisey.

It is absolutely possible to create a correct gpg key, put it into
LDAP according to GLEP and to sign commits and pushes properly.
What is not currently possible is to verify all tree automatically.
I agree that gkeys needs more work. But we are all volunteers here.
You may help them if you are that interested in this functionality.

What worries me more is that we still have no way for rsync users to
verify the portage tree (or Gentoo tree in the newspeak someone
prefers here). And most users use rsync.

> So, what can we do to make this whole story of 'commit (and push) to
> repo/gentoo.git' make sense? And why do I appear to be the only one to
> notice this chain of breakage?!

We need to complete gkeys project, right? That's not all of the
story, but a start. So send patches :)

As for the full story, we still need to somehow verify rsync tree.
For now only snapshots are verified.

Best regards,
Andrew Savchenko