From: Richard Freeman
Date: Mon, 30 Nov 2009 16:18:21 -0500
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] GPG Infrastructure for Gentoo (Was Council Meeting)
Message-id: <4B14369D.1040608@gentoo.org>
In-reply-to: <20091130113051.GA32489@chopin.edu.pl>

Antoni Grzymala wrote:
> How about getting back to GLEP-57 [1]? Robin Hugh Johnson made an effort
> a year ago to summarize the then-current state of things regarding tree
> and package signing, however the matter seems to have lain idle and
> untouched for more than a year since.
>

One concern I have with the GLEP-57 is that it is a bit hazy on some of the implementation details, and the current implementation has some weaknesses.

I go ahead and sign my commits. However, when I do this I'm signing the WHOLE manifest. So, if I stabilize foo-1.23-r5 on my arch, at best I've tested that one particular version of that package works fine for me. My signature applies to ALL versions of the package even though I haven't tested those.

Now, if we had an unbroken chain of custody then that wouldn't be a problem. However, repoman commit doesn't enforce this, and the manifest file doesn't really contain any indication of what packages are assured to what level of confidence.

If we want to sign manifests then the only way I see it actually providing real security benefits is if either:

1. The distro does this in the background in some way in a secure manner (ensuring it happens 100% of the time).
2. Every developer signs everything 100% of the time (make it a QA check).

The instant you have a break in the signature chain you can potentially have a modification. If somebody cares enough to check signatures, then they're going to care that the signature means something. Otherwise it only protects against accidental modifications, and the hashes already provide pretty good protection against this.
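Added example (not code from this post or from Gentoo's repoman): a chain-of-custody check that walks successive Manifest revisions and flags entries whose most recent change landed in an unsigned revision, even when a later developer signed the whole file. The Manifest lines, signer key ids and the revision history are constructed sample data.

```python
"""Chain-of-custody check over successive Manifest revisions.

Added example, not code from the post or from repoman. A whole-Manifest
signature only assures an entry if every revision that changed that entry
was itself signed. Manifest lines use the Gentoo layout; signer key ids
and the history below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]          # (type, file name), e.g. ("EBUILD", "foo.ebuild")

@dataclass
class Revision:
    manifest: str                # Manifest text as committed
    signer: Optional[str]        # key id of the committer's signature, or None

def parse_manifest(text: str) -> Dict[Entry, Tuple[str, ...]]:
    """Map each entry to its (size, hash algorithm, digest, ...) fields."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:       # blank, signature armour, or malformed line
            continue
        entries[(parts[0], parts[1])] = tuple(parts[2:])
    return entries

def unattested_entries(history: List[Revision]) -> Dict[Entry, int]:
    """Entries of the latest Manifest whose most recent change landed in an
    unsigned revision, mapped to that revision's index. A later signed
    revision does not close the gap: its signer vouched for the whole file."""
    last_change: Dict[Entry, int] = {}
    previous: Dict[Entry, Tuple[str, ...]] = {}
    for idx, rev in enumerate(history):
        current = parse_manifest(rev.manifest)
        for key, value in current.items():
            if previous.get(key) != value:   # added or modified in this revision
                last_change[key] = idx
        previous = current
    return {key: idx for key, idx in last_change.items()
            if key in previous and history[idx].signer is None}

# Constructed history: a signed commit, an unsigned edit to foo-1.22's
# digest, then a developer who stabilised foo-1.23-r5 signs the whole file.
HISTORY = [
    Revision("EBUILD foo-1.22.ebuild 1200 SHA256 aaaa\n", "0xDEADBEEF"),
    Revision("EBUILD foo-1.22.ebuild 1201 SHA256 aaa2\n", None),
    Revision("EBUILD foo-1.22.ebuild 1201 SHA256 aaa2\n"
             "EBUILD foo-1.23-r5.ebuild 1300 SHA256 bbbb\n", "0xCAFEF00D"),
]
```

Running `unattested_entries(HISTORY)` reports foo-1.22.ebuild as last changed in revision 1, while foo-1.23-r5.ebuild, introduced in a signed revision, is not flagged.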