From: Dane Smith
Date: Fri, 25 Mar 2011 07:44:45 -0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
Message-ID: <4D8C802D.8010102@gentoo.org>
In-Reply-To: <201103251044.37611.dilfridge@gentoo.org>
References: <201103250953.19757.dilfridge@gentoo.org> <20110325091100.GA5313@lemongrass.antoszka.pl> <201103251044.37611.dilfridge@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/25/2011 05:44 AM, Andreas K. Huettel wrote:
>>> * The key should be signed by some central instance for automated
>>> validity check.
>>>
>>> Here things get hairy. How about having the recruiter/infra team sign a dev's
>>> key on completion of the recruitment process? Just a first thought...
>>
>> I think this is an important requirement, however it's quite difficult
>> to conduct reliably. A normal keysigning process usually requires
>> knowing one personally (and perhaps verifying fingerprints over a
>> phone with voice verification), seeing one's ID personally and the
>> like. This is probably unfeasible in the Gentoo development
>> environment (I'm not a dev, though, so I'm just guessing).
>
> Well, as long as the signed UID is the specific "Gentoo address UID", this
> should be no problem, since...
>
> * the signature proves the key belongs to the e-mail address, nothing else
> * the e-mail address is given to the owner of the key during recruitment
>
> Meaning nobody is certifying something that he/she does not know already by
> definition.
>
> Please point out any thinkos... :)
>

This is 100% correct. We are not attempting to verify identity. Whether or not my name is Dane Smith is a moot point. All that matters is that I am the person that the Gentoo recruiters granted access to.

I cannot stress how important some of this is. It's bad if a binary distro doesn't sign their code, but in some ways it's even worse for us. An ebuild can do most anything. If someone were to want to insert some nastiness into, say, openssl, all they have to do is hijack an rsync mirror, insert their patch, change the ebuild a smidge, and run and hide. And no one would be any the wiser. The only difference is that unlike a binary distro, where a user can't verify anything (easily), at least one of ours can always look at the ebuilds / patches. (Not to mention they could also hack their nastiness into the openssl tarball, change the manifest, and then run and hide. Same effect, no notice at the ebuild level.)

For those who got bored at line two, it all comes down to: Sign. Your. STUFF!
Your friendly neighborhood paranoid,

- --
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
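As an added example, not part of this thread, here is the policy check the quoted proposal implies on the verifying side: given the colon-delimited output of `gpg --with-colons --check-sigs KEYID`, a key is accepted for commit signing only if its @gentoo.org UID carries a good, unrevoked certification from the recruiter/infra key. The certifier key ID, the sample records, and all names and addresses are constructed placeholders.

```python
import re

# Placeholder (not from the thread): key ID of the recruiter/infra key that
# certifies a developer's Gentoo-address UID once recruitment completes.
CERTIFIER_KEYID = "0123456789ABCDEF"
CERT_CLASSES = {"10x", "11x", "12x", "13x"}  # OpenPGP UID certification classes
GENTOO_UID = re.compile(r"<[^<>]+@gentoo\.org>\s*$")

# Constructed sample in the shape of `gpg --with-colons --check-sigs KEYID`:
# sig field 2 is '!' (good) or '-' (bad), field 5 the signer key ID, field 11
# the signature class. All key IDs, names and addresses below are made up.
SAMPLE = """\
pub:u:2048:1:FEDCBA9876543210:1300000000:::u:::scESC:
uid:u::::1300000000::0000000000000000000000000000000000000001::Example Dev <example@gentoo.org>:
sig:!::1:FEDCBA9876543210:1300000000::::Example Dev <example@gentoo.org>:13x:
sig:!::1:0123456789ABCDEF:1300500000::::Recruiters (placeholder) <recruit@example.invalid>:13x:
uid:u::::1300000000::0000000000000000000000000000000000000002::Example Dev <dev@example.invalid>:
sig:!::1:0123456789ABCDEF:1300500000::::Recruiters (placeholder) <recruit@example.invalid>:13x:
"""

def parse_uid_certs(colons_text):
    """Map each unrevoked UID to its (kind, validity, signer, class) records."""
    certs, current = {}, None
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            current = None if f[1] == "r" else f[9]  # 'r' marks a revoked UID
            if current is not None:
                certs.setdefault(current, [])
        elif f[0] in ("sig", "rev") and current is not None:
            certs[current].append((f[0], f[1], f[4].upper(), f[10]))
    return certs

def certified_gentoo_uids(colons_text, certifier_keyid=CERTIFIER_KEYID):
    """@gentoo.org UIDs with a good, unrevoked certification from the certifier.
    Only the Gentoo-address UID counts: the signature attests key-to-address."""
    wanted, result = certifier_keyid.upper(), []
    for uid, recs in parse_uid_certs(colons_text).items():
        if not GENTOO_UID.search(uid):
            continue
        good = any(k == "sig" and v == "!" and s == wanted and c in CERT_CLASSES
                   for k, v, s, c in recs)
        revoked = any(k == "rev" and s == wanted for k, _, s, _ in recs)
        if good and not revoked:
            result.append(uid)
    return result

def key_acceptable(colons_text, certifier_keyid=CERTIFIER_KEYID):
    return bool(certified_gentoo_uids(colons_text, certifier_keyid))
```

A certification on a non-Gentoo UID, a bad ('-') signature, or a revoked UID does not make the key acceptable, which is exactly the narrow claim the quoted proposal wants the recruiter signature to carry.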