From: "Chris Bainbridge"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Signing everything, for fun and for profit
Date: Fri, 19 May 2006 10:46:26 +0100
Message-ID: <623652d50605190246q625e9c76g820fc4138ee88cb4@mail.gmail.com>
In-Reply-To: <1147988717.32416.51.camel@localhost>

The only attack most people really care about is a compromised rsync server. There is no practical way to protect against the other attacks - and at the end of the day, if a developer gets compromised it doesn't matter whether it's a gpg key or ssh key, the effect is the same. The discussion about which files to sign is pointless - the extra computational cost of signing all files in the tree is insignificant, and how are we supposed to know how future tools will handle things like the licenses? Just do it properly now and sign every file.

We already trust the master cvs server admins (and they could just replace the whole tree anyway), so what benefit does a distributed signing system like gpg actually give to the developers or users? I can't see any that are worth the costs of key management (and there are costs, otherwise a system would've been put into place years ago).

So my simple proposal would be to use a single key, and a post-commit cvs hook to sign the whole tree. It takes me 1.5 seconds with gnupg to generate a signature covering the whole tree on my desktop here. I don't know how many commits per day there are (and maybe that would be reduced with an atomic commit system like svn), so I don't know if this is an acceptable cost. I think it probably is, but if not, then signing could be done per-directory.

The benefits of this would be that changes are minimised - developers and users act the same, the impact on the tree is a 191 byte signature, and yet it will protect against the most likely and most practical form of attack. I was much more in favour of a distributed trust system in 2003 (or whenever this was last discussed), but I think the right solution now is the practical, easy to implement one.
-- 
gentoo-dev@gentoo.org mailing list
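The post-commit hook the mail proposes, worked through as an added example (this is not code from the mail or from Gentoo's tools): the hook hashes every file into one canonical manifest, gpg signs that manifest once with a single key, and a client verifies the signature and then every file against the manifest. That is what makes "one 191 byte signature covers the whole tree" work, and it also catches files a compromised rsync server adds or deletes, which signing individual files never would. The manifest line format, the MANIFEST/MANIFEST.asc file names, the key id parameter and the sample tree are all assumptions made here, not Gentoo's Manifest format.

```python
"""Added example: sign a whole tree with one key via a canonical manifest.
Not Gentoo's code; manifest format, file names and sample tree are constructed."""
import hashlib
import os
import shutil
import subprocess
import tempfile

MANIFEST_NAME = "MANIFEST"        # assumed names, not Gentoo's Manifest format
SIGNATURE_NAME = "MANIFEST.asc"


def file_digest(path):
    """SHA-256 of a file, streamed so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """One 'sha256 <hex> <size> <relpath>' line per regular file, sorted by
    path, so an unchanged tree yields byte-identical text every time.  The
    manifest and its signature are excluded or the hook would never converge."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in (MANIFEST_NAME, SIGNATURE_NAME) or os.path.islink(full):
                continue
            lines.append(f"sha256 {file_digest(full)} {os.path.getsize(full)} {rel}")
    return "".join(line + "\n" for line in lines)


def parse_manifest(text):
    """Map relpath -> (hex digest, size); path is last so spaces in it survive."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            _algo, digest, size, rel = line.split(" ", 3)
            entries[rel] = (digest, int(size))
    return entries


def verify_tree(root, manifest_text):
    """Compare the tree on disk with a signature-checked manifest.  Returns
    sorted (problem, relpath) pairs; [] means clean.  Unlisted files count:
    a compromised mirror can add an ebuild as easily as edit one."""
    expected = parse_manifest(manifest_text)
    actual = parse_manifest(build_manifest(root))
    problems = []
    for rel, entry in expected.items():
        if rel not in actual:
            problems.append(("missing", rel))
        elif actual[rel] != entry:
            problems.append(("modified", rel))
    problems += [("unlisted", rel) for rel in actual if rel not in expected]
    return sorted(problems)


def sign_manifest(root, key_id):
    """Hook side: write the manifest and one armored detached signature over
    it.  Needs gpg on PATH holding the secret key for key_id (assumed)."""
    path = os.path.join(root, MANIFEST_NAME)
    with open(path, "w") as f:
        f.write(build_manifest(root))
    subprocess.run(["gpg", "--batch", "--yes", "--armor", "--local-user", key_id,
                    "--output", os.path.join(root, SIGNATURE_NAME),
                    "--detach-sign", path], check=True)


def verify_signed_tree(root):
    """Client side: gpg checks the signature first (raises if bad), and only
    then is the manifest trusted to judge the files."""
    path = os.path.join(root, MANIFEST_NAME)
    subprocess.run(["gpg", "--batch", "--verify",
                    os.path.join(root, SIGNATURE_NAME), path], check=True)
    with open(path) as f:
        return verify_tree(root, f.read())


def make_sample_tree():
    """Constructed stand-in for a checkout: three files in a portage-like layout."""
    root = tempfile.mkdtemp(prefix="signed-tree-")
    sample = {
        "cat/pkg/pkg-1.0.ebuild": 'DESCRIPTION="sample"\nSRC_URI="mirror://x/pkg-1.0.tar.gz"\n',
        "licenses/GPL-2": "GNU GENERAL PUBLIC LICENSE\n",
        "profiles/use.desc": "ssl - Adds support for SSL\n",
    }
    for rel, body in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
    return root


def run_demo():
    """Record a clean manifest, then tamper the way a compromised rsync
    server could: edit one file, delete one, add one."""
    root = make_sample_tree()
    manifest = build_manifest(root)
    result = {"entries": len(manifest.splitlines()),
              "stable": build_manifest(root) == manifest,
              "clean": verify_tree(root, manifest)}
    with open(os.path.join(root, "profiles/use.desc"), "a") as f:
        f.write("backdoor - Planted flag\n")
    os.remove(os.path.join(root, "licenses/GPL-2"))
    with open(os.path.join(root, "cat/pkg/pkg-1.1.ebuild"), "w") as f:
        f.write("# injected by the mirror\n")
    result["tampered"] = verify_tree(root, manifest)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script as-is exercises only the hashing and comparison (no gpg needed); `sign_manifest` and `verify_signed_tree` are the two gpg calls the hook and the client would make. The single point of trust is then the one public key shipped with the tools, which is exactly the trade the mail argues for: no per-developer key management, and the client still rejects any tree a mirror has edited, trimmed or extended.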