From: "Chris Bainbridge"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Signing everything, for fun and for profit
Date: Fri, 19 May 2006 17:06:15 +0100
Message-ID: <623652d50605190906j716691dga8b771db50cc1b9f@mail.gmail.com>
In-Reply-To: <1148052386.23382.40.camel@localhost>
References: <1147988717.32416.51.camel@localhost> <623652d50605190246q625e9c76g820fc4138ee88cb4@mail.gmail.com> <1148037602.23382.23.camel@localhost> <623652d50605190713n38d3aa7bi2f6776f5d8a86a2f@mail.gmail.com> <1148052386.23382.40.camel@localhost>

On 19/05/06, Patrick Lauer wrote:
> On Fri, 2006-05-19 at 15:13 +0100, Chris Bainbridge wrote:
> > There are now several hundred gentoo developers. It is more likely
> > that one of them has a security lapse than cvs.gentoo.org.
> One is a "local" bug, the other one "global".
> I'd prefer a system that is resilient against two devs going crazy -
> right now the "right" persons could stage a manipulation that would be
> hard to detect and where your (single central) signature fails quite
> nicely.

Realistically, you have to trust the gentoo devs. The only system that
won't fail against the rogue developer threat is to have multiple
sign-off on commits. Most developers don't want that. Even if it were
required, it would only raise the bar slightly - all a rogue developer
would have to do is to establish a new id, fix some bugs, and "recruit"
themselves.

> It's very coarse - Yes / No
> Doesn't tell you what failed how ... so I DoS it by inserting one bit on
> any rsync mirror and it will "fail". You don't know what fails where ...
> You can't upgrade and you don't know what fails where ...
> Right, but ... what caused the error?

It doesn't matter which bit in which file was changed - if an attacker
has access to corrupt the tree, then the whole tree is suspect and can't
be trusted. From a user's point of view - they don't care what caused the
error, they just sync again with a different server. From a developer's
point of view - you can just diff the corrupt server against your local
tree and look for exploit code.

> > It could be done in stages. Start with the (easier) central key, then
> > later add distributed keys. I think a hybrid system would be the ideal
> > system, but realistically, bug #5902 has been around since March 2003
> > and no real progress has been made.
> That bug appears quite unrelated to me ... how does FEATURES="userpriv"
> relate to signing?

#5902 is "emerge security - running as root and digital signatures".
Digital signatures have something to do with signing ;-) Actually, the
bug has been open since August 2002...

> > The main sticking point seems to
> > be disagreements over key management and policies. I would hope that
> > most people could agree that a single key with a post-commit signing
> > is better than what we have now,
> debatable

It's debatable that a centralised signing of the tree is better than
not having any security at all?

> > and could be easily implemented,
> yes
> > whilst leaving open the option of a hybrid system implementation at a
> > later date.
> yes
>
> but that's not a cure. You'd have to sign _each file_ to get a
> reasonable tampering detection, or at least per-directory. You add a
> single point of failure and give attackers a high-profile target.

It depends... what is the purpose of signing individual files? If it's
to find the point of corruption, then you can just diff the corrupt tree
against a good one and look for any exploit-like code. Look at it this
way - when emerge detects a corrupt tar.gz in distfiles, it doesn't tell
you exactly what file in the package is corrupt. It just downloads it
from someplace else. The same principle can be applied to the portage
tree. I'm open to the possibility of signing every file/directory
individually if there's a good reason, but I don't see one at the
moment.

--
gentoo-dev@gentoo.org mailing list
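Added example, not from this thread or from Gentoo's own tooling: a toy comparison of the two granularities argued over above, one signature over the whole tree versus a signed list of per-file digests (standing in for signing each file), with HMAC-SHA256 under a constructed key standing in for the real signing scheme. Paths, file contents and the key are all constructed.

```python
import hashlib
import hmac

# Constructed toy tree (path -> contents); stands in for a portage checkout, not real ebuilds.
GOOD_TREE = {
    "app-misc/foo/foo-1.0.ebuild": b'DESCRIPTION="foo"\nSRC_URI="foo-1.0.tar.gz"\n',
    "app-misc/foo/Manifest": b"DIST foo-1.0.tar.gz 1234 SHA256 <constructed>\n",
    "app-misc/bar/bar-2.1.ebuild": b'DESCRIPTION="bar"\n',
}
# Constructed key: HMAC-SHA256 under it stands in for the single central signing key.
CENTRAL_KEY = b"constructed-central-key"

def tree_digest(tree):
    """One digest over every path and its contents, in a canonical order."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode() + b"\0" + tree[path] + b"\0")
    return h.digest()

def sign_whole_tree(tree, key=CENTRAL_KEY):
    """The coarse scheme: a single signature over the whole tree."""
    return hmac.new(key, tree_digest(tree), hashlib.sha256).hexdigest()

def verify_whole_tree(tree, signature, key=CENTRAL_KEY):
    """Yes/No only: one flipped bit anywhere fails this, with no hint as to where."""
    return hmac.compare_digest(sign_whole_tree(tree, key), signature)

def per_file_manifest(tree):
    """Per-file digests; signing this list stands in for signing each file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def sign_manifest(manifest, key=CENTRAL_KEY):
    """Signature over the sorted per-file digest list (the reference a client keeps)."""
    lines = "".join(f"{p} {d}\n" for p, d in sorted(manifest.items())).encode()
    return hmac.new(key, lines, hashlib.sha256).hexdigest()

def locate_tampering(tree, manifest):
    """Per-file check: paths whose digest differs from the manifest (changed, added or removed)."""
    actual = per_file_manifest(tree)
    return sorted(p for p in set(actual) | set(manifest) if actual.get(p) != manifest.get(p))

def flip_one_bit(tree, path):
    """The 'one bit on any rsync mirror' case: copy of the tree with one bit flipped in one file."""
    data = bytearray(tree[path])
    data[0] ^= 0x01
    return {**tree, path: bytes(data)}
```

The whole-tree check reports only that something is wrong, while the per-file list names the file, which is the localisation the thread debates; either way the reference signature itself is unaffected by mirror-side corruption.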