Re: [gentoo-dev] Re: Signing everything, for fun and for profit

["Chris Bainbridge" <chris.bainbridge@gmail.com>]

On 20/05/06, Peter <pete4abw@comcast.net> wrote:
> PMFJI, but as a user, not a security expert, I had a few thoughts that I'd
> like to throw in. Thanks to Patrick, he helped me to drill down some of
> the ideas and I present them for consideration. It's just a framework, so
> I will be brief

Thanks for your input. From a security point of view your scheme is
fine, but as pointed out by others you won't be able to selectively
rsync parts of the tree. That will require a signature for each
manifest, and a manifest for every directory. The problem I see is
that the manifest is going to have to include a hash for each
subdirectory - otherwise you open the possibility of someone replacing
a directory with one from the past that contains some known
insecurity, or corrupting the tree by swapping random directories, and
yet the signatures remain valid. Of course, that hash changes if you
allow people to rsync_exclude directories, and hence the signature
changes. So you can either accept that if you selectively rsync then
you won't be able to verify the signed tree, or accept that there is a
known security problem with having no signed link between parent and
child directories, or come up with a different scheme.

Obviously the manifests also have to be checked to make sure they're
valid - this is currently done for package directories at emerge time,
it would need to be extended to all other directories. I'd prefer the
checks done at sync time since that's a one time cost and you don't
have to figure out exactly what files will be used by each emerge
operation.

-- 
gentoo-dev@gentoo.org mailing list