From: "Chris Bainbridge"
To: gentoo-dev@lists.gentoo.org
Date: Sat, 20 May 2006 15:37:54 +0100
Subject: Re: [gentoo-dev] Re: Signing everything, for fun and for profit
Message-ID: <623652d50605200737l315d4159ie0e3982c0e970e44@mail.gmail.com>
References: <1147988717.32416.51.camel@localhost>

On 20/05/06, Peter wrote:
> PMFJI, but as a user, not a security expert, I had a few thoughts that I'd
> like to throw in. Thanks to Patrick, he helped me to drill down some of
> the ideas and I present them for consideration. It's just a framework, so
> I will be brief

Thanks for your input. From a security point of view your scheme is fine, but as pointed out by others you won't be able to selectively rsync parts of the tree. That will require a signature for each manifest, and a manifest for every directory.

The problem I see is that the manifest is going to have to include a hash for each subdirectory - otherwise you open the possibility of someone replacing a directory with one from the past that contains some known insecurity, or corrupting the tree by swapping random directories, and yet the signatures remain valid.

Of course, that hash changes if you allow people to rsync_exclude directories, and hence the signature changes. So you can either accept that if you selectively rsync then you won't be able to verify the signed tree, or accept that there is a known security problem with having no signed link between parent and child directories, or come up with a different scheme.

Obviously the manifests also have to be checked to make sure they're valid - this is currently done for package directories at emerge time, it would need to be extended to all other directories. I'd prefer the checks done at sync time since that's a one-time cost and you don't have to figure out exactly what files will be used by each emerge operation.

-- 
gentoo-dev@gentoo.org mailing list
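The trade-off Chris describes (a manifest per directory, with or without each parent recording a hash of its subdirectories' manifests, verified at sync time) as an added Python example that is not part of the thread or of any Gentoo tool. The in-memory tree, the directory and file names, and the signing key are constructed for the demo, and an HMAC stands in for the GPG detached signature the real scheme would use:

```python
import hashlib
import hmac
import json

# Constructed stand-in for the tree signing key. In the real design this
# would be a GPG key and `sign` would produce a detached signature.
SIGNING_KEY = b"constructed-demo-signing-key"


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_manifest(manifest: dict) -> str:
    # Canonical JSON so the digest does not depend on dict ordering.
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()


def sign(digest: str) -> str:
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()


def build_manifests(tree: dict, link_subdirs: bool = True, path: str = "") -> tuple:
    """Produce one signed manifest per directory of an in-memory tree.

    `tree` maps names to bytes (files) or nested dicts (directories).
    With link_subdirs=True each manifest also records the digest of every
    child manifest, so the parent's signature is bound to its children.
    Returns (digest_of_this_manifest, {dir_path: {"manifest", "sig"}}).
    """
    signed = {}
    manifest = {"files": {}, "dirs": {}}
    for name in sorted(tree):
        node = tree[name]
        if isinstance(node, dict):
            child_digest, child_signed = build_manifests(node, link_subdirs, f"{path}{name}/")
            signed.update(child_signed)
            if link_subdirs:
                manifest["dirs"][name] = child_digest
        else:
            manifest["files"][name] = file_hash(node)
    digest = hash_manifest(manifest)
    signed[path] = {"manifest": manifest, "sig": sign(digest)}
    return digest, signed


def verify_tree(tree: dict, signed: dict, link_subdirs: bool = True, path: str = "") -> tuple:
    """Recompute every directory from its contents and compare it with the
    stored manifest and signature. Returns (digest, [failing dir paths])."""
    failures = []
    expected = {"files": {}, "dirs": {}}
    for name in sorted(tree):
        node = tree[name]
        if isinstance(node, dict):
            child_digest, child_failures = verify_tree(node, signed, link_subdirs, f"{path}{name}/")
            failures.extend(child_failures)
            if link_subdirs:
                expected["dirs"][name] = child_digest
        else:
            expected["files"][name] = file_hash(node)
    entry = signed.get(path)
    if entry is None:
        failures.append(path)  # directory arrived without its manifest
        return "", failures
    digest = hash_manifest(entry["manifest"])
    if entry["manifest"] != expected or not hmac.compare_digest(sign(digest), entry["sig"]):
        failures.append(path)
    return digest, failures


# Constructed trees: an older signed snapshot and the current one.
OLD_TREE = {
    "profiles": {"package.mask": b"# nothing masked\n"},
    "app-foo": {"foo-1.0.ebuild": b"DESCRIPTION='older release'\n"},
}
NEW_TREE = {
    "profiles": {"package.mask": b"# nothing masked\n"},
    "app-foo": {"foo-1.1.ebuild": b"DESCRIPTION='current release'\n"},
}


def rollback_demo(link_subdirs: bool) -> list:
    """Swap app-foo/ in the current tree for the old directory together with
    its old, validly signed manifest. Returns the directories that fail."""
    _, old_signed = build_manifests(OLD_TREE, link_subdirs)
    _, new_signed = build_manifests(NEW_TREE, link_subdirs)
    tampered = dict(NEW_TREE, **{"app-foo": OLD_TREE["app-foo"]})
    tampered_signed = dict(new_signed)
    tampered_signed["app-foo/"] = old_signed["app-foo/"]
    return verify_tree(tampered, tampered_signed, link_subdirs)[1]


def exclude_demo(link_subdirs: bool) -> list:
    """Sync everything except profiles/ (an rsync_exclude). Returns the
    directories that fail verification against the full tree's manifests."""
    _, signed = build_manifests(NEW_TREE, link_subdirs)
    partial = {name: node for name, node in NEW_TREE.items() if name != "profiles"}
    return verify_tree(partial, signed, link_subdirs)[1]


if __name__ == "__main__":
    print("rollback, linked:", rollback_demo(True))    # root manifest fails
    print("rollback, unlinked:", rollback_demo(False))  # nothing fails
    print("exclude, linked:", exclude_demo(True))       # root manifest fails
    print("exclude, unlinked:", exclude_demo(False))    # nothing fails
```

With the parent-to-child hash present, `rollback_demo` reports the root directory, because the old `app-foo/` manifest still carries a valid signature but no longer matches the digest the parent recorded for it; without that link every directory verifies and the swap goes unnoticed. `exclude_demo` shows the other side of the same choice: once the root records its children, leaving out `profiles/` makes the root manifest fail, which is exactly why selective rsync and a fully verifiable signed tree pull in opposite directions.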