From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1Q3JPS-0005cz-9Q for garchives@archives.gentoo.org; Sat, 26 Mar 2011 02:39:26 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 603C01C0C3; Sat, 26 Mar 2011 02:39:17 +0000 (UTC) Received: from mail-iy0-f181.google.com (mail-iy0-f181.google.com [209.85.210.181]) by pigeon.gentoo.org (Postfix) with ESMTP id B28CC1C009 for ; Sat, 26 Mar 2011 02:38:48 +0000 (UTC) Received: by iyb26 with SMTP id 26so2154343iyb.40 for ; Fri, 25 Mar 2011 19:38:48 -0700 (PDT) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Received: by 10.42.221.196 with SMTP id id4mr2231570icb.141.1301107127558; Fri, 25 Mar 2011 19:38:47 -0700 (PDT) Sender: antarus@scriptkitty.com Received: by 10.42.228.73 with HTTP; Fri, 25 Mar 2011 19:38:47 -0700 (PDT) In-Reply-To: References: <20110325074824.TAf2c206.tv@veller.net> <201103250953.19757.dilfridge@gentoo.org> <4D8CE590.8060905@gentoo.org> Date: Sat, 26 Mar 2011 02:38:47 +0000 X-Google-Sender-Auth: tkC6ZAJGqT9OtVoDL9_HvRI2Pgk Message-ID: Subject: Re: [gentoo-dev] Re: rejecting unsigned commits From: Alec Warner To: gentoo-dev@lists.gentoo.org Cc: Mike Frysinger Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 44c77aacebe52d44f71a51b7058268c2 On Fri, Mar 25, 2011 at 7:28 PM, Mike Frysinger wrote: > On Fri, Mar 25, 2011 at 2:57 PM, Dane Smith wrote: >> On 03/25/2011 02:46 PM, Mike Frysinger wrote: >>> On Fri, Mar 25, 2011 at 4:53 AM, Andreas K. Huettel wrote: >>>> Of course now we can add additional requirements: >>>> >>>> * The key must have an userid that refers to an official Gentoo e-mail >>>> address. E.g. dilfridge@gentoo.org >>> >>> no. =C2=A0there's no reason for this requirement, and it prevents proxy >>> maintenance long term. =C2=A0e-mail addresses do not verify identity, >>> verifying identify verifies identity. =C2=A0this is the point of the we= b of >>> trust. >> >> We are somewhat limited in the amount that we can verify "identity." >> Sure you can get a decent web of trust from signing the keys of people >> you've met at conferences, however, there will be people outside of that >> web. > > creating one "tree key" which signs all developer keys listed in LDAP > is trivial to do > >> What we need to verify is rather that the person who made the >> commit is someone who is authorized to make the commit and that it was >> in no way tampered with. > > you're validating only that the machine with access to the private > keys pushed up the commit. =C2=A0hopefully the only person with said > machine is the one we recruited. > -mike > > Coming back around to the earlier discussion of Alice who has her key signed by robbat2 (because he loves keysigning parties) and then Alice breaks into cvs.gentoo.org and commits evil code into the tree. If we cannot stop this attack because we are relying on a chain of trust (and Alice is in the chain) can we at least detect the attack? As it appears to me; I am much more likely to somehow manipulate the chain in trust in an incorrect way (such as at a keysigning hibjib) as opposed to adding some random strangers key to a master list on dev.gentoo.org or in LDAP. The former action is essentially an innocent act with non-obvious (to me) repercussions and the latter is an act with really only one intent. I don't care about GPG at all. I hate it. I don't want to know how it works and I don't want developers who are in the same boat as me to fuck it up because they don't know what they are doing. I don't have commit-bit to gentoo-x86 so I don't have a big stake in this ;)