From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-dev+bounces-44997-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1Q3JPS-0005cz-9Q
	for garchives@archives.gentoo.org; Sat, 26 Mar 2011 02:39:26 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 603C01C0C3;
	Sat, 26 Mar 2011 02:39:17 +0000 (UTC)
Received: from mail-iy0-f181.google.com (mail-iy0-f181.google.com [209.85.210.181])
	by pigeon.gentoo.org (Postfix) with ESMTP id B28CC1C009
	for <gentoo-dev@lists.gentoo.org>; Sat, 26 Mar 2011 02:38:48 +0000 (UTC)
Received: by iyb26 with SMTP id 26so2154343iyb.40
        for <gentoo-dev@lists.gentoo.org>; Fri, 25 Mar 2011 19:38:48 -0700 (PDT)
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.42.221.196 with SMTP id id4mr2231570icb.141.1301107127558;
 Fri, 25 Mar 2011 19:38:47 -0700 (PDT)
Sender: antarus@scriptkitty.com
Received: by 10.42.228.73 with HTTP; Fri, 25 Mar 2011 19:38:47 -0700 (PDT)
In-Reply-To: <AANLkTikcOiK4+DD+9DG8s=HzjXvvO7td5=RBU8fP9uDX@mail.gmail.com>
References: <AANLkTi=4o69ytUxAVpy-O31AWQv-5p4bEWD2466NWYGx@mail.gmail.com>
	<AANLkTikHtND=ttd8afj2yBW3pbkqVcfhwnMXiHsFPvBV@mail.gmail.com>
	<20110325074824.TAf2c206.tv@veller.net>
	<201103250953.19757.dilfridge@gentoo.org>
	<AANLkTimQDA7FPxuRtBrp5wYiC3MvcJDnbf-yS-B3KOMO@mail.gmail.com>
	<4D8CE590.8060905@gentoo.org>
	<AANLkTikcOiK4+DD+9DG8s=HzjXvvO7td5=RBU8fP9uDX@mail.gmail.com>
Date: Sat, 26 Mar 2011 02:38:47 +0000
X-Google-Sender-Auth: tkC6ZAJGqT9OtVoDL9_HvRI2Pgk
Message-ID: <AANLkTikrHbFGvgDwh-r4YqGiBEX7sKOSh0VRwb_zx3jJ@mail.gmail.com>
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
From: Alec Warner <antarus@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: Mike Frysinger <vapier@gentoo.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: 
X-Archives-Hash: 44c77aacebe52d44f71a51b7058268c2

On Fri, Mar 25, 2011 at 7:28 PM, Mike Frysinger <vapier@gentoo.org> wrote:
> On Fri, Mar 25, 2011 at 2:57 PM, Dane Smith wrote:
>> On 03/25/2011 02:46 PM, Mike Frysinger wrote:
>>> On Fri, Mar 25, 2011 at 4:53 AM, Andreas K. Huettel wrote:
>>>> Of course now we can add additional requirements:
>>>>
>>>> * The key must have an userid that refers to an official Gentoo e-mail
>>>> address. E.g. dilfridge@gentoo.org
>>>
>>> no.  there's no reason for this requirement, and it prevents proxy
>>> maintenance long term.  e-mail addresses do not verify identity,
>>> verifying identity verifies identity.  this is the point of the web of
>>> trust.
>>
>> We are somewhat limited in the amount that we can verify "identity."
>> Sure you can get a decent web of trust from signing the keys of people
>> you've met at conferences, however, there will be people outside of that
>> web.
>
> creating one "tree key" which signs all developer keys listed in LDAP
> is trivial to do
>
>> What we need to verify is rather that the person who made the
>> commit is someone who is authorized to make the commit and that it was
>> in no way tampered with.
>
> you're validating only that the machine with access to the private
> keys pushed up the commit.  hopefully the only person with said
> machine is the one we recruited.
> -mike
>
>

Coming back around to the earlier discussion of Alice, who has her key
signed by robbat2 (because he loves keysigning parties) and then Alice
breaks into cvs.gentoo.org and commits evil code into the tree.  If we
cannot stop this attack because we are relying on a chain of trust
(and Alice is in the chain), can we at least detect the attack?

As it appears to me, I am much more likely to somehow manipulate the
chain of trust in an incorrect way (such as at a keysigning hibjib) as
opposed to adding some random stranger's key to a master list on
dev.gentoo.org or in LDAP.  The former action is essentially an
innocent act with non-obvious (to me) repercussions and the latter is
an act with really only one intent.

I don't care about GPG at all.  I hate it.  I don't want to know how
it works and I don't want developers who are in the same boat as me to
fuck it up because they don't know what they are doing.  I don't have
commit-bit to gentoo-x86 so I don't have a big stake in this ;)
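
The following is an added example, not part of this thread and not Gentoo's
own infrastructure code. It shows the check the discussion above circles
around: a commit signature is accepted only if the signature is good AND the
signing key's full fingerprint is on an explicit authorization list (the
"developer keys listed in LDAP" Mike mentions), independent of how well the
key is connected in the web of trust. That is what makes the "Alice" case
detectable: her key can be TRUST_FULLY via robbat2's signature and the commit
is still flagged, because she is not on the list. The input is the
machine-readable status gpg emits with --status-fd, which is what
`git verify-commit --raw <sha>` prints on stderr; the fingerprints, names and
status lines below are constructed for the example, and the allow-list is a
stand-in for the real LDAP-backed list.

```python
"""Added example (not Gentoo's code): authorize a signed commit by an explicit
key allow-list, not by web-of-trust validity.

Input: gpg --status-fd lines, as printed on stderr by `git verify-commit --raw`.
All fingerprints, names and status lines here are constructed for the demo.
"""

import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Status keywords meaning the signature itself must be rejected.
BAD_SIG_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed allow-list of full 40-hex fingerprints; stands in for the
# LDAP developer key list from the thread.  Hypothetical values.
AUTHORIZED_FPRS: Set[str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567",  # hypothetical developer key
}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    fingerprint: Optional[str]
    trust: Optional[str]


def parse_status(lines: Iterable[str]) -> Tuple[bool, Optional[str], Optional[str]]:
    """Reduce gpg status lines to (signature_good, fingerprint, trust_level).

    GOODSIG alone is not enough: VALIDSIG carries the full fingerprint, and
    TRUST_* is gpg's web-of-trust opinion, which is recorded but not relied on.
    """
    good = False
    fpr: Optional[str] = None
    trust: Optional[str] = None
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in BAD_SIG_KEYWORDS:
            return False, fpr, trust
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fpr = fields[2].upper()
        elif keyword.startswith("TRUST_"):
            trust = keyword
    return good, fpr, trust


def authorize(lines: Iterable[str], authorized: Set[str] = AUTHORIZED_FPRS) -> Verdict:
    """Accept only a good signature whose key fingerprint is on the allow-list."""
    good, fpr, trust = parse_status(list(lines))
    if not good or fpr is None:
        return Verdict(False, "signature missing, bad, expired or revoked", fpr, trust)
    if fpr not in authorized:
        # The "Alice" case: fully trusted in the web of trust, not an authorized
        # committer.  This is the event to alert on, not just reject.
        return Verdict(False, f"key is {trust or 'of unknown trust'} in WoT but not authorized", fpr, trust)
    return Verdict(True, "good signature from an authorized key", fpr, trust)


def status_for_commit(sha: str) -> List[str]:
    """Real status lines for a commit (needs git and gpg; unused by the offline demo)."""
    proc = subprocess.run(["git", "verify-commit", "--raw", sha],
                          capture_output=True, text=True)
    return proc.stderr.splitlines()


# Constructed status output for three commits (not captured from a real repo).
DEV_COMMIT = [  # authorized key, good signature
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-03-25 1301039599 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
ALICE_COMMIT = [  # good signature, trusted via the WoT, but not on the list
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FEDCBA9876543210 Alice <alice@example.org>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-03-25 1301039600 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
TAMPERED_COMMIT = [  # authorized key, but the signed content no longer matches
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Developer <dev@example.org>",
]

if __name__ == "__main__":
    for name, status in (("dev", DEV_COMMIT), ("alice", ALICE_COMMIT), ("tampered", TAMPERED_COMMIT)):
        v = authorize(status)
        print(f"{name}: {'ACCEPT' if v.accepted else 'REJECT'} ({v.reason})")
```

In a pre-receive hook you would run status_for_commit() on each new commit
and call authorize() on the result; a rejection whose fingerprint is set but
not on the list is the signal worth alerting on, since it means a key that
verifies fine was used by someone the list does not know.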