From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: Devmanual text on ChangeLogs
Date: Sun, 1 May 2011 19:43:48 -0400
In-Reply-To: <20110501233108.GB3632@hrair>

On Sun, May 1, 2011 at 7:31 PM, Brian Harring wrote:
> Get at that key, and you've got the tree, versus the current form,
> crack all signing keys and you've got the tree.

Well, more like get any one of the keys and you get the tree, since portage only validates that a trusted key signed a package, and not that the key belonged to the package maintainer.

In any case, the whole way that manifest signing works does not really preserve a signature from end-to-end. If I sign three files and somebody else signs two files, they end up overwriting my signature. So, if a mirror checks all the sigs, makes a change, and re-signs with its own key that isn't much less secure than what we have now.

I wouldn't actually distribute the work all the way to the mirrors though - I'd have a central server generate the changelogs, sign them, and then propagate that to the mirror network. You just need to protect that one server really well then.

If you really want to have dev->user trust with no broken links then the signatures would need to be associated with each file - not just the whole manifest. Plus, the local portage would need to check the metadata cache for consistency.

In any case, I see manifest signing as a relatively minor issue here. It seems like the more fundamental debate is how much metadata we really should be distributing all the way to end-user systems, vs keeping it in a repository like a cvs log. Sure, offline access is useful, but the question is whether it is useful enough.

My personal feeling is that we should keep the changelogs as-is, and include removals, until we're on git. Then we should re-evaluate.

Rich
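
The trust model discussed in the message above, as an added example that is not part of the original message and is not portage code. It contrasts "any trusted key may sign the manifest" with a maintainer-bound check, and shows what per-file signatures preserve after a re-sign. HMAC secrets stand in for OpenPGP keys, and the developer names, package name and file contents are constructed.

```python
import hashlib, hmac

# Constructed data: HMAC secrets stand in for developers' OpenPGP keys.
KEYRING = {"alice": b"alice-secret", "bob": b"bob-secret"}
MAINTAINERS = {"app-misc/foo": {"alice"}}  # hypothetical package and maintainer

def sign(signer, data):
    return hmac.new(KEYRING[signer], data, hashlib.sha256).hexdigest()

def valid(signer, data, sig):
    return signer in KEYRING and hmac.compare_digest(sign(signer, data), sig)

def sign_manifest(signer, files):
    """One signature over the whole manifest (a 'name sha256' line per file)."""
    body = "\n".join(f"{n} {hashlib.sha256(c).hexdigest()}"
                     for n, c in sorted(files.items())).encode()
    return {"body": body, "signer": signer, "sig": sign(signer, body)}

def verify_any_trusted(m):
    """Policy from the message: any key in the keyring is accepted."""
    return valid(m["signer"], m["body"], m["sig"])

def verify_maintainer(package, m):
    """Stricter policy: the signer must also maintain the package."""
    return verify_any_trusted(m) and m["signer"] in MAINTAINERS.get(package, set())

def sign_file(signer, name, content):
    """Per-file signature, bound to the file name as well as its content."""
    return {"signer": signer, "sig": sign(signer, name.encode() + b"\0" + content)}

def file_signers(files, sigs):
    """Map each file to the signer whose per-file signature still verifies."""
    return {n: s["signer"] for n, s in sigs.items()
            if n in files and valid(s["signer"], n.encode() + b"\0" + files[n], s["sig"])}

def demo():
    files = {"foo-1.0.ebuild": b"v1", "ChangeLog": b"log", "metadata.xml": b"<x/>"}
    sigs = {n: sign_file("alice", n, c) for n, c in files.items()}
    # bob edits two of the three files and re-signs.
    for n in ("foo-1.0.ebuild", "ChangeLog"):
        files[n] += b" edited"
        sigs[n] = sign_file("bob", n, files[n])
    manifest = sign_manifest("bob", files)  # replaces alice's manifest signature
    return (verify_any_trusted(manifest),
            verify_maintainer("app-misc/foo", manifest),
            file_signers(files, sigs))

if __name__ == "__main__":
    print(demo())
```

After the re-sign, the manifest carries only the last signer, while the per-file signatures still attribute the untouched file to its original signer.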