In-Reply-To: <20110501233108.GB3632@hrair>
References: <4DBBCC6D.7080504@gentoo.org>
	<20110501100017.GE24801@gentoo.org>
	<20110501210831.GA2816@Eternity.halls.manchester.ac.uk>
	<20110501223325.GA3632@hrair>
	<20110501224906.GA4116@Eternity.halls.manchester.ac.uk>
	<pan.2011.05.01.23.23.40@cox.net>
	<20110501233108.GB3632@hrair>
Date: Sun, 1 May 2011 19:43:48 -0400
Message-ID: <BANLkTik7JRa7GouSAGo4syaNMAgy-gz+Ag@mail.gmail.com>
Subject: Re: [gentoo-dev] Re: Devmanual text on ChangeLogs
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-dev@lists.gentoo.org

On Sun, May 1, 2011 at 7:31 PM, Brian Harring <ferringb@gmail.com> wrote:
> Get at that key, and you've got the tree, versus the current form,
> crack all signing keys and you've got the tree.

Well, more like get any one of the keys and you get the tree, since
portage only validates that a trusted key signed a package, and not
that the key belonged to the package maintainer.

In any case, the whole way that manifest signing works does not really
preserve a signature from end-to-end.  If I sign three files and
somebody else signs two files, they end up overwriting my signature.

So, if a mirror checks all the sigs, makes a change, and re-signs with
its own key, that isn't much less secure than what we have now.  I
wouldn't actually distribute the work all the way to the mirrors
though - I'd have a central server generate the changelogs, sign them,
and then propagate that to the mirror network.  You just need to
protect that one server really well then.

If you really want to have dev->user trust with no broken links then
the signatures would need to be associated with each file - not just
the whole manifest.  Plus, the local portage would need to check the
metadata cache for consistency.

In any case, I see manifest signing as a relatively minor issue here.
It seems like the more fundamental debate is how much metadata we
really should be distributing all the way to end-user systems, vs
keeping it in a repository like a cvs log.  Sure, offline access is
useful, but the question is whether it is useful enough.

My personal feeling is that we should keep the changelogs as-is, and
include removals, until we're on git.  Then we should re-evaluate.

Rich
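The distinction Rich draws between "a trusted key signed it" and "the maintainer's key signed it" can be made concrete with two verification policies over the same signed Manifest. This is an added example, not code from the thread or from Portage: it uses Ed25519 instead of OpenPGP, a constructed Manifest text, and an assumed package-to-maintainer key binding that Portage's Manifest format does not carry.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Policy holds the trusted keyring and an assumed binding from package to
// the key ID of its maintainer (constructed for this example).
type Policy struct {
	Trusted     map[string]ed25519.PublicKey
	Maintainers map[string]string
}

// VerifyAnyTrusted is the check described in the thread: accept the Manifest
// if any key in the trusted keyring produced the signature.
func (p Policy) VerifyAnyTrusted(manifest, sig []byte, keyID string) bool {
	pub, ok := p.Trusted[keyID]
	return ok && ed25519.Verify(pub, manifest, sig)
}

// VerifyMaintainerBound additionally requires the signing key to be the one
// bound to the package, so a single trusted key no longer covers the whole tree.
func (p Policy) VerifyMaintainerBound(pkg string, manifest, sig []byte, keyID string) bool {
	return p.Maintainers[pkg] == keyID && p.VerifyAnyTrusted(manifest, sig, keyID)
}

// seed derives a fixed 32-byte Ed25519 seed from a label (constructed, for reproducibility).
func seed(label string) []byte {
	s := make([]byte, ed25519.SeedSize)
	copy(s, label)
	return s
}

// Scenario: A maintains app-foo/bar, B is trusted but maintains other packages.
// Returns: any-trusted verdict on B's signature, maintainer-bound verdict on B's
// signature, maintainer-bound verdict on A's signature, and the verdict on an altered copy.
func Scenario() (anyB, boundB, boundA, altered bool) {
	privA, privB := ed25519.NewKeyFromSeed(seed("seed-A")), ed25519.NewKeyFromSeed(seed("seed-B"))
	p := Policy{
		Trusted:     map[string]ed25519.PublicKey{"A": privA.Public().(ed25519.PublicKey), "B": privB.Public().(ed25519.PublicKey)},
		Maintainers: map[string]string{"app-foo/bar": "A"},
	}
	manifest := []byte("DIST bar-1.0.tar.gz 1234 SHA256 <constructed>\nEBUILD bar-1.0.ebuild 321 SHA256 <constructed>\n")
	sigB, sigA := ed25519.Sign(privB, manifest), ed25519.Sign(privA, manifest)
	anyB = p.VerifyAnyTrusted(manifest, sigB, "B")
	boundB = p.VerifyMaintainerBound("app-foo/bar", manifest, sigB, "B")
	boundA = p.VerifyMaintainerBound("app-foo/bar", manifest, sigA, "A")
	changed := append([]byte("EBUILD bar-1.1.ebuild 1 SHA256 <constructed>\n"), manifest...)
	altered = p.VerifyAnyTrusted(changed, sigB, "B") // content changed after signing
	return
}

func main() {
	fmt.Println(Scenario())
}
```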