From: Rich Freeman
Sender: freemanrich@gmail.com
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Date: Fri, 8 Jun 2012 07:36:56 -0400
In-Reply-To: <20120608110155.GA15249@odin.tremily.us>
References: <20120604191000.GA3692@localhost> <20120604204132.GB3692@localhost> <20120608110155.GA15249@odin.tremily.us>
List-Id: Gentoo Linux mail

On Fri, Jun 8, 2012 at 7:01 AM, W. Trevor King wrote:
> When the breach is discovered, you can then isolate the dev (or devs)
> who implicitly signed the hack (2) by pulling the ToT without checking
> for a valid signature (3). Then you yell at them for sloppy security,
> and tell them to install your signature-checking post-receive hook.

Well, if devs are supposed to do this, we should probably write this down as a policy somewhere. Probably wouldn't hurt if the post-receive hook actually existed, and if it was designed to only work on the official tree; otherwise everybody will just uninstall it, since people don't just pull from the official tree.

I doubt any dev checks the signatures on manifest files before they overwrite them with a new signature. If they did, it wouldn't matter, since those signatures aren't even mandatory anyway. Certainly it isn't intuitive to me that when I perform a signature on changes I make, I'm also vouching for work committed by somebody else before me.

Process can be as effective as technology in achieving security, but only if those processes are clear and unintrusive enough to ensure they are followed. I wouldn't count on being able to yell at developers: first, it does nothing to solve the mess that you'd be in at that point, and second, you can only yell at volunteers so much.

Rich
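The hook Rich asks for above, written out as an added example (this is not Gentoo's hook and not code from this thread): a POSIX sh post-receive hook that reads git's %G? signature status for every commit a push brings in, and does nothing at all unless the repository's origin URL matches the official tree. The OFFICIAL_TREE fragment git.example.org/gentoo.git is a hypothetical placeholder, and the function names are mine; the status codes are the ones git itself emits for the %G? format placeholder.

```shell
#!/bin/sh
# Added example (not Gentoo's hook, not from this thread): a post-receive hook
# that verifies the signature of every commit a push delivered, and stays
# silent unless this repository's origin is the official tree.
# OFFICIAL_TREE is a hypothetical URL fragment; substitute the real one.
OFFICIAL_TREE='git.example.org/gentoo.git'
ZERO_SHA=0000000000000000000000000000000000000000

# Return 0 when the remote URL names the official tree, 1 otherwise.
# Takes the URL as an argument so it can be checked without a repository.
is_official_tree() {
    case "$1" in
        *"$OFFICIAL_TREE"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Read "<sha> <status>" lines as printed by `git log --format='%H %G?'` and
# accept only status G (good signature from a trusted key). Every other code
# git can emit (B bad, U untrusted key, X/Y expired, R revoked key,
# E cannot verify, N unsigned) is reported on stderr and fails the check.
check_signature_statuses() {
    bad=0
    while read -r sha status; do
        [ -n "$sha" ] || continue
        case "$status" in
            G) ;;
            U) echo "$sha: good signature, but the key is not trusted" >&2; bad=1 ;;
            N) echo "$sha: not signed" >&2; bad=1 ;;
            *) echo "$sha: signature not acceptable (status $status)" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Hook body: git feeds one "oldrev newrev refname" line per updated ref.
run_hook() {
    url=$(git config --get remote.origin.url 2>/dev/null || true)
    if ! is_official_tree "$url"; then
        return 0   # some other tree: do nothing, so nobody is tempted to uninstall the hook
    fi
    rc=0
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$ZERO_SHA" ] && continue      # ref deleted, nothing to verify
        if [ "$oldrev" = "$ZERO_SHA" ]; then
            range=$newrev                             # new ref: check its whole history
        else
            range="$oldrev..$newrev"                  # only the commits this push added
        fi
        if ! git log --format='%H %G?' "$range" | check_signature_statuses; then
            echo "post-receive: unsigned or badly signed commits on $refname" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run the hook body only when git invokes this file as a hook.
case "$0" in
    */post-receive) run_hook ;;
esac
```

Two caveats a practitioner would want: post-receive runs in the repository that receives a push, after the refs have already moved, so this version reports rather than blocks; the same two functions dropped into a pre-receive hook would refuse the push instead. On a developer's clone the analogous place to verify what was just pulled is post-merge. And the hook only examines the range a push added, not the history under it, which is precisely the gap Rich describes: a signature on new commits says nothing about what came before them.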