public inbox for gentoo-dev@lists.gentoo.org
From: "William L. Thomson Jr." <wlt-ml@o-sinc.com>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
Date: Thu, 10 Aug 2017 13:08:20 -0400	[thread overview]
Message-ID: <assp.03952b3015.20170810130820.58a3ca70@o-sinc.com> (raw)
In-Reply-To: <34bfb349-853a-8a75-c095-6f0891f18112@gentoo.org>


On Thu, 10 Aug 2017 13:33:54 +1000
"Sam Jorna (wraeth)" <wraeth@gentoo.org> wrote:
>
> This is no greater risk than syncing from a potentially compromised
> mirror. You would use a mirror you trust and, similarly (perhaps even
> more so) you would use a binhost you trust.

Getting a bit ridiculous now. Let me get my tin foil hat.

So you're suggesting Gentoo mirrors could be compromised? You're saying
that the Gentoo repo gets compromised, which then leaks out onto mirrors. If
a mirror is compromised, clearly it would not match up to other mirrors
or the master Gentoo repo. All with no one in the world noticing. Not a
likely scenario.

Let's go down this rabbit hole. Let's say the Gentoo repo was compromised.
You simply look at upstream sources and their hashes. If Gentoo
mirrored sources do not match up to upstream, then you know something
is wrong.

Thus you have many ways to verify: pull from a mirror, compare to another mirror,
compare to the master Gentoo repo, compare to upstream. None of that can
be done with a binpkg. There are no public binhosts. There is no
official Gentoo binhost. That is something people set up.

They may trust their own binhost. But to imply that is more trustworthy
than public stuff that is in more than one verifiable location
against 3rd parties? That logic does not hold up.

> It does raise the idea of some form of signing of the Packages file,
> similar to gpg-signed portage snapshots, but that's moving well beyond
> the scope of this thread.

That still would never give you any 3rd party verification. Why do we
not self sign certificates? Why are those not trusted? Trust tends to
come from 3rd parties.

Even GPG relies on a WOT; without that it's pointless. An unsigned GPG
key is pretty worthless. Signing stuff with that means nothing.

-- 
William L. Thomson Jr.

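The verification William describes above, pulling a source file from one place and comparing it against the master repo's Manifest and against other copies, as an added example that is not part of this thread or of Portage. It uses the Gentoo Manifest `DIST <file> <size> BLAKE2B <hex> SHA512 <hex>` line format; the upstream bytes, the Manifest line (generated here from those bytes to stand in for what the master repo would publish) and the per-mirror copies are all constructed samples, and the source names are hypothetical.

```python
"""Check a distfile against a Manifest DIST entry and cross-check copies
from several sources. Example code; not Portage's own implementation."""
import hashlib
from typing import Dict, List

# Hash algorithms used in Manifest DIST entries, mapped to hashlib names.
MANIFEST_HASHES = {"BLAKE2B": "blake2b", "SHA512": "sha512"}


def digest(data: bytes, alg: str) -> str:
    """Hex digest of data under a Manifest hash name (BLAKE2B or SHA512)."""
    return hashlib.new(MANIFEST_HASHES[alg], data).hexdigest()


def make_dist_line(filename: str, data: bytes) -> str:
    """Build the DIST line the master repo's Manifest would carry for a file.
    Used here only to construct the sample; in practice it comes from the repo."""
    parts = [f"DIST {filename} {len(data)}"]
    for alg in MANIFEST_HASHES:
        parts.append(f"{alg} {digest(data, alg)}")
    return " ".join(parts)


def parse_dist_line(line: str) -> dict:
    """Parse 'DIST <name> <size> <ALG> <hex> ...' into a dict."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "DIST" or (len(fields) - 3) % 2 != 0:
        raise ValueError(f"malformed DIST line: {line!r}")
    entry = {"name": fields[1], "size": int(fields[2]), "hashes": {}}
    for alg, hexval in zip(fields[3::2], fields[4::2]):
        if alg not in MANIFEST_HASHES:
            raise ValueError(f"unsupported hash {alg}")
        entry["hashes"][alg] = hexval.lower()
    return entry


def verify_against_manifest(data: bytes, entry: dict) -> List[str]:
    """Return a list of mismatches; an empty list means data matches the Manifest."""
    problems = []
    if len(data) != entry["size"]:
        problems.append(f"size {len(data)} != {entry['size']}")
    for alg, expected in entry["hashes"].items():
        if digest(data, alg) != expected:
            problems.append(f"{alg} mismatch")
    return problems


def cross_check(copies: Dict[str, bytes]) -> dict:
    """Group copies of one file (source name -> bytes) by SHA512 and report
    which sources disagree with the majority of the others."""
    by_digest: Dict[str, List[str]] = {}
    for source, data in copies.items():
        by_digest.setdefault(digest(data, "SHA512"), []).append(source)
    majority = max(by_digest.values(), key=len)  # on a tie, first group wins
    outliers = sorted(s for grp in by_digest.values() if grp is not majority for s in grp)
    return {"majority": sorted(majority), "outliers": outliers, "agree": len(by_digest) == 1}


# Constructed sample: upstream release bytes, the Manifest line the master repo
# would publish for them, and copies "fetched" from hypothetical sources.
UPSTREAM = b"example-1.0 release tarball (constructed sample bytes)\n"
MANIFEST_LINE = make_dist_line("example-1.0.tar.gz", UPSTREAM)
COPIES = {
    "mirror-a": UPSTREAM,
    "mirror-b": UPSTREAM,
    "mirror-c": UPSTREAM + b"\x00",  # one corrupt or tampered copy
}


def audit(manifest_line: str = MANIFEST_LINE, copies: Dict[str, bytes] = COPIES) -> dict:
    """Per-source Manifest check plus a cross-source consensus report."""
    entry = parse_dist_line(manifest_line)
    report = {src: verify_against_manifest(data, entry) for src, data in copies.items()}
    return {"per_source": report, "consensus": cross_check(copies)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

A copy that fails the Manifest check is flagged on its own, and the consensus report shows which sources disagree even before the Manifest is consulted; that second check is exactly the cross-source comparison that has no equivalent for a binpkg served from a single binhost.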


Thread overview: 31+ messages
2017-08-08 16:37 [gentoo-dev] Prevent binary/non-compiled packages from binary package creation William L. Thomson Jr.
2017-08-08 16:53 ` Rich Freeman
2017-08-08 17:11 ` Kristian Fiskerstrand
2017-08-08 17:18   ` Rich Freeman
2017-08-08 17:32     ` Michał Górny
2017-08-08 17:33     ` William L. Thomson Jr.
2017-08-08 17:23   ` William L. Thomson Jr.
2017-08-08 17:32     ` Kristian Fiskerstrand
2017-08-08 18:20       ` William L. Thomson Jr.
2017-08-08 18:41         ` William L. Thomson Jr.
2017-08-09  0:29         ` Sam Jorna (wraeth)
2017-08-09  0:43           ` William L. Thomson Jr.
2017-08-09  1:07             ` Sam Jorna (wraeth)
2017-08-09 15:33               ` William L. Thomson Jr.
2017-08-09 20:23                 ` Francesco Riosa
2017-08-09 20:35                   ` William L. Thomson Jr.
2017-08-10  0:50                     ` Sam Jorna (wraeth)
2017-08-10  1:42                       ` William L. Thomson Jr.
2017-08-10  3:33                         ` Sam Jorna (wraeth)
2017-08-10 17:08                           ` William L. Thomson Jr. [this message]
2017-08-10 23:58                             ` Sam Jorna (wraeth)
2017-08-10  1:25             ` Sam Jorna (wraeth)
2017-08-10  1:47               ` William L. Thomson Jr.
2017-08-10  1:56                 ` Sam Jorna (wraeth)
2017-08-08 17:34     ` Ian Stakenvicius
2017-08-08 18:10       ` William L. Thomson Jr.
2017-08-08 18:15         ` Kristian Fiskerstrand
2017-08-08 18:33           ` William L. Thomson Jr.
2017-08-09 20:42 ` William L. Thomson Jr.
2017-08-10 23:30 ` [gentoo-dev] " Duncan
2017-08-11  2:06   ` William L. Thomson Jr.
