public inbox for gentoo-dev@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Re: Manifest signing
Date: Thu, 29 Sep 2011 19:08:29 +0000 (UTC)
Message-ID: <pan.2011.09.29.19.08.29@cox.net>
In-Reply-To: 20110929150957.GD704@gentoo.org

Fabian Groffen posted on Thu, 29 Sep 2011 17:09:57 +0200 as excerpted:

> On 29-09-2011 11:02:17 -0400, Anthony G. Basile wrote:
>> The issue of Manifest signing came up in #gentoo-hardened channel ...
>> again.  It's clearly a security issue and yet many manifests in the tree
>> are still not signed.  Is there any chance that we can agree to reject
>> unsigned manifests?  Possibly a question for the Council to adjudicate?
> 
> Please refer to Mike's thread on this.
> 
> http://archives.gentoo.org/gentoo-dev/msg_7210bc8a18140db8f18ff89245efacd5.xml

Every time this comes up, it gets a bunch of discussion, perhaps a few 
more people start signing (but with dev turnover, I really don't know if 
it gets better over time), and eventually the issue goes back to sleep.

I have a feeling something similar was happening for kernel.org security 
discussions.  Let's not be them in this regard.

In that old thread, the only real issue other than "just doing it" that I 
saw raised was that of the two-stage commit thing.  AFAIK in theory, that 
allows a rather nasty DoS attack, so it does need dealt with, tho a DoS 
worst-case is already better than the current worst-case.

Beyond that, IMO it's now at the "needs a proposal champion to clean it 
up and present it to the council" stage, at least at the "council 
declared priority" level for getting the requirements into repoman, the 
CVS server, and perhaps the PMs (I don't know what stage they're at, 
possibly all they need is a switch flipped?).

Talking about which, at the PM user level, is there a per-repo/overlay 
switch?  If not, it should strongly be considered.

With a proposal champion and a council declared priority, hopefully 
within the year, "the switch" would be ready to be flipped, and a second 
council vote could be taken to flip it.

But, someone with the domain knowledge, both of GPG and of the PMs and 
commit process, needs to step up as the proposal champion and guide it 
thru.  It seems to me we're "almost there", and this is what's needed 
now, for that final push.

In my book, that champion would stand up there along with WilliamH for 
being the guy that finally pushed OpenRC thru to stability (absolutely 
not without the help of others, of course, but it took someone to step up 
and actually be the champion that pushed it thru).  That's not an 
insignificant thing to be able to put on one's CV, BTW, that you were the 
proposal champion that helped with the final push toward tree signing and 
thus general tree security for a community distro like Gentoo. =:^)

Meanwhile, seems to me that Google, et al. could well have sufficient 
interest in this, given Gentoo's status as upstream, to sponsor hardware, 
etc, if needed.

And I'm sure the Gentoo/PR folks would a WHOLE lot rather deal with an 
announcement that Gentoo's tree is now signed and that the PMs now reject 
unsigned by default, BEFORE having to deal with an announcement along the 
lines of kernel.org's recent ones, instead of AFTER. =:\

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman



