From: "Robin H. Johnson"
To: gentoo-dev@lists.gentoo.org
Date: Thu, 3 Dec 2009 20:35:37 +0000
Subject: Re: [gentoo-dev] Individual developer signing
In-Reply-To: <20091203103242.GA6316@veller.net>
References: <7c612fc60911251350k3560b7d7sf4e9c867a30b0d90@mail.gmail.com> <20091130113051.GA32489@chopin.edu.pl> <4B14369D.1040608@gentoo.org> <20091203103242.GA6316@veller.net>

On Thu, Dec 03, 2009 at 11:32:42AM +0100, Torsten Veller wrote:
> * "Robin H. Johnson" :
> > The GLEP on Individual developer signing has not made it into a Draft
> > yet.
> >
> > But you can view the very brief version here:
> > http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup
> > [...]
> >
> > > 2. Every developer signs everything 100% of the time (make it a QA
> > > check).
> > +1 on this.
>
> In the GLEPs I missed the point where the signatures of Manifests are verified.
> Only the MetaManifest gets verified.

GLEP58: under "Procedure for verifying an item in the MetaManifest" 4.2:
"M2-verifying the contents of the Manifest."

Where "M2-verify" is the verb describing the verification of a Manifest.
It _may_ include signature validation.

> So what's the advantage of individually signed Manifests?

Basically making sure that your SSH keys weren't stolen.
They explicitly protect the commit from the developer to infrastructure.

MetaManifest protects the integrity of the contents from infrastructure out
to the user. It does NOT validate the functionality of the tree or any prior
injection.

> The only thing we can check: Is the key used for signing listed in ldap
> (and thus in "the keyring of automated Gentoo keys")? Are the keys in ldap
> really mine?
> Do I miss anything?

Later on I'd like to REJECT unsigned commits.

> BTW: About a third of the Manifests are signed [1]. We didn't improve
> since 2005/2006 [2]. The two parties are working hard against each other [3].
> 55 Manifests are signed by revoked keys [4].
>
> [1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
> [2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
> [3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
> [4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt

Nice graphs. Can you show them over a larger timespan?

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
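The thread above raises two checks a QA step would need: whether a Manifest is signed at all (Torsten's "about a third are signed" figure), and whether the signing key is one listed in LDAP and not revoked (his "55 Manifests are signed by revoked keys"). The following is an added example, not code from the mail, from GLEP58 or from Gentoo's own tooling. It classifies a Manifest by parsing the machine-readable `[GNUPG:]` status lines that `gpg --status-fd 1 --verify` emits; the `LISTED` and `REVOKED` fingerprint sets stand in for "the keys in LDAP" and are assumptions, and the sample Manifests and status lines are constructed (only the listed fingerprint comes from the mail's signature block).

```python
# Added example, not from the mail or from Gentoo's own tooling: a QA-style check
# that classifies a Manifest's signature state by parsing the machine-readable
# "[GNUPG:] ..." lines that `gpg --status-fd 1 --verify` emits. The LISTED and
# REVOKED fingerprint sets stand in for "the keys in LDAP" and are assumptions.
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

PGP_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
STATUS_RE = re.compile(r"\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class SigStatus:
    verdict: str                # unsigned | ok | unlisted-key | revoked-key | expired-key | unknown-key | bad
    fingerprint: Optional[str]  # primary-key fingerprint from VALIDSIG, when gpg reported one


def run_gpg_status(manifest_path: str, keyring: str) -> List[str]:
    """Run gpg on a clearsigned Manifest and return its status lines (not exercised offline)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", manifest_path],
        capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def classify(manifest_text: str, status_lines: Iterable[str],
             listed: Set[str], revoked: Set[str]) -> SigStatus:
    """Turn Manifest text plus gpg status output into one QA verdict."""
    if not manifest_text.lstrip().startswith(PGP_HEADER):
        return SigStatus("unsigned", None)          # nothing to verify at all

    tokens: Set[str] = set()
    fpr: Optional[str] = None
    for line in status_lines:
        m = STATUS_RE.match(line)
        if not m:
            continue
        tokens.add(m.group(1))
        if m.group(1) == "VALIDSIG" and m.group(2):
            # VALIDSIG's first field is the signing (sub)key fingerprint and its
            # last field the primary key fingerprint; policy is keyed on the primary.
            fpr = m.group(2).split()[-1]

    if "NO_PUBKEY" in tokens:
        return SigStatus("unknown-key", fpr)        # key not in the keyring we trust
    if "BADSIG" in tokens or "ERRSIG" in tokens or fpr is None:
        return SigStatus("bad", fpr)                # signature does not verify
    # gpg still emits VALIDSIG for a good signature made by a revoked or expired
    # key, so these must be rejected before the GOODSIG path is reached.
    if "REVKEYSIG" in tokens or fpr in revoked:
        return SigStatus("revoked-key", fpr)
    if "EXPKEYSIG" in tokens:
        return SigStatus("expired-key", fpr)
    if "GOODSIG" in tokens and fpr in listed:
        return SigStatus("ok", fpr)
    return SigStatus("unlisted-key", fpr)           # valid, but not a key LDAP lists


def summarize(results: Iterable[SigStatus]) -> Dict[str, int]:
    """Count verdicts across a tree, the shape of the stats quoted in the thread."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r.verdict] = counts.get(r.verdict, 0) + 1
    return counts


# Constructed sample inputs (not real signatures): Manifest stubs, a listed key
# (the fingerprint from the mail's signature block) and a made-up revoked key.
DEV_FPR = "11ACBA4F4778E3F6E4EDF38EB27B944E34884E85"
OLD_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
LISTED = {DEV_FPR}
REVOKED = {OLD_FPR}

UNSIGNED_MANIFEST = "DIST foo-1.0.tar.gz 1234 SHA256 <hash>\n"
SIGNED_MANIFEST = (PGP_HEADER + "\nHash: SHA256\n\n" + UNSIGNED_MANIFEST
                   + "-----BEGIN PGP SIGNATURE-----\n<sig>\n-----END PGP SIGNATURE-----\n")

GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG B27B944E34884E85 Robin H. Johnson <robbat2@gentoo.org>",
    f"[GNUPG:] VALIDSIG {DEV_FPR} 2009-12-03 1259872537 0 4 0 17 8 01 {DEV_FPR}",
]
REVOKED_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] REVKEYSIG 89ABCDEF01234567 Old Developer <old@example.invalid>",
    f"[GNUPG:] VALIDSIG {OLD_FPR} 2005-01-01 1104537600 0 4 0 17 2 01 {OLD_FPR}",
]
MISSING_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 89ABCDEF01234567 17 2 01 1104537600 9",
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567",
]

if __name__ == "__main__":
    tree = [
        classify(UNSIGNED_MANIFEST, [], LISTED, REVOKED),
        classify(SIGNED_MANIFEST, GOOD_STATUS, LISTED, REVOKED),
        classify(SIGNED_MANIFEST, REVOKED_STATUS, LISTED, REVOKED),
        classify(SIGNED_MANIFEST, MISSING_STATUS, LISTED, REVOKED),
    ]
    print(summarize(tree))
```

The point of checking `REVKEYSIG` and the revoked set before the `GOODSIG` path is that gpg reports a cryptographically valid signature from a revoked key as valid; a check that only looks for `VALIDSIG` would count those 55 Manifests as signed. For a real tree, `run_gpg_status` feeds `classify`, with the keyring built from the LDAP-listed keys so that "unknown-key" and "unlisted-key" line up with the keys the thread says are the only thing that can be checked.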