From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1RM6QT-0003hv-49 for garchives@archives.gentoo.org; Thu, 03 Nov 2011 23:10:25 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id ACF2321C0A3; Thu, 3 Nov 2011 23:10:14 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id E59E821C09A for ; Thu, 3 Nov 2011 23:09:31 +0000 (UTC) Received: from grubbs.orbis-terrarum.net (localhost [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 50A0B64223 for ; Thu, 3 Nov 2011 23:09:31 +0000 (UTC) Received: (qmail 602 invoked by uid 10000); 3 Nov 2011 23:09:30 -0000 Date: Thu, 3 Nov 2011 23:09:30 +0000 From: "Robin H. Johnson" To: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] Manifest signing Message-ID: References: <4E848879.2050100@gentoo.org> <4EB13189.4000500@groeper-berlin.de> <4EB30DE8.8010005@groeper-berlin.de> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4EB30DE8.8010005@groeper-berlin.de> User-Agent: Mutt/1.5.21 (2010-09-15) X-Archives-Salt: 4772fa1c-3208-4c85-b9bc-4986a8053bf8 X-Archives-Hash: 421b8e9ef6170df9f650af792e492871 On Thu, Nov 03, 2011 at 10:55:52PM +0100, enno+gentoo@groeper-berlin.de wrote: > >> If it is (also) for the users, why is there no code for it in portage > >> anymore [3]? > > Hmm, I hadn't see that removal, but it makes sense unless the entire > > tree is developer-signed, which isn't likely to happen soon. > I don't agree here. Of course the implementation shouldn't stop the user > from installing an unsigned package at the moment. But it could give a > warning instead and ask the user what to do. > In this way developers are encouraged to sign their packages (to make > the warning go away) and users get the ability to check the signatures, > that already exist. > Key problem here is the Gentoo keyring (how to ensure it didn't get > manipulated). Distributing the keyring itself signed is how Debian does it IIRC. > > There's a chicken & egg problem with most signing. You need to > > communicate the valid keys out of band from the actual repo. > > Maybe the layman data is a good place for that, but until such a > > location is figured out, you have zero security gain (if the 'correct' > > keys are only listed in a file in the repo, any attacker just replaces > > that when he puts his other content in). > Of course. But security is always worth thinking about it. > First step: What are the possibilities the check the signatures? FAIL. > In my case some (most?) of the users of my overlay should know my GPG > key already. The web of trust works here. The drawback for possible > other users would be a false sense of security. That's why I say the gpg key should be in the layman data. Overlays team, do you think this is reasonable? > > There was a prototype keyserver at one point as well, and I can generate > > new keyrings if needed based on the LDAP data. > This could be okay for a first creation. Later I would prefer something > like Debian does: > http://keyring.debian.org/replacing_keys.html > That way you would decouple the LDAP and the keyring and trust only the > data, that is already in the keyring (somebody whose key is already in > the keyring signing the request for a new key). > See also: http://keyring.debian.org/ > Perhaps the prototype keyserver already did something like that. The Debian model was discussed, and the main problem was finding enough people to sign the keys near all of the devs, esp. if you require meeting in person. You need two factors to be able to change your GPG key on file anyway. -- Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robbat2@gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85