From: Zac Medico <zmedico@gentoo.org>
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers
Date: Sat, 07 Mar 2015 18:31:44 -0800 [thread overview]
Message-ID: <54FBB490.4010507@gentoo.org> (raw)
In-Reply-To: <20150307172405.388c0fa4.dolsen@gentoo.org>
On 03/07/2015 05:24 PM, Brian Dolbec wrote:
> On Sat, 07 Mar 2015 15:26:26 -0800
> Zac Medico <zmedico@gentoo.org> wrote:
>
>> On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>>> We're on the same side here.
>>>
>>> Do we have numbers showing the ratio "portage used with defaults"
>>> vs. where "[webrsync-gpg] is described in many hardening guides for
>>> gentoo and widely used among the security conscious" applies?
>>>
>>> DNS not being encrypted is just painting the whole picture. Point
>>> is, the default is that "emerge --sync" results in a transfer using
>>> RSYNC (or http).
>>>
>>> And by default you cannot compare the result with any authoritative
>>> source.
>>>
>>
>> Ideally, we can rely on security mechanisms built into git [1],
>> possibly involving signed commits.
>>
>> [1] https://github.com/gentoo/gentoo-portage-rsync-mirror
>
>
> Actually, git makes it nearly impossible to get the correct info
> required to re-process the git commit signature. It is all embedded
> into the commit itself, but not in a way for gpg to be able to
> re-verify it. Git relies on the issuer's gpg verification status which
> it records in it's data before the push. So, without some major
> hacking on git data, it is not viable for routine verification purposes.
Maybe we can use the relatively recently added git verify-commit command
[1]. If we run that command with --verbose, then we can use that to
verify that that a commit was signed with a trusted key. Shouldn't
verification of the HEAD commit be enough to vouch for the integrity of
the entire tree?
[1]
https://github.com/git/git/commit/d07b00b7f31d0cb6675b4bdba269ce7f087ddd24
--
Thanks,
Zac
next prev parent reply other threads:[~2015-03-08 2:31 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-05 14:49 [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers Patrick Schleizer
2015-03-05 15:30 ` Rick "Zero_Chaos" Farina
2015-03-05 19:14 ` Patrick Schleizer
2015-03-06 0:56 ` Rick "Zero_Chaos" Farina
2015-03-06 13:53 ` Mark Kubacki
2015-03-06 15:20 ` Rick "Zero_Chaos" Farina
2015-03-06 16:13 ` Brian Dolbec
2015-03-06 17:50 ` Mark Kubacki
2015-03-07 23:26 ` Zac Medico
2015-03-08 1:24 ` Brian Dolbec
2015-03-08 2:31 ` Zac Medico [this message]
2015-03-08 5:44 ` Brian Dolbec
2015-03-08 14:59 ` Patrick Schleizer
2015-03-08 20:10 ` Zac Medico
2015-03-08 15:02 ` Mark Kubacki
2015-03-08 21:02 ` Zac Medico
2015-03-06 15:43 ` Patrick Schleizer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54FBB490.4010507@gentoo.org \
--to=zmedico@gentoo.org \
--cc=gentoo-portage-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox