Re: [gentoo-security] Re: Out of air

[Chris Haumesser <ch@awry.ws>]

[-- Attachment #1: Type: text/plain, Size: 3452 bytes --]

Finally, a message I can fully agree with.

As there is a quick and dirty solution to improve the situation -- even 
with the understanding that it is not the "best" or "ideal" solution -- 
I would encourage the gentoo devs to implement it.  It really doesn't 
seem like rocket science.

I do consider it a significant problem that I cannot accurately verify 
that everything in my portage tree came from a trusted source.  Agreed, 
MOTM attacks are not common.  However, it would seem important to have 
some sort of "audit trail" to verify that portage is what it's supposed 
to be.  Not only is this good proactive security, but it might also 
prove useful in tracking the source of some security problem.

An interim signing solution, as mentioned already in this list, would 
provide at least a mechanism (maybe not a great one, but one 
nonetheless) by which a user can verify that the files downloaded to his 
gentoo machine are those the developers intended to distribute.

I trust the devs implicitly, but I do not trust, nor can I control, most 
of the points between them and me.

I think ultimately the existing plan, to implement full gpg signing of 
each file in portage, is definitely the way to go.  In the meantime, 
while the infrastructure is laid for the superior, longterm proposal, 
why not spend an hour to provide an interim, if not ideal, solution?

Devs, what have you to lose by helping us do this?  I don't think I 
understand the resistance, outside of the emotional reaction triggered 
by this thread's initiator.


My $.02.


-C-




Chris Frey wrote:

>On Tue, Nov 09, 2004 at 09:05:41PM -0500, Denis Roy wrote:
>  
>
>>>not prompted the beginning of a new initiative in signing the tree
>>>      
>>>
>>because that was already underway. I very much doubt that it'll speed
>>up the progress made on that initiative, because the main limiting
>>factor is time. No matter what is said here, it's not going to make
>>anybody go out and quit their jobs in order to get tree signing
>>implemented quicker.
>>    
>>
>
>The problem with phrasing it this way is that it implies there is only
>one way to address this issue.  It may be true that Gentoo has decided
>on only one way to address the issue, but there are other ways to do it.
>
>The current development effort that is underway is not one that can be
>implemented overnight, but there is a solution that manages to satisfy
>the core needs of this thread that can be implemented overnight.
>
>The requirements are:
>
>	* admin access on the main Gentoo server
>	* a cron job
>	* a GPG key on the server
>	* a script to do the heavy lifting
>
>Of those items, only the script can be written by us normal users,
>in order to help out in the Open Source way.  The people with admin
>access to the main Gentoo server do not appear willing to install such
>a script, even if someone else writes it.  (And I'm sure Peter would
>jump at the chance to write it, and practically has already, and I'd
>definitely be willing to help.)
>
>I asked this before, and saw no response, so maybe it was missed in the
>pile of messages.  I'll ask again:
>
>	If someone posted a working and self-tested script to this mailing
>	list, would Gentoo admins be willing to install it, provided it
>	passed the peer review on this list?  (i.e. contained no glaring bugs)
>
>If the answer was yes, this thread would be over.
>
>- Chris
>
>
>--
>gentoo-security@gentoo.org mailing list
>
>  
>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]