From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact gentoo-security-help@gentoo.org; run by ezmlm
Message-ID: <41919EC1.5010809@awry.ws>
Date: Tue, 09 Nov 2004 20:53:21 -0800
From: Chris Haumesser
To: gentoo-security@lists.gentoo.org
References: <20041110020620.F1ADE2B3DB@smtp.istop.com> <20041109233509.A19723@netdirect.ca>
In-Reply-To: <20041109233509.A19723@netdirect.ca>
Subject: Re: [gentoo-security] Re: Out of air

Finally, a message I can fully agree with. As there is a quick and dirty solution to improve the situation -- even with the understanding that it is not the "best" or "ideal" solution -- I would encourage the gentoo devs to implement it. It really doesn't seem like rocket science.

I do consider it a significant problem that I cannot accurately verify that everything in my portage tree came from a trusted source. Agreed, MOTM attacks are not common. However, it would seem important to have some sort of "audit trail" to verify that portage is what it's supposed to be. Not only is this good proactive security, but it might also prove useful in tracking the source of some security problem.

An interim signing solution, as mentioned already in this list, would provide at least a mechanism (maybe not a great one, but one nonetheless) by which a user can verify that the files downloaded to his gentoo machine are those the developers intended to distribute. I trust the devs implicitly, but I do not trust, nor can I control, most of the points between them and me.

I think ultimately the existing plan, to implement full gpg signing of each file in portage, is definitely the way to go. In the meantime, while the infrastructure is laid for the superior, long-term proposal, why not spend an hour to provide an interim, if not ideal, solution?

Devs, what have you to lose by helping us do this? I don't think I understand the resistance, outside of the emotional reaction triggered by this thread's initiator.

My $.02.

-C-

Chris Frey wrote:

>On Tue, Nov 09, 2004 at 09:05:41PM -0500, Denis Roy wrote:
>
>>>not prompted the beginning of a new initiative in signing the tree
>>>
>>because that was already underway. I very much doubt that it'll speed
>>up the progress made on that initiative, because the main limiting
>>factor is time. No matter what is said here, it's not going to make
>>anybody go out and quit their jobs in order to get tree signing
>>implemented quicker.
>>
>
>The problem with phrasing it this way is that it implies there is only
>one way to address this issue. It may be true that Gentoo has decided
>on only one way to address the issue, but there are other ways to do it.
>
>The current development effort that is underway is not one that can be
>implemented overnight, but there is a solution that manages to satisfy
>the core needs of this thread that can be implemented overnight.
>
>The requirements are:
>
>    * admin access on the main Gentoo server
>    * a cron job
>    * a GPG key on the server
>    * a script to do the heavy lifting
>
>Of those items, only the script can be written by us normal users,
>in order to help out in the Open Source way. The people with admin
>access to the main Gentoo server do not appear willing to install such
>a script, even if someone else writes it. (And I'm sure Peter would
>jump at the chance to write it, and practically has already, and I'd
>definitely be willing to help.)
>
>I asked this before, and saw no response, so maybe it was missed in the
>pile of messages. I'll ask again:
>
>    If someone posted a working and self-tested script to this mailing
>    list, would Gentoo admins be willing to install it, provided it
>    passed the peer review on this list? (i.e. contained no glaring bugs)
>
>If the answer was yes, this thread would be over.
>
>- Chris
>
>--
>gentoo-security@gentoo.org mailing list
>
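
The interim scheme discussed in this message (a cron job on the server, a GPG key, and a script that signs the tree), sketched as an added example; it is not from the original thread and is not Gentoo's script. The function names, the manifest layout and the pinned-keyring path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): whole-tree manifest signing.

# Emit a deterministic manifest: one "sha256  ./path" line per regular file,
# sorted by path so the same tree always produces byte-identical output.
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Server side, run from cron.
#   $1 = tree directory, $2 = manifest path (outside the tree), $3 = signing key id
# The key must be usable without a prompt, so it should be a dedicated
# signing key held only on the signing host.
sign_tree() {
    build_manifest "$1" > "$2.tmp" || return 1
    gpg --batch --yes --local-user "$3" --armor \
        --output "$2.asc" --detach-sign "$2.tmp" || return 1
    mv "$2.tmp" "$2"
}

# Client side: compare the local tree with a manifest. Rebuilding the whole
# manifest and comparing it catches added and removed files as well as
# modified ones; `sha256sum -c` alone only checks the files that are listed.
check_tree() {
    build_manifest "$1" | cmp -s - "$2"
}

# Client side: check the signature before trusting the manifest contents.
#   $1 = tree directory, $2 = manifest path, $3 = keyring file holding ONLY
#   the tree-signing public key (binary `gpg --export` output), so that a
#   signature from any other key in the user's keyring is rejected.
verify_tree() {
    gpgv --keyring "$3" "$2.asc" "$2" || return 1
    check_tree "$1" "$2"
}
```

The manifest and its `.asc` signature would be published alongside the tree; a client fetches both after syncing and runs `verify_tree` before using the tree.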