Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: Security

Is anybody else worried about this? (was: Trojan for Gentoo, part 2)

 

 

First page Previous page 1 2 Next page Last page  View All Gentoo security RSS feed   Index | Next | Previous | View Threaded


klieber at gentoo

Nov 7, 2004, 6:19 PM

Post #26 of 27 (420 views)
Permalink
Re: Re: Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2) [In reply to]

On Sun, Nov 07, 2004 at 08:03:36PM -0500 or thereabouts, Chris Frey wrote:
> I just downloaded a fresh portage tree to take a look, and I notice
> that signatures are making their way into the Manifest files. Is this
> an automated process? If so, can we expect all the Manifest files to
> soon be signed?

It's largely automated, yes. It still requires the developer committing
the ebuild to take the time to set up their system appropriately. A doc
explaining the necessary steps is available here:

http://dev.gentoo.org/~genone/docs/manifest-signing.txt

> Wouldn't it be sufficient to put a Manifest file in the eclass/ directory
> and sign it as well?

Entirely possible. I'm not a python programmer, so I don't know how
hard/easy this would be to implement.

> I note you mention this often, and I do appreciate the need for people
> to join in and help out. The main roadblock to implementing new signing
> procedures, for the outsider, is that it requires access to the server
> to implement the signing, or it requires participation from all devs,
> depending on the method chosen.
>
> Given this roadblock, I don't think it is completely fair to lay this job
> at users' feet.

I'm not laying anything at anyone's feet. What I'm trying to say is that
the only way this problem will ever get fixed is if someone who cares about
it devotes the time to fixing it.

> What I'm trying to say is that signing doesn't have to be implemented for
> the end user in portage before it is implemented on the server. Once the
> signatures are available on the server, all this talk would go away, and
> those that are concerned would do the checks, and those that aren't
> wouldn't. The concerned would likely share their checking scripts as well.

Back when signing was first being discussed, a conscious decision was made
to avoid server-based signing, specifically because it was felt that
offered a false sense of security. It didn't ensure integrity between the
developer's machine and the master cvs repository. Per-dev signing, on the
other hand, did.

Thus, the current signing model in portage requires each dev to sign their
own stuff and I don't think veering away from that strategy simply to
implement something in a hurry is a very wise choice.

Also, signing things on the server isn't as easy as folks have made it out
to be. A simple cron'd find command isn't going to cut it. Every time a
dev commits something to CVS, a new signature for that file has to be
generated immediately. Otherwise, 30 minutes later, you're going to have
problems when those changes make their way out to the rsync tree. Thus,
it's going to have to be integrated into repoman which means changes to
portage.

> So, I'm quite happy that there are experimental features in portage that
> deal with this, but I'd be even happier if every Manifest file in the
> portage tree was signed, even if portage code didn't do the checks yet.

Signing of ebuilds is coming. The foundation is being laid and, once that
is stabilized, the push to get all devs to sign their ebuilds will
commence.

--kurt


genone at gentoo

Nov 8, 2004, 1:12 PM

Post #27 of 27 (421 views)
Permalink
Re: Re: Is anybody else worried about this? [In reply to]

On 07 Nov 2004 19:51:17 +0100
Peter Simons <simons [at] cryp> wrote:

> Marc Ballarin writes:
>
> > I explicitly said that signing should be implemented!
>
> Then what are we waiting for?

Ebuild signing is implemented already (it's not mandatory yet though),
signing of eclasses/profiles isn't done because of policy details (e.g.
do we need multiple sigs per eclass, would a single Manifest for all
eclasses be sufficient, ...)
But signature verification is a completely different beast.

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

First page Previous page 1 2 Next page Last page  View All Gentoo security RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.