benjamin@y7xEHiGMGlivnCq-a8SpYU0YO-XRNI3LcJHB8tCeaXI wrote:
> 2012-10-18 00:13 –
> adilson_lanpo@8AEGotJKXJ4ABJy1gKjls4SrrzpshQNoEMAbu0IFA94:
>> On Wed, 17 Oct 2012 15:47:43 -0000
>> Sadao@JXXNvLaHdNMysx7GmY5~L4aCoMuQV85oJM9OIqhkTR8 wrote:
>>> toad-notrust@h2RzPS4fEzP0zU43GAfEgxqK2Y55~kEUNR01cWvYApI wrote:
>>>> A lot of people wouldn't. IMHO the users have a right to know that I
>>>> (or any other release manager) might be vulnerable.
>>> You are a release manager of freenet. Only you know the SSK private
>>> key to auto-update channel. You came up with the revocation key that
>>> should disable auto-updates on all nodes. You sign every tag in the
>>> git repository. You sign every jar you build. But those signatures
>>> only make sense if others trust you. If they don't, signing anything
>>> is pointless. I understand that you are vulnerable in theory, but I
>>> would like to know what it means exactly. Will you do all you can to
>>> protect other people who trust you if, say, a LEA agent came to you
>>> and asked you to add a backdoor to freenet? Will you refuse to do it?
>>> If they did it themselves and then you got the network access, will
>>> you notify all users immediately and turn off auto-updates by
>>> inserting a message to the revocation channel even under the threat
>>> of being jailed? Can I expect that the situation when you know that
>>> freenet has been backdoored and you have the possibility to notify
>>> all users about it, but you don't do that (regardless of the reason)
>>> will never happen?
>> It would probably be a good idea for someone else outside the UK who
>> wouldn't have to follow the proposed law to have the necessary keys
>> (assuming that isn't already the case, it should be if it isn't and not
>> just for the reasons this thread is about) and to change the keys should
>> the UK pass a law requiring any freenet developer there to add backdoors
>> (which would also provide any freenet developer in the UK the ability
>> to deny that they have the ability to add a backdoor since others would
>> have taken it away).
> Sounds to me like the solution (provided that this proposed change
> actually becomes UK law) would be to have a "compilation manager"
> outside the UK. Toad would provide the consolidated sources for a
> release, and this person would check the diffs, compile, and release the
> binaries. It would have to be a well-known and reliable person.
>
> Problems that I see are slowing down the release process and not being
> able to react as quickly in the case of urgent Freenet security flaws.
We could require an automated, multiple sign-off to the effect that the binary is compiled from the source (the tag on github). We could use a PSK sequence requiring multiple signatures:

- Any release manager. He signs off on the source, and builds the binary.
- A minimum number of signatures from volunteers' automated signer systems.

Automated signer systems would essentially run verify-build (in a sandbox; we should provide a standard VM or something), and then provide a signature. The signatures would then be combined to do the insert. The signature is on the top of the jar file, since it becomes part of the PSK, so a blob of the full insert would need to be provided to the signer. The signer will refuse to sign if the build number is not greater than the previous build it signed. The signer will provide a full history of everything they have signed - inserted into Freenet and probably available on a web server too.

The biggest problem with this is we need the automated signers to be:

- Reliable, even if the network is broken.
- Fast enough to deal with serious bugs quickly.
- Not all run by the same person.

All of these criteria are difficult. The seednodes list changes constantly, for example. Also it would appear that for now they are incompatible with the auto-signers being anonymous. Possibly we could have anonymous signers but be able to use non-anonymous signers in an emergency, in which case it would be documented.

In an ideal world, releases would require sign-off by multiple developers on the source being released, after the developer in question has read over the diffs. Unfortunately this is not realistic at the moment.

Oh and yes we do have more than one release manager. It's just that the others aren't actually involved in releases at the moment. However they could if I wasn't here and something needed dealing with urgently. I hope that in future they will deal with more of the mundane release management; I have a lot on my plate!
The other problem with all this is it'd be fairly complex to set up, and may distract resources from more important things. This would be easier if we had some help ...
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
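The multi-signature release flow sketched in the reply above (release manager signs source and builds; automated signers rebuild, refuse a build number that is not greater than the last one they signed, keep a published history; signatures are combined before the insert) as an added simulation, not Freenet's own code. HMAC-SHA256 stands in for the real asymmetric signatures and a SHA-256 of the source stands in for verify-build, so it runs with the standard library only; the signer names, keys, build numbers and threshold are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins: HMAC plays the role of a signing key, and a hash of
# the tagged source plays the role of a deterministic verify-build.
def sign(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def deterministic_build(source: bytes) -> bytes:
    return hashlib.sha256(b"build:" + source).digest()

class AutoSigner:
    """Volunteer's automated signer: rebuilds the tagged source, refuses a
    build number that is not greater than the last one it signed, and keeps
    a history that can be published (to Freenet or a web server)."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.last_build, self.history = name, key, 0, []

    def consider(self, build_no: int, source: bytes, jar: bytes):
        if build_no <= self.last_build:
            self.history.append((build_no, f"refused: not newer than {self.last_build}"))
            return None
        if not hmac.compare_digest(deterministic_build(source), jar):
            self.history.append((build_no, "refused: rebuild does not match jar"))
            return None
        sig = sign(self.key, jar)          # signature over the jar, as the scheme requires
        self.last_build = build_no
        self.history.append((build_no, "signed"))
        return sig

def assemble_insert(build_no, jar, rm_sig, signer_sigs, threshold):
    """Combine the release manager's signature with at least `threshold`
    signatures from distinct automated signers; otherwise there is no insert."""
    got = {n: s for n, s in signer_sigs.items() if s is not None}
    if rm_sig is None or len(got) < threshold:
        return None
    return {"build": build_no, "jar": jar.hex(), "release_manager": rm_sig, "signers": got}

def run_release(signers, build_no, source, jar, rm_key, threshold=2):
    """One release attempt: the release manager signs source and binary, each
    automated signer independently decides, and the results are combined."""
    rm_sig = sign(rm_key, source + jar)
    sigs = {s.name: s.consider(build_no, source, jar) for s in signers}
    return assemble_insert(build_no, jar, rm_sig, sigs, threshold)
```

Every refusal is recorded in the signer's history, so a replayed or downgraded build number and a jar that does not match the tagged source both leave an auditable trace.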