On Sat, 2006-05-20 at 10:13 +0200, Thierry Carrez wrote: > Patrick Lauer wrote: > > > Signing strategies > > ================== > > > > Once there is an agreement on what files to sign with what kind of keys > > there remains the question how to sign it. There are at least three > > strategies: > > [...] > > I prefer a semi-secure solution appearing soon rather than waiting > another three+ years for a potentially better solution. A staged plan might be best then: - implement a simple master-key signing - discuss the more complex distributed models - implement the distributed models if agreed upon
> Currently users only have two choices : > > - masterkey-signed portage snapshots > - unsigned (and so, insecure) rsync mirrors > > This is obviously not satisfying. Yes. It also gives us ~100 single points of attacks as every compromised rsync mirror could go undetected for a long time. > It has taken years to try to get per-developer signing implemented, > without success. We should try to do masterkey signing ("simple" method) > and see if we go somewhere. It's is so much better than nothing. There is no authority that "forces" signing. Making signing mandatory should not cause big problems now ... > So I would rather work on ensuring everything in portage gets properly > signed rather than designing key policies, cross-signing strategies and > ways to force developers to sign properly. Given the current state of > Gentoo it is a much more reachable goal. "properly signed" implies some standard or policy to measure it against. So we need to have some agreement what is needed to assure "properly signed everything" - it looks like the centralized masterkey model will have the smallest impact on all involved. Then we look at all issues this model has, try to fix all bugs - then we have a plan to implement, and I hope that this will happen in a reasonable timeframe. Patrick -- Stand still, and let the rest of the universe move
signature.asc
Description: This is a digitally signed message part