On Sat, 2006-05-20 at 10:13 +0200, Thierry Carrez wrote: > Patrick Lauer wrote: > > > Signing strategies > > ================== > > > > Once there is an agreement on what files to sign with what kind of keys > > there remains the question how to sign it. There are at least three > > strategies: > > [...] > > I prefer a semi-secure solution appearing soon rather than waiting > another three+ years for a potentially better solution. A staged plan might be best then: - implement a simple master-key signing - discuss the more complex distributed models - implement the distributed models if agreed upon
> Currently users only have two choices :
>
> - masterkey-signed portage snapshots
> - unsigned (and so, insecure) rsync mirrors
>
> This is obviously not satisfying.
Yes. It also gives us ~100 single points of attacks as every compromised rsync
mirror could go undetected for a long time.
> It has taken years to try to get per-developer signing implemented,
> without success. We should try to do masterkey signing ("simple" method)
> and see if we go somewhere. It's is so much better than nothing.
There is no authority that "forces" signing.
Making signing mandatory should not cause big problems now ...
> So I would rather work on ensuring everything in portage gets properly
> signed rather than designing key policies, cross-signing strategies and
> ways to force developers to sign properly. Given the current state of
> Gentoo it is a much more reachable goal.
"properly signed" implies some standard or policy to measure it against.
So we need to have some agreement what is needed to assure "properly
signed everything" - it looks like the centralized masterkey model will
have the smallest impact on all involved. Then we look at all issues
this model has, try to fix all bugs - then we have a plan to implement,
and I hope that this will happen in a reasonable timeframe.
Patrick
--
Stand still, and let the rest of the universe move
signature.asc
Description: This is a digitally signed message part
