On 2015-08-15, at 10:50:02,
Andrew Savchenko <[email protected]> wrote:

> Hi,
> 
> On Fri, 14 Aug 2015 10:54:57 -0400 Rich Freeman wrote:
> > On Fri, Aug 14, 2015 at 8:45 AM, Kristian Fiskerstrand <[email protected]> 
> > wrote:
> > > They will be OpenPGP signed by a releng key during thickening and
> > > portage will auto-verify it using gkeys once things are in place. As
> > > such checksum for ebuilds and other files certainly needs to be part
> > > of the manifest, otherwise it can open up for malicious alterations of
> > > these files.
> > >
> > 
> > As much as I'd love to see it all folded into git, the reality is also
> > that git signatures are only bound to files by a series of sha1
> > hashes, and sha1 is not a strong hash function.  Git really ought to
> > move to sha256 at some point, preferably in a manner that makes it
> > expandable in the future to other hash functions.  But, this isn't a
> > high priority for upstream.
> > 
> > The same limitation is true of any git gpg signature, including tag
> > signatures.  It is all held together by sha1.  The manifest system is
> > much stronger.
>  
> OK, if manifests are that important, why not generate a full manifest
> during repoman commit? If we do not tamper with $Id$, the only file
> outside of this manifest will be the ChangeLog generated during rsync
> propagation. Then we have the following options:
> - do not sign ChangeLog: even if it is tampered with, little harm
> can be done, since it doesn't affect the live system or build process;
> - sign ChangeLog with the releng key;
> - sign developer-signed manifest + ChangeLog with the releng key. Thus
> we'll have a double signature for the most important files.

How about we switch back to CVS if we're going to kill git anyway? It'd
at least save our time wasted by these pointless discussions.

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>
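Rich's point that a git signature reaches the files only through a chain of SHA-1 hashes, and Andrew's proposal to rely on a full Manifest instead, as an added example (not code from this thread or from portage): the script recomputes git object ids the way git does (blob, tree, commit, and the payload a signed tag actually covers) and builds a Manifest2-style entry whose digests are taken over the file content itself. File names, contents, the "Example Dev" identity and timestamp are constructed; SHA256/SHA512 are chosen for illustration, the real digest set comes from the repository's configuration.

```python
import hashlib

def git_object_id(kind: bytes, body: bytes) -> str:
    """Object id exactly as git computes it: SHA-1 over "<type> <size>\\0<body>"."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def git_tree_id(files: dict) -> str:
    """files: {name: content}; regular files (mode 100644), entries sorted by name.
    The tree stores only each blob's raw 20-byte SHA-1, never the content."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(git_object_id(b"blob", files[name]))
        for name in sorted(files)
    )
    return git_object_id(b"tree", body)

def git_commit_id(tree_id: str, message: str) -> str:
    """Commit object; identities and timestamp are constructed for this example."""
    body = (f"tree {tree_id}\n"
            "author Example Dev <dev@example.invalid> 1439628602 +0200\n"
            "committer Example Dev <dev@example.invalid> 1439628602 +0200\n\n"
            f"{message}\n").encode()
    return git_object_id(b"commit", body)

def tag_signed_payload(commit_id: str, tag: str) -> str:
    """What a GPG-signed tag actually signs: the commit's SHA-1, nothing about the files."""
    return (f"object {commit_id}\ntype commit\ntag {tag}\n"
            f"tagger Example Dev <dev@example.invalid> 1439628602 +0200\n\n{tag}\n")

def manifest_entry(kind: str, name: str, content: bytes) -> str:
    """Manifest2-style line: type, name, size, then strong digests of the content itself."""
    return (f"{kind} {name} {len(content)} SHA256 {hashlib.sha256(content).hexdigest()} "
            f"SHA512 {hashlib.sha512(content).hexdigest()}")

def manifest_entry_ok(line: str, content: bytes) -> bool:
    """Verifier side: the size and every listed digest must match the file on disk."""
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 == 0 or int(fields[2]) != len(content):
        return False
    algos = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
    return all(a in algos and algos[a](content).hexdigest() == d
               for a, d in zip(fields[3::2], fields[4::2]))

if __name__ == "__main__":
    # Constructed sample tree: one ebuild and its metadata.xml.
    files = {"foo-1.0.ebuild": b"EAPI=5\nSLOT=\"0\"\n", "metadata.xml": b"<pkgmetadata/>\n"}
    commit = git_commit_id(git_tree_id(files), "foo: version bump")
    print(tag_signed_payload(commit, "v1"))
    print(manifest_entry("EBUILD", "foo-1.0.ebuild", files["foo-1.0.ebuild"]))
```

The tag payload contains a 40-hex-digit SHA-1 and nothing else about the files, whereas the Manifest entry must be recomputed from the file contents with each listed digest.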
