On Sat, 15 Aug 2015 09:53:37 +0200 Michał Górny wrote:
> On 2015-08-15, at 10:50:02
> Andrew Savchenko <[email protected]> wrote:
> 
> > Hi,
> > 
> > On Fri, 14 Aug 2015 10:54:57 -0400 Rich Freeman wrote:
> > > On Fri, Aug 14, 2015 at 8:45 AM, Kristian Fiskerstrand <[email protected]>
> > > wrote:
> > > > They will be OpenPGP signed by a releng key during thickening and
> > > > portage will auto-verify it using gkeys once things are in place. As
> > > > such checksum for ebuilds and other files certainly needs to be part
> > > > of the manifest, otherwise it can open up for malicious alterations of
> > > > these files.
> > > > 
> > > 
> > > As much as I'd love to see it all folded into git, the reality is also
> > > that git signatures are only bound to files by a series of sha1
> > > hashes, and sha1 is not a strong hash function. Git really ought to
> > > move to sha256 at some point, preferably in a manner that makes it
> > > expandable in the future to other hash functions. But, this isn't a
> > > high-priority for upstream.
> > > 
> > > The same limitation is true of any git gpg signature, including tag
> > > signatures. It is all held together by sha1. The manifest system is
> > > much stronger.
> > 
> > OK, if manifests are that important, why not generate full manifest
> > during repoman commit? If we do not tamper with $Id$, the only file
> > outside of this manifest will be ChangeLog generated during rsync
> > propagation. Then we have following options:
> > - do not sign ChangeLog: even if it will be tampered, little harm
> >   can be done, since it doesn't affect live system or build process;
> > - sign ChangeLog with releng key;
> > - sign developer-signed manifest + ChangeLog with releng key. Thus
> >   we'll have double signature for most important files.
> 
> How about we switch back to CVS if we're going to kill git anyway? It'd
> at least save our time wasted by these pointless discussions.
I don't understand your point. Please explain. I see nobody here talking
about killing git. I see people concerned that git is not cryptographically
secure enough, thus looking for gpg-signed manifests or other solutions.

Best regards,
Andrew Savchenko
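To make Rich's point about git signatures concrete, here is an added illustration that is not part of the list thread and not Portage or git code: it builds git-style blob, tree and commit objects by hand and shows that the bytes a commit signature covers contain only a tree id, so the ebuild contents are bound to the signature purely through the hash chain (sha1 by default; the `algo` parameter shows what a sha256 object id would look like). The author identity and the ebuild content are constructed sample values.

```python
import hashlib


def git_object_id(kind: str, payload: bytes, algo: str = "sha1") -> str:
    """Hash an object the way git does: header "<kind> <len>\\0" then payload."""
    h = hashlib.new(algo)
    h.update(f"{kind} {len(payload)}\0".encode())
    h.update(payload)
    return h.hexdigest()


def blob_id(data: bytes, algo: str = "sha1") -> str:
    return git_object_id("blob", data, algo)


def tree_id(entries: dict, algo: str = "sha1") -> str:
    """entries maps filename -> blob id (hex); regular files only (mode 100644).
    A tree stores the raw digest of each blob, nothing of the file content."""
    body = b""
    for name in sorted(entries):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(entries[name])
    return git_object_id("tree", body, algo)


def commit_object(tree: str, message: str) -> bytes:
    """Minimal commit body. A gpg commit signature is computed over exactly these
    bytes, which reference the files only via the tree id. Author is a constructed sample."""
    who = "Example Dev <dev@example.invalid> 1439632800 +0200"
    return f"tree {tree}\nauthor {who}\ncommitter {who}\n\n{message}\n".encode()


def signed_payload_for(files: dict, message: str, algo: str = "sha1"):
    """Return (commit id, commit bytes) for a flat set of files {name: content}."""
    tree = tree_id({n: blob_id(d, algo) for n, d in files.items()}, algo)
    body = commit_object(tree, message)
    return git_object_id("commit", body, algo), body


if __name__ == "__main__":
    # Constructed sample ebuild; a tampered copy yields a different chain of ids.
    good = {"foo-1.0.ebuild": b"EAPI=5\n"}
    bad = {"foo-1.0.ebuild": b"EAPI=5\nextra\n"}
    cid, body = signed_payload_for(good, "add foo")
    cid2, _ = signed_payload_for(bad, "add foo")
    print("signed bytes:\n" + body.decode())
    print("commit ids differ:", cid != cid2)
    print("sha256 commit id:", signed_payload_for(good, "add foo", "sha256")[0])
```

Only the commit body is signed; a second preimage for any blob or tree digest in the chain would leave both the signature and every id intact, which is why the thread argues that per-file Manifest hashes with a stronger digest add real protection.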
