Hi,

On Sun, 13 Dec 2015 18:36:51 +0100 Patrick Lauer wrote:
> Oh hey. We're in the future. Let's try to commit something to
> repo/gentoo.git!
> 
> So apparently we're signing things with gpg now, so let's read the
> official documentation.
> The [1] wiki seems to be the canonical location for such things.
> 
> Oh dear. The layout is VERY broken. See [2]. Which redirects to [3],
> which is a duplicate of [4], which has been closed because apparently
> the persons responsible don't understand how to internet.
> Since this bug is only about a year old I don't expect any progress soon
> - but fetching random crap from untrusted hosts is not a sane option.
> Especially since there is already a webserver, which is also trusted, so
> I'm confused why we're still having this conversation.
> 
> But hey, let's blindly fetch CSS from unknown, just to notice that this
> 'theme' needs JavaScript to display properly. Because reasons.
> 
> Why would I want to blindly execute code when reading the text of a
> wiki? Because, reasons. Because, future!

I agree with you that wikification of the documentation brings
security risks, especially due to sourcing of not-so-trusted
resources. But anyway wiki is just docs, one can read them in any
isolation environment of choice. Of course, a javascript-powered L3
cache attack may extract one's git key, but this kind of attack may
happen from any js-enabled site. So if someone prefers to go for
such high security levels, a physically isolated box should be used
for git purposes only — and this is what Linus does IIRC. Rackcdn
js is not an additional risk in real-life conditions IMO.

Also wiki is barely readable in the lightweight (and rather secure
due to lack of extra functions) browsers like elinks or lynx. This
irritates me, but is still tolerable in this imperfect world.

> Since signing is mandatory since the git migration, ahem, this means
> that no one in the last 5 months(!) actually followed the documentation
> (because that does NOT work!). I'm almost impressed, but, wow, this is
> enterprisey.

It is absolutely possible to create a correct gpg key, put it into
LDAP according to GLEP and to sign commits and pushes properly.
What is not currently possible is to verify the whole tree automatically.

I agree that gkeys needs more work. But we are all volunteers here.
You may help them if you are that interested in this
functionality.

What worries me more is that we still have no way for rsync users to
verify the portage tree (or Gentoo tree in the newspeak someone
prefers here). And most users use rsync.

> So, what can we do to make this whole story of 'commit (and push) to
> repo/gentoo.git' make sense? And why do I appear to be the only one to
> notice this chain of breakage?!

We need to complete the gkeys project, right? That's not all of the
story, but a start. So send patches :) As for the full story, we
still need to somehow verify the rsync tree. For now only snapshots are
verified.
 
Best regards,
Andrew Savchenko
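
As an added example (not part of Andrew's mail, nor of Gentoo's gkeys tooling), one way to automate the commit-signature check over a range of history using git's own `%G?` signature-status placeholder; the `verify_range` wrapper and its default range are assumptions, and the signers' public keys are assumed to be in the local gpg keyring.

```shell
#!/bin/sh
# Added example: audit a commit range for signature status so that an
# unsigned or badly signed commit is reported instead of silently accepted.
#
# Status codes git prints for --format=%G?:
#   G good signature             U good, key of unknown validity
#   B bad signature              X good but expired signature
#   Y good, made by expired key  R good, made by revoked key
#   E signature cannot be checked (e.g. key missing)
#   N no signature

# Reads lines of "<hash> <status> <signer>" on stdin, prints one line per
# commit that is not acceptably signed, and returns 1 if any was found.
# Only G and U are accepted: U means the signature verified but the key
# is not (yet) trusted in the local web of trust.
classify_signatures() {
    bad=0
    while read -r hash status signer; do
        [ -n "$hash" ] || continue
        case "$status" in
            G|U) ;;
            N)     echo "UNSIGNED  $hash"; bad=1 ;;
            B)     echo "BADSIG    $hash ($signer)"; bad=1 ;;
            E)     echo "UNCHECKED $hash (key unavailable)"; bad=1 ;;
            X|Y|R) echo "STALEKEY  $hash status=$status ($signer)"; bad=1 ;;
            *)     echo "UNKNOWN   $hash status=$status"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Assumed wrapper for real use inside a checkout: feed git's own output
# for the given range (default: the last 50 commits) to the classifier.
verify_range() {
    git log --format='%H %G? %GS' "${1:-HEAD~50..HEAD}" | classify_signatures
}
```

Run `verify_range origin/master..HEAD` before pushing, or over the whole history with a long-running job; a non-zero exit means at least one commit failed the check.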
