On 03/08/2015 08:02 AM, Mark Kubacki wrote:
> On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>>
>> And by default you cannot compare the result with any authoritative source.
> 
> 2015-03-08 0:26 GMT+01:00 Zac Medico <zmed...@gentoo.org>:
>>
>> Ideally, we can rely on security mechanisms built into git [1], possibly
>> involving signed commits.
> 
> Some brownfield thinking here, without GIT and not replacing GIT:
> 
> 1. Find and compile all directories two levels deep in a file
> "category.idx" and sign it.
> 2. Sign every Manifest.
> 3. Distribute that as usual.
> 
> Will need N+1 checks (N × Manifest + 1 × category present/missing) and
> doesn't break anything already deployed.

I think it's an unnecessary expenditure of effort to implement our own
Merkle tree, considering that git's Merkle tree is good enough for the
time being, and will likely implement stronger security soon enough.

> Contributors (individuals, teams) need to provide a public key before
> submitting, and the "mirror source" (authority) just checks against
> the author's signature 

Ideally, this signature check would be implemented as a server-side git
hook, so that a push would be automatically rejected if any of the
pushed commits lacked a good signature.

> and signs (1) and (2) with its own key
> ("official portage tree root key X"). That way, in the end, it's
> enough to announce only one signing key for every tree.

Or just rely on signed commits in git. We can automatically generate an
empty signed commit with the root key every 30 minutes or something like
that.

> (It's easier with binhosts, because all you need to sign is "Packages{,gz}".)

Yes, much easier. We might also want to embed signatures directly in
each binary package, so that they can be independently verified without
needing a copy of the original Packages file.
-- 
Thanks,
Zac
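The server-side hook Zac describes above, as an added illustration that is not code from the original thread or from Gentoo's infrastructure: a `pre-receive` hook that walks every commit a push would add and rejects the push unless each one carries a good signature. It relies on git's `%G?` placeholder (signature status letter) and `%GK` (signing key id), which exist in `git log --format`; the policy of accepting only status `G` (good and trusted) and the `classify()` helper are assumptions of this example.

```python
#!/usr/bin/env python3
"""Sketch of a git pre-receive hook: reject a push if any new commit
lacks a good signature.

git reports the signature status of a commit via the %G? placeholder:
  G good, B bad, U good but untrusted, X good but expired signature,
  Y good but expired key, R good but revoked key,
  E cannot be checked (e.g. key missing), N no signature at all.
"""
import subprocess
import sys

ZERO = "0" * 40  # "old" or "new" object id when a ref is created or deleted

# Policy assumption: only fully good signatures from keys the server's
# keyring marks as trusted are accepted. Accepting "U" as well would
# allow any key the server happens to have imported.
ACCEPTED = {"G"}


def classify(log_lines):
    """Parse `git log --format='%H %G? %GK'` output lines.

    Returns (accepted, rejected): accepted is a list of commit ids,
    rejected a list of (commit id, status letter, key id) tuples.
    """
    accepted, rejected = [], []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        if len(parts) < 2:
            # Malformed line: treat as unverifiable rather than silently accept.
            rejected.append((parts[0], "?", ""))
            continue
        sha, status = parts[0], parts[1]
        keyid = parts[2] if len(parts) > 2 else ""
        if status in ACCEPTED:
            accepted.append(sha)
        else:
            rejected.append((sha, status, keyid))
    return accepted, rejected


def new_commits(old, new):
    """Return `%H %G? %GK` lines for the commits a ref update would add."""
    rev_range = new if old == ZERO else f"{old}..{new}"
    out = subprocess.run(
        ["git", "log", "--format=%H %G? %GK", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.splitlines()


def main():
    # pre-receive reads "<old-id> <new-id> <refname>" lines on stdin.
    failed = False
    for line in sys.stdin:
        old, new, ref = line.split()
        if new == ZERO:  # ref deletion: nothing new to verify
            continue
        _, bad = classify(new_commits(old, new))
        for sha, status, keyid in bad:
            print(f"rejected {ref}: commit {sha[:12]} has signature "
                  f"status {status} (key {keyid or '-'})", file=sys.stderr)
            failed = True
    sys.exit(1 if failed else 0)


if __name__ == "__main__":
    main()
```

Installed as `hooks/pre-receive` in the bare repository, the hook makes git abort the whole push on a non-zero exit, so one unsigned commit in a batch rejects the batch. The status letters come from the server's own GnuPG keyring, so the server needs the contributors' public keys imported with an appropriate trust level; otherwise every good signature shows up as `U` or `E` and is refused under this policy.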