On 03/08/2015 08:02 AM, Mark Kubacki wrote:
> On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>>
>> And by default you cannot compare the result with any authoritative source.
>
> 2015-03-08 0:26 GMT+01:00 Zac Medico <zmed...@gentoo.org>:
>>
>> Ideally, we can rely on security mechanisms built into git [1], possibly
>> involving signed commits.
>
> Some brownfield thinking here, without GIT and not replacing GIT:
>
> 1. Find and compile all directories two levels deep in a file
> "category.idx" and sign it.
> 2. Sign every Manifest.
> 3. Distribute that as usual.
>
> Will need N+1 checks (N × Manifest + 1 × category present/missing) and
> doesn't break anything already deployed.

I think it's an unnecessary expenditure of effort to implement our own
Merkle tree, considering that git's Merkle tree is good enough for the
time being, and will likely implement stronger security soon enough.

> Contributors (individuals, teams) need to provide a public key before
> submitting, and the "mirror source" (authority) just checks against
> the author's signature

Ideally, this signature check would be implemented as a server-side git
hook, so that a push would be automatically rejected if any of the
pushed commits lacked a good signature.

> and signs (1) and (2) with its own key
> ("official portage tree root key X"). That way, in the end, it's
> enough to announce only one signing key for every tree.

Or just rely on signed commits in git. We can automatically generate an
empty signed commit with the root key every 30 minutes or something
like that.

> (It's easier with binhosts, because all you need to sign is "Packages{,gz}".)

Yes, much easier. We might also want to embed signatures directly in
each binary package, so that they can be independently verified without
needing a copy of the original Packages file.
--
Thanks,
Zac
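The server-side hook Zac describes, as an added illustration (not code from this thread or from Gentoo's infrastructure): a pre-receive hook that rejects a push if any newly pushed commit lacks a good signature. It assumes `git verify-commit` (git 2.1 or later) and that the committers' public keys are in the GPG keyring of the user the hook runs as; `VERIFY_COMMIT_CMD` and `LIST_CMD` are hypothetical overrides so the decision logic can be exercised without a repository.

```shell
#!/bin/sh
# pre-receive hook: reject the push if any newly pushed commit lacks a good
# signature. Added illustration, not Gentoo's own hook. Assumes git >= 2.1
# (git verify-commit) and that the committers' public keys are in the GPG
# keyring of the user the hook runs as. VERIFY_COMMIT_CMD and LIST_CMD are
# hypothetical overrides so the logic can be exercised without a repository.

ZERO=0000000000000000000000000000000000000000

# verify_commit SHA: 0 if git reports a good signature, non-zero otherwise.
# Note: this only checks that the signature is valid for a key in the keyring;
# restricting signers to an allow-list of fingerprints is a deployment matter.
verify_commit() {
    ${VERIFY_COMMIT_CMD:-git verify-commit} "$1" >/dev/null 2>&1
}

# list_new_commits OLD NEW: print the commits this ref update makes reachable.
list_new_commits() {
    if [ "$1" = "$ZERO" ]; then
        # brand-new ref: everything not already reachable from existing refs
        git rev-list "$2" --not --all
    else
        git rev-list "$1..$2"
    fi
}

# check_push: read "old new ref" lines from stdin (the pre-receive protocol);
# return 1 if any new commit on any updated ref fails verification.
check_push() {
    status=0
    while read -r old new ref; do
        # a ref deletion brings no new commits to verify
        [ "$new" = "$ZERO" ] && continue
        for sha in $(${LIST_CMD:-list_new_commits} "$old" "$new"); do
            if ! verify_commit "$sha"; then
                echo "rejected $ref: commit $sha has no good signature" >&2
                status=1
            fi
        done
    done
    return $status
}

# Only evaluate the push when git actually invokes this file as the hook.
if [ "${0##*/}" = pre-receive ]; then
    check_push || exit 1
fi
```

Install it as `hooks/pre-receive` (executable) in the bare repository that mirrors receive pushes into; git then feeds it one `old new ref` line per updated ref.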