[gentoo-dev] Individual developer signing

2009-12-03 Thread Torsten Veller
* Robin H. Johnson robb...@gentoo.org:
> The GLEP on Individual developer signing has not made it into a Draft
> yet.
>
> But you can view the very brief version here:
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup

[...]

> >  2.  Every developer signs everything 100% of the time (make it a QA
> >  check).
> +1 on this.

In the GLEPs I missed the point where the signatures of Manifests are verified.
Only the MetaManifest gets verified.

So what's the advantage of individually signed Manifests?

The only thing we can check: Is the key used for signing listed in ldap
(and thus in the keyring of automated Gentoo keys)? Are the keys in ldap
really mine?

Am I missing anything?


BTW: About a third of the Manifests are signed [1]. We didn't improve
since 2005/2006 [2]. The two parties are working hard against each other [3].
55 Manifests are signed by revoked keys [4].

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
[2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
[3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
[4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt



Re: [gentoo-dev] Individual developer signing

2009-12-03 Thread Thilo Bangert
> BTW: About a third of the Manifests are signed [1].

If we really want to get there, maybe repoman should give a _small_
warning, starting now.

I don't sign my commits and have seen how my commits removed signatures of
others. I am not proud of it - but given that these are apparently never
checked in any way, then no harm is done... or what?

Thilo




Re: [gentoo-dev] Individual developer signing

2009-12-03 Thread Robin H. Johnson
On Thu, Dec 03, 2009 at 11:32:42AM +0100, Torsten Veller wrote:
> * Robin H. Johnson robb...@gentoo.org:
> > The GLEP on Individual developer signing has not made it into a Draft
> > yet.
> >
> > But you can view the very brief version here:
> > http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup
>
> [...]
>
> > >  2.  Every developer signs everything 100% of the time (make it a QA
> > >  check).
> > +1 on this.
>
> In the GLEPs I missed the point where the signatures of Manifests are
> verified.
> Only the MetaManifest gets verified.
GLEP58:
under Procedure for verifying an item in the MetaManifest
4.2: M2-verifying the contents of the Manifest.

Where M2-verify is the verb describing the verification of a Manifest.
It _may_ include signature validation.

> So what's the advantage of individually signed Manifests?
Basically making sure that your SSH keys weren't stolen.
They explicitly protect the commit from the developer to infrastructure.

MetaManifest protects the integrity of the contents from infrastructure
out to the user. It does NOT validate the functionality of the tree or
any prior injection.

> The only thing we can check: Is the key used for signing listed in ldap
> (and thus in the keyring of automated Gentoo keys)? Are the keys in ldap
> really mine?
> Am I missing anything?
Later on I'd like to REJECT unsigned commits.

> BTW: About a third of the Manifests are signed [1]. We didn't improve
> since 2005/2006 [2]. The two parties are working hard against each other [3].
> 55 Manifests are signed by revoked keys [4].
> [1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
> [2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
> [3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
> [4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt
Nice graphs. Can you show them over a larger timespan?

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
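Torsten's question (is the signing key one that LDAP lists for a developer?) and his observation that 55 Manifests carry signatures from revoked keys, together with Robin's point that an individual signature only protects the developer-to-infrastructure hop, all reduce to one policy decision that gpg does not make for you: a signature by a revoked key is cryptographically valid, and gpg reports it as such alongside the revocation. The following Python is an added example, not repoman or Gentoo infrastructure code. It runs gpg with --status-fd on a clearsigned Manifest and maps the machine-readable status keywords to accept or reject. The fingerprint table standing in for the LDAP-derived keyring, the developer nicks and the status lines are constructed for the example; the optional committer cross-check assumes the committing developer's nick is available from the commit record.

```python
"""Policy decision on a Manifest's OpenPGP signature from gpg status output.

gpg does the cryptography; this code decides whether the result is
acceptable: the signature must be good AND made by a key currently listed
for a developer (the keyring derived from LDAP).  A signature by a revoked
or expired key verifies mathematically but is rejected here, which is the
"Manifests signed by revoked keys" case.  Added example, not Gentoo code.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for the LDAP-derived developer keyring:
# primary key fingerprint -> developer nick.  Hypothetical values.
LDAP_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "alice",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF": "bob",
}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None
    developer: Optional[str] = None


def gpg_status(manifest_path: str, keyring_path: str) -> list:
    """Run gpg on a clearsigned Manifest and return its '[GNUPG:] ...' lines.

    --status-fd is gpg's stable machine interface; the human-readable
    output on stderr is deliberately ignored.  Not exercised by the tests.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", manifest_path],
        capture_output=True, text=True, check=False)
    return [l for l in proc.stdout.splitlines() if l.startswith("[GNUPG:] ")]


def judge(status: Iterable[str], allowed=LDAP_KEYS,
          committer: Optional[str] = None) -> Verdict:
    """Map gpg status keywords to an accept/reject decision.

    REVKEYSIG and EXPKEYSIG are emitted *in addition to* VALIDSIG, so a
    checker that only looks for VALIDSIG accepts a revoked key.  Fatal
    keywords are therefore collected first and take precedence.
    """
    primary_fpr = None
    fatal = None
    for line in status:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw in ("BADSIG", "ERRSIG"):
            fatal = fatal or "bad or unverifiable signature"
        elif kw == "NO_PUBKEY":
            fatal = fatal or "signing key not in keyring"
        elif kw == "REVKEYSIG":
            fatal = fatal or "signing key is revoked"
        elif kw == "EXPKEYSIG":
            fatal = fatal or "signing key has expired"
        elif kw == "NODATA":
            fatal = fatal or "no OpenPGP data found (unsigned Manifest)"
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo>
            #          <hashalgo> <class> [<primary-fpr>]
            # Match on the primary key: LDAP lists primary fingerprints,
            # and a developer may sign with a subkey.
            primary_fpr = fields[11] if len(fields) > 11 else fields[2]
    if fatal:
        return Verdict(False, fatal, primary_fpr)
    if primary_fpr is None:
        return Verdict(False, "gpg reported no valid signature")
    dev = allowed.get(primary_fpr)
    if dev is None:
        return Verdict(False, "key not listed in LDAP for any developer", primary_fpr)
    if committer is not None and dev != committer:
        return Verdict(False, f"signed by {dev} but committed by {committer}",
                       primary_fpr, dev)
    return Verdict(True, "good signature by a listed developer key", primary_fpr, dev)


# Constructed status output for three Manifests (not captured from a real run).
STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-12-03 "
    "1259837562 0 4 0 17 2 01 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
STATUS_REVOKED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] REVKEYSIG 89ABCDEF01234567 Alice Example <alice@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-12-03 "
    "1259837562 0 4 0 17 2 01 0123456789ABCDEF0123456789ABCDEF01234567",
]
STATUS_UNLISTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FEDCBA9876543210 Mallory <mallory@example.net>",
    "[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210 2009-12-03 "
    "1259837562 0 4 0 17 2 01 FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210",
]

if __name__ == "__main__":
    for name, st in (("good", STATUS_GOOD), ("revoked", STATUS_REVOKED),
                     ("unlisted", STATUS_UNLISTED), ("unsigned", ["[GNUPG:] NODATA 1"])):
        v = judge(st)
        print(f"{name:9s} ok={v.ok!s:5s} {v.reason}")
```

In a repoman-style QA check the interesting counter is how often `judge` returns the "revoked" and "not listed" reasons rather than the plain "unsigned" one: those are the Manifests that look signed to a casual `gpg --verify` but would not survive the policy above.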