Re: [gentoo-dev] Commit signing for metadata/* repos

2017-01-08 Thread Luis Ressel
On Sun, 8 Jan 2017 10:40:15 -0500
Mike Gilbert wrote:

> The content of gentoo-news.git should already be covered by the
> detached signatures that are required to be present for each file.
> What is the benefit to requiring the commits themselves be signed?

Oh, I didn't know about those file signatures. But I think signing the
commits would make sense nonetheless, as this offers some advantages:

* Commit signatures are easy to verify: Everyone who is interested in
  verifying their /usr/portage image will already have an infrastructure
  in place to verify commit signatures, because that's how things are
  done for repo/gentoo.git.

* The detached news signatures are nontrivial to verify (in an
  automated fashion): Just looping over all news files in the repo and
  verifying their signatures is not an option, because some of the
  signatures on older news items can't be verified anymore (expired
  keys, signatures by retired devs, etc.). Hence, one will have to
  write some code to verify just the new news items introduced after a
  git pull.

* Commit signatures have slightly better security guarantees: If we
  only verify the detached signatures, attackers can still mess around
  with the commit graph; in particular, an MITM attacker could silently
  drop some of the news during a pull. With commit signatures, the only
  way for the attacker to achieve this is to pretend there aren't any
  new commits at all (something the user would probably notice after a
  while).

At the same time, I don't see any disadvantages to requiring commit
signatures; does anyone else?

Regards,
Luis Ressel
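The three points above (verify commit signatures with the tooling one already has, check detached signatures only on the news items a pull introduced, and notice when the commit graph itself has been tampered with) can be combined in one post-pull check. The script below is an added example written for this page; it is not part of the thread and not a Gentoo tool. It assumes the GLEP 42 layout in which each news item is `<item>/<item>.<lang>.txt` with a detached signature `<item>/<item>.<lang>.txt.asc`, that `ORIG_HEAD` still points at the tip before the pull, and that `GNUPGHOME` has been pointed at a keyring holding only the keys trusted for this repository; all of those are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the gentoo-dev thread or from any Gentoo tool.
# After a `git pull` of a news repository this checks that
#   1. the pull was a fast-forward (old tip is an ancestor of the new one),
#      so a replaced commit graph is not silently accepted;
#   2. every commit between the old and the new tip carries a good signature;
#   3. the detached signatures verify on only the news files those commits
#      added or changed, so old items signed with expired/retired keys are
#      never revisited.
# Assumed layout (an assumption of this example):
#   <item>/<item>.<lang>.txt  plus detached  <item>/<item>.<lang>.txt.asc
# GNUPGHOME should name a keyring containing only keys trusted for this repo.

GPG="${GPG:-gpg}"

# Read changed paths (one per line, as `git diff --name-only` prints them)
# and emit "<file> <sig>" pairs for every news text file, whether the file,
# its signature or both changed. Pure text processing: needs no git or gpg.
news_pairs() {
    sed -n -e 's/\.asc$//' -e '/\.txt$/p' | sort -u | while IFS= read -r f; do
        case "$f" in
            */*.txt) printf '%s %s.asc\n' "$f" "$f" ;;
        esac
    done
}

# verify_new OLD NEW -- OLD is the tip before the pull, NEW the tip after.
# Returns 0 only when every check passes; problems are reported on stderr.
verify_new() {
    old=$1 new=$2 status=0

    # 1. Fast-forward only: anything else means commits were replaced,
    #    which a per-file signature check alone would never notice.
    if ! git merge-base --is-ancestor "$old" "$new"; then
        echo "FAIL: $old is not an ancestor of $new (history rewritten?)" >&2
        return 1
    fi

    # 2. Each new commit must verify against a key in our keyring.
    for c in $(git rev-list "$old..$new"); do
        if ! git verify-commit "$c" 2>/dev/null; then
            echo "FAIL: bad or missing commit signature on $c" >&2
            status=1
        fi
    done

    # 3. Detached signatures, but only for news files this pull touched.
    #    The here-document keeps the loop in the current shell so that
    #    `status=1` survives the loop.
    pairs=$(git diff --name-only --diff-filter=ACMR "$old" "$new" | news_pairs)
    while read -r f sig; do
        [ -n "$f" ] || continue
        if [ ! -f "$sig" ]; then
            echo "FAIL: $f has no detached signature $sig" >&2
            status=1
        elif ! "$GPG" --verify "$sig" "$f" 2>/dev/null; then
            echo "FAIL: detached signature on $f does not verify" >&2
            status=1
        fi
    done <<EOF
$pairs
EOF

    return $status
}

# Usage: verify-news.sh OLD NEW   (e.g. verify-news.sh ORIG_HEAD HEAD)
if [ "$#" -eq 2 ]; then
    verify_new "$1" "$2"
    exit $?
fi
```

Two caveats a practitioner would want: `git verify-commit` accepts a good signature from any key in the keyring regardless of its trust level unless `gpg.minTrustLevel` is raised, so restricting the keyring (or setting that option) is what actually binds the check to developer keys; and the fast-forward test only catches a rewritten graph, not a server that simply withholds the newest commits, which is the residual attack Luis describes and can only be noticed by the user over time.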



Re: [gentoo-dev] Commit signing for metadata/* repos

2017-01-08 Thread Mike Gilbert
On Sat, Jan 7, 2017 at 4:24 PM, Luis Ressel wrote:
> Hello,
>
> there are some additional git repositories which need to be added to
> metadata/ subdirectories to make the 'gentoo' git repository usable
> for /usr/portage. Specifically, those are dtd, glsa, news and
> xml-schema.
>
> It'd be great if developers could sign their commits in these repos,
> too. (I don't really care about dtd and xml-schema, but for the other
> two, I think this would make much sense.)
>
> Currently, it looks like commits to xml-schema aren't signed at all,
> all commits to glsa are signed, and commits to the other two repos are
> partly signed.

The content of gentoo-news.git should already be covered by the
detached signatures that are required to be present for each file.
What is the benefit to requiring the commits themselves be signed?



[gentoo-dev] Commit signing for metadata/* repos

2017-01-07 Thread Luis Ressel
Hello,

there are some additional git repositories which need to be added to
metadata/ subdirectories to make the 'gentoo' git repository usable
for /usr/portage. Specifically, those are dtd, glsa, news and
xml-schema.

It'd be great if developers could sign their commits in these repos,
too. (I don't really care about dtd and xml-schema, but for the other
two, I think this would make much sense.)

Currently, it looks like commits to xml-schema aren't signed at all,
all commits to glsa are signed, and commits to the other two repos are
partly signed.

Regards,
Luis Ressel