Hiram Chirino wrote:
Agreed. I never argued against this. But I fail to see the point?
Are you saying initial trust is hard to secure? I totally agree on
that point. You have any solutions?
Yes. You sign your package locally, never on the remote system. The ASF
hardware must never have your gpg signing key. And nobody trusts that
package without observing a valid gpg signature, especially not software
that is "blindly" installed (e.g. maven, other automated installers).
The security hole we perceive is that ASF packages are blindly created
using maven, relying on the fact that no machine that had touched that
dependent artifact or transmitting it had been compromised.
If the key is compromised, it's your job to revoke it. But there's a long
discussion about revocation trust, let's not go there.
If it were cracked again, MD5 signatures would not be trusted, and all of
those resources would be wiped if there were no gpg keys available to
validate the packages.
Are you saying even the source code/svn would be wiped? If that's the
case we would have a real tragedy on our hands. I hope we kept good
backups.
Yes; and we have backups. We even have a mirror to retrace precisely what
commits happened after the breach, and determine if we want to reapply them
(presuming for a moment that the mirror could not be compromised).
It's configurable. We can default to whatever algorithm you think is
the most secure for the foreseeable future.
Since the hash is not security, it's not terribly important, eh?
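As an added illustration (not code from this thread or from the ASF) of what "nobody trusts that package without observing a valid gpg signature" means on the installer side: a POSIX sh check that pins the release signer's fingerprint, parses gpg's machine-readable status output, and treats a matching .md5 as integrity only, never as trust. The fingerprint, file names and keyring path are placeholders, and the status lines in the test are constructed.

```shell
#!/bin/sh
# Installer-side verification of a downloaded artifact. An .md5 file only
# shows the bytes match what the mirror served; it says nothing about who
# built them. Authenticity comes from a detached gpg signature made on the
# developer's own machine with a key whose fingerprint we obtained out of
# band (e.g. a KEYS file over a trusted channel) and pinned here.

# Placeholder fingerprint, constructed for this example.
TRUSTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Parse the output of `gpg --status-fd 1 --verify` read from file $1.
# Returns 0 only if gpg reported VALIDSIG and the signing key (or its
# primary key) has the pinned fingerprint. A GOODSIG from any other key,
# or BADSIG/ERRSIG/NODATA/expired/revoked, is a failure.
check_gpg_status() {
    _valid=1
    while read -r prefix keyword arg1 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # arg1 = signing-key fingerprint; last field of rest = primary
                # key fingerprint (present on modern gpg, absent on old ones).
                primary=${rest##* }
                if [ "$arg1" = "$TRUSTED_FPR" ] || [ "$primary" = "$TRUSTED_FPR" ]; then
                    _valid=0
                fi
                ;;
            BADSIG|ERRSIG|NODATA|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done < "$1"
    return $_valid
}

# $1 artifact, $2 detached signature (.asc), $3 keyring holding only the
# pinned release keys (no web-of-trust lookups, no keyserver fetches).
verify_artifact() {
    status=$(mktemp) || return 1
    gpg --batch --no-default-keyring --keyring "$3" --status-fd 1 \
        --verify "$2" "$1" >"$status" 2>/dev/null
    check_gpg_status "$status"
    rc=$?
    rm -f "$status"
    return $rc
}

# Integrity-only check; a match here must NOT be treated as authentication.
md5_matches() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$2")" ]
}
```

Run as `verify_artifact foo.jar foo.jar.asc /path/to/release-keys.gpg || exit 1` before anything unpacks or executes the artifact; an md5_matches success alone should never gate installation.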