On Thu, 03 Apr 2008 13:17:51 +0100 Mike Auty <[EMAIL PROTECTED]> wrote: > Ciaran McCreesh wrote: > | Signing offers no protection against a malicious developer. > > I had envisaged a system whereby when the tree was synced, as was some > kind of master signed list of all acceptable dev-keys. Every package > would also be signed, and would only be installed when signed. As > soon as a dev becomes a liability their key is removed from the > list/revoked. ~ On next sync any packages or package upgrades signed > after the time of revocation would not be installed. There would be > a window of vulnerability, but no bigger than with revoking a dev's > access to the tree. Do you think this would offer suitable > protection for users from a malicious dev or not?
Nope. In fact, using such a system, there are ways of getting in code that doesn't get triggered until someone's key gets invalidated. And if you are worrying about malicious developers, you need to worry about malicious infra people too. An infra member throwing his toys out of the pram can do much more lasting damage than someone who can get some global scope nastiness into an ebuild for an hour or two... -- Ciaran McCreesh
signature.asc
Description: PGP signature
