Ciaran McCreesh wrote:
On Thu, 03 Apr 2008 13:17:51 +0100
Mike Auty <[EMAIL PROTECTED]> wrote:
Ciaran McCreesh wrote:
| Signing offers no protection against a malicious developer.
I had envisaged a system whereby when the tree was synced, as was some
kind of master signed list of all acceptable dev-keys. Every package
would also be signed, and would only be installed when signed. As
soon as a dev becomes a liability their key is removed from the
list/revoked. ~ On next sync any packages or package upgrades signed
after the time of revocation would not be installed. There would be
a window of vulnerability, but no bigger than with revoking a dev's
access to the tree. Do you think this would offer suitable
protection for users from a malicious dev or not?
Nope. In fact, using such a system, there are ways of getting in code
that doesn't get triggered until someone's key gets invalidated.
By this reasoning you shouldn't use passwords ...
The idea is to limit the attack vectors and make simple attacks much
harder. A sophisticated "hacker" could just rent a busload of angry
serbians, kidnap 12 developers and force them to do some subtle changes
in many places. But is that likely to happen?
And if you are worrying about malicious developers, you need to worry
about malicious infra people too. An infra member throwing his toys out
of the pram can do much more lasting damage than someone who can get
some global scope nastiness into an ebuild for an hour or two...
That has nothing to do with the discussion ... and I don't see how infra
could manipulate the signatures in a useful way apart from adding keys
or removing some from the official keyring ...
This they could do at the moment by manipulating the cvs to rsync copy
process, but I'm not aware of something like that happening. So you
might want to have a marginal trust in people and not accuse them of
things they might do in the future ...
--
gentoo-dev@lists.gentoo.org mailing list
