Mike Auty wrote:
Ciaran McCreesh wrote:
|
| Signing offers no protection against a malicious developer.
|
I had envisaged a system whereby when the tree was synced, so was some
kind of master-signed list of all acceptable dev keys. Every package
would also be signed, and would only be installed when signed. As soon
as a dev becomes a liability their key is removed from the list/revoked.
On next sync any packages or package upgrades signed after the time of
revocation would not be installed. There would be a window of
vulnerability, but no bigger than with revoking a dev's access to the
tree. Do you think this would offer suitable protection for users from
a malicious dev or not?
There has been some previous work which has never been finalized, for
all interested parties:
http://viewcvs.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/
Getting this cleaned up and ready for discussion would be quite valuable.
I understand there are difficulties with eclasses, etc., which is why the
current implementation is still not widely used or mandated, but I'm
more interested in the feasibility of the idea.
It can be done if people can agree to a policy and allow the
programmatic and infrastructural changes to happen.
Have fun,
Patrick
--
gentoo-dev@lists.gentoo.org mailing list
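The scheme Mike sketches above (a master-signed list of acceptable dev keys synced with the tree, every package signed, and packages signed at or after a key's revocation time refused), as an added example that is not part of the original thread and not Gentoo's own tree-signing code. It assumes Ed25519 keys in place of GPG, an assumed plain-text encoding for the key list and the signed package body, and constructed developer names ("alice", "mallory"), a constructed package name and manifest line, and a constructed revocation timestamp:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// KeyEntry is one line of the master-signed list of acceptable developer keys.
// RevokedAt is a Unix timestamp; 0 means the key is still trusted.
type KeyEntry struct {
	Dev       string
	Pub       ed25519.PublicKey
	RevokedAt int64
}

// KeyList is what the user syncs alongside the tree: the entries plus a
// master-key signature over Encode(), so an edited list is detected.
type KeyList struct {
	Entries []KeyEntry
	Sig     []byte
}

// Encode is the assumed canonical text form that the master key signs.
func (kl *KeyList) Encode() []byte {
	var b strings.Builder
	for _, e := range kl.Entries {
		fmt.Fprintf(&b, "%s %s %d\n", e.Dev, hex.EncodeToString(e.Pub), e.RevokedAt)
	}
	return []byte(b.String())
}

// SignedPackage is a package (here just its manifest) signed by one developer.
// SignedAt is part of the signed bytes so it cannot be changed afterwards, but
// it is asserted by the signer, not by a trusted timestamp service.
type SignedPackage struct {
	Name     string
	Manifest []byte
	Dev      string
	SignedAt int64
	Sig      []byte
}

func (p *SignedPackage) signedBody() []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%s", p.Name, p.SignedAt, p.Manifest))
}

var (
	ErrBadMasterSig = errors.New("key list: bad master signature")
	ErrUnknownDev   = errors.New("package: signing key is not in the key list")
	ErrRevoked      = errors.New("package: signed at or after key revocation")
	ErrBadSig       = errors.New("package: bad developer signature")
)

// VerifyPackage is the install-time check: valid master signature on the list,
// developer listed, signature made before any revocation, developer signature valid.
func VerifyPackage(master ed25519.PublicKey, kl *KeyList, p *SignedPackage) error {
	if !ed25519.Verify(master, kl.Encode(), kl.Sig) {
		return ErrBadMasterSig
	}
	for _, e := range kl.Entries {
		if e.Dev != p.Dev {
			continue
		}
		if e.RevokedAt != 0 && p.SignedAt >= e.RevokedAt {
			return ErrRevoked
		}
		if !ed25519.Verify(e.Pub, p.signedBody(), p.Sig) {
			return ErrBadSig
		}
		return nil
	}
	return ErrUnknownDev
}

// Scenario runs four constructed cases against a list in which alice's key has
// been revoked: a package alice signed before revocation, one signed after it,
// one from an unlisted key, and a list edited to drop the revocation without re-signing.
func Scenario() (before, after, unknown, tampered error) {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	const revokedAt int64 = 1_700_000_000 // constructed revocation instant
	kl := &KeyList{Entries: []KeyEntry{{Dev: "alice", Pub: alicePub, RevokedAt: revokedAt}}}
	kl.Sig = ed25519.Sign(masterPriv, kl.Encode())

	sign := func(dev string, priv ed25519.PrivateKey, at int64) *SignedPackage {
		p := &SignedPackage{Name: "app-misc/foo-1.0", Dev: dev, SignedAt: at,
			Manifest: []byte("DIST foo-1.0.tar.gz 1234 SHA256 0000")} // constructed manifest line
		p.Sig = ed25519.Sign(priv, p.signedBody())
		return p
	}
	before = VerifyPackage(masterPub, kl, sign("alice", alicePriv, revokedAt-3600))
	after = VerifyPackage(masterPub, kl, sign("alice", alicePriv, revokedAt+3600))
	unknown = VerifyPackage(masterPub, kl, sign("mallory", malloryPriv, revokedAt-3600))
	forged := &KeyList{Entries: []KeyEntry{{Dev: "alice", Pub: alicePub}}, Sig: kl.Sig}
	tampered = VerifyPackage(masterPub, forged, sign("alice", alicePriv, revokedAt+3600))
	return
}

func main() {
	before, after, unknown, tampered := Scenario()
	fmt.Println("signed before revocation:", before)
	fmt.Println("signed after revocation: ", after)
	fmt.Println("unlisted key:            ", unknown)
	fmt.Println("tampered key list:       ", tampered)
}
```

Two points the example makes visible. The revocation cut-off only bites once the user has synced the updated list, which is the window Mike describes. Separately, because the signing time is asserted by the signer, a developer whose key is still listed can backdate a signature; a revocation time therefore limits what a stolen or no-longer-trusted key can do after the list is updated, but it is not a substitute for pulling the packages that a malicious developer committed while the key was valid.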