On Fri, Mar 25, 2011 at 7:28 PM, Mike Frysinger <vap...@gentoo.org> wrote: > On Fri, Mar 25, 2011 at 2:57 PM, Dane Smith wrote: >> On 03/25/2011 02:46 PM, Mike Frysinger wrote: >>> On Fri, Mar 25, 2011 at 4:53 AM, Andreas K. Huettel wrote: >>>> Of course now we can add additional requirements: >>>> >>>> * The key must have an userid that refers to an official Gentoo e-mail >>>> address. E.g. dilfri...@gentoo.org >>> >>> no. there's no reason for this requirement, and it prevents proxy >>> maintenance long term. e-mail addresses do not verify identity, >>> verifying identify verifies identity. this is the point of the web of >>> trust. >> >> We are somewhat limited in the amount that we can verify "identity." >> Sure you can get a decent web of trust from signing the keys of people >> you've met at conferences, however, there will be people outside of that >> web. > > creating one "tree key" which signs all developer keys listed in LDAP > is trivial to do > >> What we need to verify is rather that the person who made the >> commit is someone who is authorized to make the commit and that it was >> in no way tampered with. > > you're validating only that the machine with access to the private > keys pushed up the commit. hopefully the only person with said > machine is the one we recruited. > -mike > >
Coming back around to the earlier discussion of Alice who has her key signed by robbat2 (because he loves keysigning parties) and then Alice breaks into cvs.gentoo.org and commits evil code into the tree. If we cannot stop this attack because we are relying on a chain of trust (and Alice is in the chain) can we at least detect the attack? As it appears to me; I am much more likely to somehow manipulate the chain in trust in an incorrect way (such as at a keysigning hibjib) as opposed to adding some random strangers key to a master list on dev.gentoo.org or in LDAP. The former action is essentially an innocent act with non-obvious (to me) repercussions and the latter is an act with really only one intent. I don't care about GPG at all. I hate it. I don't want to know how it works and I don't want developers who are in the same boat as me to fuck it up because they don't know what they are doing. I don't have commit-bit to gentoo-x86 so I don't have a big stake in this ;)
