On Mon, 30 Mar 2015 05:37:01 +0000 (UTC) Duncan wrote: > Andrew Savchenko posted on Sun, 29 Mar 2015 21:04:52 +0300 as excerpted: > > > On Sun, 29 Mar 2015 19:52:38 +0200 Sebastian Pipping wrote: > >> On 29.03.2015 19:39, Andrew Savchenko wrote: > >> > On Sun, 29 Mar 2015 18:41:33 +0200 Sebastian Pipping wrote: > >> >> So I would like to propose that > >> >> > >> >> * support for Git access through https:// is activated, > >> >> > >> >> * Git access through http:// and git:// is deactivated, and > >> > > >> > Some people have https blocked. http:// and git:// must be available > >> > read-only. > >> > >> They would not do online banking over http, right? Why would they run > >> code with root privileges from http? > > > > Gentoo tree access is not even near on the same security scale as online > > banking. > > The point is, if the gentoo tree is compromised and you install from it, > everything you run including that online banking is now effectively > compromised, so it most certainly *IS* at the same security scale as that > online banking. Weakest link in the chain and all that...
The Gentoo tree is not verified anyway: mirrors distribute it via http, rsync and ftp. And using https for that will create a tremendous stress on mirror's CPUs, so this is a bad approach. Not to mention that https itself is very hapless protocol with tons of vulnerabilities (all SSL versions are affected and most TLS implementations). A proper solution will be to use cryptographic verification of downloaded files. Right now we have signed manifests and manifests can be used to verify all other data (ebuilds, distfiles, patches and so on). This is much more reliable solution, since it allows to verify data integrity even for compromised data channels or any infrastructure part not related to keys distribution or signing. What we really need is a tool to do such verification. This is work in progress now afaik. Best regards, Andrew Savchenko
pgp2NewmxTXpU.pgp
Description: PGP signature
