On Mon, Jul 2, 2018 at 10:36 AM, Jason A. Donenfeld <zx...@gentoo.org> wrote:
> Hey guys,
>
> While our infrastructure team has some nice technical competence, the
> recent disaster and ongoing embarrassing aftermath has made ever more
> urgent the need to have end-to-end signatures between developers and
> users. While the infrastructure team seems fairly impressive at
> deploying services and keeping the house running smoothly, I'd rather
> we don't place additional burden on them to do everything they're
> doing securely. Specifically, I'd like to ensure that 100% of Gentoo's
> infrastructure can be hacked, yet not backdoor a single witting user
> of the portage tree. Right now, as it stands, rsync distributes
> signatures to users that are derived from some
> infrastructure-controlled keys, not from the developers themselves.
>
> Proposal:
> - Sign every file in the portage tree so that it has a corresponding
> .asc. Repoman will need support for this.

Signed hashes should be faster, no? Each directory with files could
have a manifest.

> - Ensure the naming scheme of portage files is sufficiently strict, so
> that renaming or re-parenting signed files doesn't result in RCE. [*]
> - Distribute said .asc files with rsync per usual.

Rsync would work with this setup, but there is also webrsync-gpg in
Portage right now. This covers the vast majority of use cases right
now. There is often no need to sync more than once per day.

Speaking of, the keys for that have lapsed. Will they be updated?

Cheers,
     R0b0t1
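The per-directory signed-hash manifest suggested in the reply, together with the rename/re-parenting check raised in the quoted proposal, as an added example that is not from this thread, from Portage or from repoman. It is written in Go so that it runs offline with only the standard library: Ed25519 stands in for the developers' OpenPGP keys, an in-memory map stands in for a directory of the tree, and the `DIR`/`FILE ... SHA512` line format and the `validName` rule are this example's own assumptions, not Gentoo's Manifest format or naming policy. The point it makes: because the directory path and every file name are inside the signed bytes, a user who verifies against the developer's key rejects a modified file, a renamed file, an added file and a whole directory re-parented under another package, regardless of what happens on infrastructure or over rsync.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Tree stands in for one directory of the portage tree (file name -> contents);
// it is constructed in memory so the example runs offline.
type Tree map[string][]byte

// Manifest is the signed record for one directory: the canonical text the
// developer signed and the Ed25519 signature over it.
type Manifest struct{ Body, Sig []byte }

// validName is this example's strict naming rule (an assumption, not Gentoo's):
// a bare file name that cannot escape the directory the manifest covers.
func validName(n string) bool {
	return n != "" && n != "." && n != ".." && !strings.ContainsAny(n, "/\\ \t\r\n")
}

// BuildManifest renders the canonical text that gets signed. The directory path
// and every file name are inside the signed bytes, so a rename or re-parenting
// breaks verification just as editing a file does.
func BuildManifest(dir string, t Tree) ([]byte, error) {
	names := make([]string, 0, len(t))
	for n := range t {
		if !validName(n) {
			return nil, fmt.Errorf("refusing to sign unsafe file name %q", n)
		}
		names = append(names, n)
	}
	sort.Strings(names) // canonical order: same tree, same bytes, same signature
	var b strings.Builder
	fmt.Fprintf(&b, "DIR %s\n", dir)
	for _, n := range names {
		sum := sha512.Sum512(t[n])
		fmt.Fprintf(&b, "FILE %s SHA512 %s\n", n, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String()), nil
}

// SignManifest is the developer side (the step repoman would run at commit time).
func SignManifest(priv ed25519.PrivateKey, dir string, t Tree) (Manifest, error) {
	body, err := BuildManifest(dir, t)
	if err != nil {
		return Manifest{}, err
	}
	return Manifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// VerifyTree is the user side after a sync: check the developer signature first,
// then require the directory to match the manifest exactly (no wrong directory
// path, no modified, missing, renamed or extra file).
func VerifyTree(pub ed25519.PublicKey, m Manifest, dir string, t Tree) error {
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return fmt.Errorf("manifest signature does not verify")
	}
	lines := strings.Split(strings.TrimSuffix(string(m.Body), "\n"), "\n")
	if lines[0] != "DIR "+dir {
		return fmt.Errorf("manifest does not cover directory %q", dir)
	}
	listed := map[string]bool{}
	for _, l := range lines[1:] {
		f := strings.Fields(l)
		if len(f) != 4 || f[0] != "FILE" || f[2] != "SHA512" || !validName(f[1]) {
			return fmt.Errorf("malformed manifest line %q", l)
		}
		data, ok := t[f[1]]
		if sum := sha512.Sum512(data); !ok || hex.EncodeToString(sum[:]) != f[3] {
			return fmt.Errorf("%s/%s: missing or modified", dir, f[1])
		}
		listed[f[1]] = true
	}
	for n := range t {
		if !listed[n] {
			return fmt.Errorf("%s/%s: present but not in signed manifest", dir, n)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the developer's key
	if err != nil {
		panic(err)
	}
	// Constructed app-misc/foo with placeholder contents, not real ebuilds.
	tree := Tree{"foo-1.0.ebuild": []byte("EAPI=7\n"), "metadata.xml": []byte("<pkgmetadata/>\n")}
	m, _ := SignManifest(priv, "app-misc/foo", tree)
	fmt.Println("clean tree:     ", VerifyTree(pub, m, "app-misc/foo", tree))
	edited := Tree{"foo-1.0.ebuild": []byte("EAPI=7\n# edited in transit\n"), "metadata.xml": tree["metadata.xml"]}
	fmt.Println("modified file:  ", VerifyTree(pub, m, "app-misc/foo", edited))
	moved := Tree{"foo-1.1.ebuild": tree["foo-1.0.ebuild"], "metadata.xml": tree["metadata.xml"]}
	fmt.Println("renamed file:   ", VerifyTree(pub, m, "app-misc/foo", moved))
	fmt.Println("re-parented dir:", VerifyTree(pub, m, "app-misc/bar", tree))
}
```

Two design choices matter for the threat in the thread. The manifest is built from a sorted file list into a fixed text form before signing, so the same directory always yields the same bytes and the signature does not depend on filesystem order; and verification walks both directions (every listed file must be present and unchanged, every present file must be listed), which is what turns a signed hash list into a statement about the whole directory rather than about individual files. The signature is checked before the body is parsed, so a manifest that infrastructure rewrote never reaches the parser with a developer's authority behind it.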
