On Mon, 2 Jul 2018 11:01:58 -0500 R0b0t1 <r03...@gmail.com> wrote:

> On Mon, Jul 2, 2018 at 10:36 AM, Jason A. Donenfeld
> <zx...@gentoo.org> wrote:
> > Hey guys,
> >
> > While our infrastructure team has some nice technical competence,
> > the recent disaster and ongoing embarrassing aftermath has made
> > ever more urgent the need to have end-to-end signatures between
> > developers and users. While the infrastructure team seems fairly
> > impressive at deploying services and keeping the house running
> > smoothly, I'd rather we don't place additional burden on them to do
> > everything they're doing securely. Specifically, I'd like to ensure
> > that 100% of Gentoo's infrastructure can be hacked, yet not
> > backdoor a single witting user of the portage tree. Right now, as
> > it stands, rsync distributes signatures to users that are derived
> > from some infrastructure-controlled keys, not from the developers
> > themselves.
> >
> > Proposal:
> > - Sign every file in the portage tree so that it has a corresponding
> >   .asc. Repoman will need support for this.
>
> Signed hashes should be faster, no? Each directory with files could
> have a manifest.
>
> > - Ensure the naming scheme of portage files is sufficiently strict,
> >   so that renaming or re-parenting signed files doesn't result in
> >   RCE. [*]
> > - Distribute said .asc files with rsync per usual.
>
> Rsync would work with this setup, but there is also webrsync-gpg in
> Portage right now. This covers the vast majority of usecases right
> now. There is often no need to sync more than once per day.
>
> Speaking of, the keys for that have lapsed. Will they be updated?
>
> Cheers,
>      R0b0t1
app-crypt/gentoo-keys was updated yesterday. With renewed interest in gpg signatures, I will endeavor to keep it updated until it is fully automated.

-- 
Brian Dolbec <dolsen>
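The quoted proposal above raises two points that are easy to get wrong in practice: a signed hash only protects the tree if it is bound to the file's path (otherwise a validly signed file can be renamed or re-parented into a different package, the "[*]" concern), and the path rule has to be strict enough that a manifest entry can never escape the tree. The following script, added here as an illustration and not code from Gentoo, repoman or anyone in the thread, builds a per-directory-style manifest over a constructed temporary tree, signs it, and verifies the tree against it. The manifest line format ("DATA <path> <size> SHA512 <hex>") is loosely modelled on portage Manifest entries but simplified; the signature is an HMAC with a constructed key, standing in for a developer's detached OpenPGP signature over the same text, so the signing step is an assumption and not how a real deployment would do it.

```python
"""Signed manifest that binds file content to file path (illustrative, not portage code)."""
import hashlib
import hmac
import os
import re
import shutil
import tempfile

# Constructed stand-in key. A real deployment would use the developer's OpenPGP key
# and a detached gpg signature over the Manifest text instead of an HMAC.
DEMO_KEY = b"constructed-demo-signing-key"

# Strict path rule: every component starts with an alphanumeric and uses only
# portage-style name characters, so "..", hidden files and absolute paths are rejected.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")
MANIFEST_FILES = ("Manifest", "Manifest.sig")


def is_safe_relpath(relpath):
    """True only for a relative, traversal-free path made of safe components."""
    if relpath.startswith("/") or "\\" in relpath:
        return False
    return all(SAFE_COMPONENT.match(part) for part in relpath.split("/"))


def sha512_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_files(root):
    """Yield (relative posix path, absolute path) for every non-manifest file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in MANIFEST_FILES:
                yield rel, full


def build_manifest(root):
    """One line per file, sorted so the signed text is reproducible."""
    lines = []
    for rel, full in _walk_files(root):
        if not is_safe_relpath(rel):
            raise ValueError("refusing to sign unsafe path: %r" % rel)
        lines.append("DATA %s %d SHA512 %s" % (rel, os.path.getsize(full), sha512_file(full)))
    return "".join(line + "\n" for line in sorted(lines))


def sign_manifest(text, key=DEMO_KEY):
    # Stand-in for a detached OpenPGP signature (assumption, see lead-in).
    return hmac.new(key, text.encode(), hashlib.sha512).hexdigest()


def parse_manifest(text):
    """Parse manifest lines, refusing any entry whose path violates the strict rule."""
    entries = {}
    for line in text.splitlines():
        kind, rel, size, algo, digest = line.split()
        if kind != "DATA" or algo != "SHA512" or not is_safe_relpath(rel):
            raise ValueError("malformed manifest line: %r" % line)
        entries[rel] = (int(size), digest)
    return entries


def verify_tree(root, text, sig, key=DEMO_KEY):
    """Return a sorted list of problems; an empty list means the tree is exactly as signed."""
    if not hmac.compare_digest(sign_manifest(text, key), sig):
        return ["BAD_SIGNATURE"]
    entries = parse_manifest(text)
    problems, seen = [], set()
    for rel, full in _walk_files(root):
        seen.add(rel)
        if rel not in entries:
            problems.append("UNLISTED " + rel)  # present on disk but never signed at this path
        elif (os.path.getsize(full), sha512_file(full)) != entries[rel]:
            problems.append("MISMATCH " + rel)
    problems.extend("MISSING " + rel for rel in entries if rel not in seen)
    return sorted(problems)


def demo():
    """Sign a constructed two-package tree, then try a re-parenting and a manifest edit."""
    root = tempfile.mkdtemp()
    try:
        for pkg, desc in (("foo", "harmless"), ("also-harmless", "bar")):
            pass
        os.makedirs(os.path.join(root, "app-misc/foo"))
        os.makedirs(os.path.join(root, "app-misc/bar"))
        with open(os.path.join(root, "app-misc/foo/foo-1.0.ebuild"), "w") as f:
            f.write('EAPI=7\nDESCRIPTION="harmless"\n')
        with open(os.path.join(root, "app-misc/bar/bar-1.0.ebuild"), "w") as f:
            f.write('EAPI=7\nDESCRIPTION="also harmless"\n')
        text = build_manifest(root)
        sig = sign_manifest(text)
        clean = verify_tree(root, text, sig)
        # Re-parent a validly signed file under another package: the content hash
        # is still good, but the path is not, so it must show up as a problem.
        shutil.move(os.path.join(root, "app-misc/foo/foo-1.0.ebuild"),
                    os.path.join(root, "app-misc/bar/foo-1.0.ebuild"))
        moved = verify_tree(root, text, sig)
        # Append an entry to the manifest without the developer's key (what a
        # compromised rsync host could do): the signature no longer verifies.
        forged = text + "DATA app-misc/evil/evil-1.0.ebuild 0 SHA512 " + "0" * 128 + "\n"
        tampered = verify_tree(root, forged, sig)
        return clean, moved, tampered
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The verifier treats three conditions as failures: a signed entry with no file (MISSING), a file with no signed entry (UNLISTED, which is what a renamed or re-parented file turns into), and a manifest whose signature does not match. The per-file ".asc" variant in the proposal only gets the same property if the signed data itself includes the path the file is allowed to live at; a bare detached signature over file contents does not.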