On Mon, Jul 2, 2018 at 12:43 PM Jason A. Donenfeld <zx...@gentoo.org> wrote:
>
> There's a lot of text there, and rather than trying to parse all of
> that, I'll just reiterate a primary important design goal that might
> be overlooked:
>
> - End to end signatures from the developer to the user.
>
> This means that no matter the operation infra does before shipping it
> out to the user, the user still needs to verify that the packages came
> from the developers. In other words, whatever complicated mechanism
> you propose, it needs to not rely on trusting infra to hold onto any
> secrets. For example, I don't know whether this is attainable with the
> git signatures alone, without requiring users to sync the entire
> git repository, which might not be acceptable for some.
>
You might want to read what I wrote then, because I proposed options for using the git signatures over rsync, as well as for git syncing (which IMO is an underrated option, as there is no need to preserve all the past commits in the repository once it is known-good, which I also mention).

Everything I wrote is possible with dev signatures only, and would work fine over a completely compromised infrastructure, or non-Gentoo infrastructure. Granted, if you want to do git sigs over rsync you do need an untrusted program to do the extractions, and if that fails it would be a DoS.

If you think that one of my alternatives fails to meet your goals I'd be interested in hearing about it.

--
Rich