On Saturday 20 May 2006 22:47, Robin H. Johnson wrote:
> The basic form of it, is a vulnerability towards a class of attacks that
> require a large supply of signed/encrypted material.
> For a primer on various modes of using block ciphers, see
> Wikipedia: http://tinyurl.com/bbcmf
>
> It's conceiv
On Sat, May 20, 2006 at 03:21:13PM +0200, Jan Kundrát wrote:
> I don't know much about cryptography, but could you please elaborate on
> why is using one subkey for all the stuff considered a Bad Thing?
The basic form of it, is a vulnerability towards a class of attacks that
require a large supply
Robin H. Johnson wrote:
> Additionally, if the developer uses the singular primary key for a lot of
> stuff, it is more vulnerable to attack.
>
>
> Instead, the developer should create a subkey that is used for signing Gentoo
> work only. They should not sign anything else with this, including th
On Sat, 2006-05-20 at 10:13 +0200, Thierry Carrez wrote:
> Patrick Lauer wrote:
>
> > Signing strategies
> > ==
> >
> > Once there is an agreement on what files to sign with what kind of keys
> > there remains the question how to sign it. There are at least three
> > strategies:
>
On Fri, 2006-05-19 at 22:03 -0400, Ned Ludd wrote:
> If there is anything you or genone need to make signing happen, you
> have the full support of the
> council
That should not be difficult if the proposal is discussed and accepted
by all other groups
> infra
it should be non-invasive and
Patrick Lauer wrote:
> Signing strategies
> ==
>
> Once there is an agreement on what files to sign with what kind of keys
> there remains the question how to sign it. There are at least three
> strategies:
> [...]
I prefer a semi-secure solution appearing soon rather than waitin
Chris Bainbridge wrote:
> ...
> Do we really have many users on dialup that it would
> inconvenience? Surely the massive size of the distfiles you have to
> download makes the impact of rsyncing the portage tree negligible
> compared to actually fetching everything you want to install?
>
It is har
If there is anything you or genone need to make signing happen, you
have the full support of the council/infra/hardened/security.
On Thu, 2006-05-18 at 21:26 -0700, Robin H. Johnson wrote:
> This email is a discussion on why we need to care about more than the simple
> key parameters, and wh
Disclaimer: I'm only targeting technical aspects here, I won't go into
any security analysis.
On Thu, 18 May 2006 23:45:17 +0200
Patrick Lauer <[EMAIL PROTECTED]> wrote:
> 3) Manifest / Manifest2
>
> This is an implementation of a checksum / signature scheme. It is
> described in GLEP 44:
>
>
On Fri, 19 May 2006 17:10:53 +0100
"Chris Bainbridge" <[EMAIL PROTECTED]> wrote:
> Well, that would be incompatible with a single signature. I don't
> really see that point, but then I've been spoiled with broadband for
> years. Do we really have many users on dialup that it would
> inconvenience?
On Fri, May 19, 2006 at 06:50:34PM +0200, Marius Mauch wrote:
> On Fri, 19 May 2006 15:13:15 +0100
> "Chris Bainbridge" <[EMAIL PROTECTED]> wrote:
>
> > find /usr/portage -path '/usr/portage/metadata' -prune -o -path
> > '/usr/portage/distfiles' -prune -o -path '/usr/portage/packages'
> > -prune -
On Fri, 19 May 2006 15:13:15 +0100
"Chris Bainbridge" <[EMAIL PROTECTED]> wrote:
> find /usr/portage -path '/usr/portage/metadata' -prune -o -path
> '/usr/portage/distfiles' -prune -o -path '/usr/portage/packages'
> -prune -o -type f -exec cat {} > /tmp/blah \;
> time gpg --detach-sign -a /tmp/bla
On 19/05/06, John Myers <[EMAIL PROTECTED]> wrote:
On Friday 19 May 2006 08:17, Chris Bainbridge wrote:
>
> We do? What option to emerge enables this behaviour?
RSYNC_EXCLUDES is the name, IIRC...
Well, that would be incompatible with a single signature. I don't
really see that point, but then
On 19/05/06, Patrick Lauer <[EMAIL PROTECTED]> wrote:
On Fri, 2006-05-19 at 15:13 +0100, Chris Bainbridge wrote:
> There are now several hundred gentoo developers. It is more likely
> that one of them has a security lapse than cvs.gentoo.org.
One is a "local" bug, the other one "global".
I'd pref
On Fri, 2006-05-19 at 16:17 +0100, Chris Bainbridge wrote:
> On 19/05/06, Andrew Gaffney <[EMAIL PROTECTED]> wrote:
> > Chris Bainbridge wrote:
> > > It is a single signature across the entire portage tree. It means that
> > > after rsync emerge can check the signature against the retrieved tree
>
On Fri, May 19, 2006 at 04:17:38PM +0100, Chris Bainbridge wrote:
> On 19/05/06, Andrew Gaffney <[EMAIL PROTECTED]> wrote:
> >Chris Bainbridge wrote:
> >> It is a single signature across the entire portage tree. It means that
> >> after rsync emerge can check the signature against the retrieved tre
On Friday 19 May 2006 08:17, Chris Bainbridge wrote:
> On 19/05/06, Andrew Gaffney <[EMAIL PROTECTED]> wrote:
> > Chris Bainbridge wrote:
> > > It is a single signature across the entire portage tree. It means that
> > > after rsync emerge can check the signature against the retrieved tree
> > > to
On Fri, 2006-05-19 at 15:13 +0100, Chris Bainbridge wrote:
> There are now several hundred gentoo developers. It is more likely
> that one of them has a security lapse than cvs.gentoo.org.
One is a "local" bug, the other one "global".
I'd prefer a system that is resilient against two devs going cra
On 19/05/06, Andrew Gaffney <[EMAIL PROTECTED]> wrote:
Chris Bainbridge wrote:
> It is a single signature across the entire portage tree. It means that
> after rsync emerge can check the signature against the retrieved tree
> to validate the whole tree (or overlay).
This idea has been brought up
Chris Bainbridge wrote:
It is a single signature across the entire portage tree. It means that
after rsync emerge can check the signature against the retrieved tree
to validate the whole tree (or overlay).
This idea has been brought up before and shot down. Signing the whole tree does
not work
On 19/05/06, Patrick Lauer <[EMAIL PROTECTED]> wrote:
On Fri, 2006-05-19 at 10:46 +0100, Chris Bainbridge wrote:
> We already trust the master cvs server admins (and they could just
> replace the whole tree anyway), so what benefit does a distributed
> signing system like gpg actually give to the
On Fri, 2006-05-19 at 10:46 +0100, Chris Bainbridge wrote:
> The only attack most people really care about is a compromised rsync
> server. There is no practical way to protect against the other attacks
> - and at the end of the day, if a developer gets compromised it
> doesn't matter whether it's
The only attack most people really care about is a compromised rsync server. There is no practical way to protect against the other attacks - and at the end of the day, if a developer gets compromised it doesn't matter whether it's a gpg key or ssh key, the effect is the same. The discussion about
This email is a discussion on why we need to care about more than the simple
key parameters, and why - this includes things like changing the validity of an
existing key. We also need to consider: location of key (primary key vs.
subkey), expiry policies (expiries are only one element of key validi
On Fri, 19 May 2006 01:53:29 +0200 "Kevin F. Quinn"
<[EMAIL PROTECTED]> wrote:
| obviously header.txt and skel.* aren't important. scripts isn't too
| important either, although a manifest-style file in there wouldn't be
| difficult. licenses and metadata don't have any security impact so
| there
On Thu, 18 May 2006 23:45:17 +0200
Patrick Lauer <[EMAIL PROTECTED]> wrote:
> Note: a possible defense against rogue devs would be multi-signing,
I don't think it's worth trying to defend against rogue devs. We have
to have some level of trust amongst devs; anyone abusing that trust
will be ejec
Hello all,
I flood you again with a long email. Apologies to all that don't
want to read so much, but it is a problem of rather high importance that
has not really been fixed, and the first discussions happened in 2003 as
far as I can tell. Time to FIX IT!!!
The problem, in short, is how to h
27 matches