On 20/05/06, Peter <[EMAIL PROTECTED]> wrote:
PMFJI, but as a user, not a security expert, I had a few thoughts that I'd like to throw in. Thanks to Patrick, he helped me to drill down some of the ideas and I present them for consideration. It's just a framework, so I will be brief
Thanks for your input. From a security point of view your scheme is fine, but as pointed out by others you won't be able to selectively rsync parts of the tree. That will require a signature for each manifest, and a manifest for every directory. The problem I see is that the manifest is going to have to include a hash for each subdirectory - otherwise you open the possibility of someone replacing a directory with one from the past that contains some known insecurity, or corrupting the tree by swapping random directories, and yet the signatures remain valid. Of course, that hash changes if you allow people to rsync_exclude directories, and hence the signature changes. So you can either accept that if you selectively rsync then you won't be able to verify the signed tree, or accept that there is a known security problem with having no signed link between parent and child directories, or come up with a different scheme. Obviously the manifests also have to be checked to make sure they're valid - this is currently done for package directories at emerge time, it would need to be extended to all other directories. I'd prefer the checks done at sync time since that's a one time cost and you don't have to figure out exactly what files will be used by each emerge operation. -- gentoo-dev@gentoo.org mailing list
