On Thu, 03 Apr 2008 14:29:10 +0200 Patrick Lauer <[EMAIL PROTECTED]> wrote:
> > Nope. In fact, using such a system, there are ways of getting in
> > code that doesn't get triggered until someone's key gets
> > invalidated.
> By this reasoning you shouldn't use passwords ...
>
> The idea is to limit the attack vectors and make simple attacks much
> harder. A sophisticated "hacker" could just rent a busload of angry
> Serbians, kidnap 12 developers and force them to do some subtle
> changes in many places. But is that likely to happen?
No no. The point is, there's no effective technological way of preventing
malicious developers from using the tree to screw over end users. Signing
isn't designed to and can't prevent that class of attack (and nor can it
protect against compromised end user systems). What it *can* do is reduce
the amount of damage done by a compromised rsync server.

> > And if you are worrying about malicious developers, you need to
> > worry about malicious infra people too. An infra member throwing
> > his toys out of the pram can do much more lasting damage than
> > someone who can get some global scope nastiness into an ebuild for
> > an hour or two...
>
> That has nothing to do with the discussion ... and I don't see how
> infra could manipulate the signatures in a useful way apart from
> adding keys or removing some from the official keyring ...
> This they could do at the moment by manipulating the cvs to rsync
> copy process, but I'm not aware of something like that happening. So
> you might want to have a marginal trust in people and not accuse them
> of things they might do in the future ...

That's exactly the thing under discussion -- the design of the system
necessitates trust in both the main repository and the end user system,
and signing does absolutely nothing to help there. No-one is suggesting
that anyone from infra is going to do anything to utterly screw over
Gentoo for petty personal reasons.

-- 
Ciaran McCreesh
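The trust boundary argued over in this thread, as an added example that is not part of the mailing-list exchange or of Portage: a toy client that checks a signed Manifest against a trusted keyring. It assumes a Manifest line format modelled on Portage's, and HMAC with a per-developer key stands in for a detached OpenPGP signature (in the real system the keyring would hold public keys). It shows that mirror-side tampering is caught, but a bad ebuild signed by a developer whose key the client trusts is not.

```python
# Added example: what a signed Manifest does and does not protect against.
# HMAC with a per-developer key is a stand-in for a detached OpenPGP signature.
import hashlib
import hmac

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_manifest(files: dict) -> bytes:
    # One "EBUILD name size SHA256 digest" line per file (Portage-like layout).
    lines = [f"EBUILD {n} {len(d)} SHA256 {sha256(d)}" for n, d in sorted(files.items())]
    return "\n".join(lines).encode()

def sign(manifest: bytes, dev_key: bytes) -> str:
    return hmac.new(dev_key, manifest, hashlib.sha256).hexdigest()

def verify_tree(files, manifest, signer, signature, keyring):
    """Decide as a verifying client would: (accepted, reason)."""
    key = keyring.get(signer)
    if key is None:
        return False, "signer not in trusted keyring"
    if not hmac.compare_digest(sign(manifest, key), signature):
        return False, "bad signature on Manifest"
    for line in manifest.decode().splitlines():
        _, name, size, _, digest = line.split()
        data = files.get(name)
        if data is None or len(data) != int(size) or sha256(data) != digest:
            return False, f"{name} does not match Manifest"
    return True, "ok"

# Constructed sample data: one trusted developer key, one harmless ebuild.
KEYRING = {"dev@example": b"constructed-dev-key"}
GOOD = {"foo-1.0.ebuild": b"DESCRIPTION='harmless'\n"}
EVIL = {"foo-1.0.ebuild": b"DESCRIPTION='harmless'\n# injected line\n"}
MANIFEST = make_manifest(GOOD)
SIG = sign(MANIFEST, KEYRING["dev@example"])

def mirror_tampers():
    # Compromised rsync server edits the ebuild but cannot re-sign the Manifest.
    return verify_tree(EVIL, MANIFEST, "dev@example", SIG, KEYRING)

def mirror_resigns_with_own_key():
    # Mirror rebuilds and signs the Manifest with a key the client never trusted.
    m = make_manifest(EVIL)
    return verify_tree(EVIL, m, "mirror@evil", sign(m, b"mirror-key"), KEYRING)

def malicious_developer():
    # A developer holding a trusted key signs the bad ebuild: signing cannot catch this.
    m = make_manifest(EVIL)
    return verify_tree(EVIL, m, "dev@example", sign(m, KEYRING["dev@example"]), KEYRING)
```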