Hi,

On Fri, 14 Aug 2015 10:54:57 -0400 Rich Freeman wrote:
> On Fri, Aug 14, 2015 at 8:45 AM, Kristian Fiskerstrand <k...@gentoo.org>
> wrote:
> > They will be OpenPGP signed by a releng key during thickening and
> > portage will auto-verify it using gkeys once things are in place. As
> > such, checksums for ebuilds and other files certainly need to be part
> > of the manifest, otherwise it can open up for malicious alterations of
> > these files.
> >
>
> As much as I'd love to see it all folded into git, the reality is also
> that git signatures are only bound to files by a series of sha1
> hashes, and sha1 is not a strong hash function. Git really ought to
> move to sha256 at some point, preferably in a manner that makes it
> expandable in the future to other hash functions. But, this isn't a
> high priority for upstream.
>
> The same limitation is true of any git gpg signature, including tag
> signatures. It is all held together by sha1. The manifest system is
> much stronger.

OK, if manifests are that important, why not generate a full manifest during the repoman commit? If we do not tamper with $Id$, the only file outside of this manifest will be the ChangeLog generated during rsync propagation. Then we have the following options:

- do not sign ChangeLog: even if it is tampered with, little harm can be done, since it doesn't affect the live system or the build process;
- sign ChangeLog with the releng key;
- sign the developer-signed manifest + ChangeLog with the releng key. Thus we'll have a double signature for the most important files.
Best regards, Andrew Savchenko
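The point being argued in this thread is what a Manifest actually binds: a file listed in it (with size and strong hashes) cannot be altered without the verification failing, while a file outside it, such as the rsync-generated ChangeLog, is simply unverified. The following is an added illustration, not code from the mail or from portage/repoman: a minimal, stdlib-only Python model of Manifest2-style entries (TAG name size BLAKE2B hex SHA512 hex) with a verifier, a "full manifest at commit" layer, and the third option from the mail modelled as an outer layer whose entries cover both the developer Manifest bytes and the ChangeLog. The file contents, the `Manifest.dev` name and the use of a `MANIFEST` entry to bind the inner layer are constructed assumptions; the OpenPGP signatures over each layer are left out, since what a signature protects is exactly the text these hashes cover.

```python
import hashlib

# Constructed sample package files (not real tree content): path -> bytes.
DEV_FILES = {
    "foo-1.0.ebuild": b'EAPI=5\nDESCRIPTION="constructed example"\nSLOT="0"\n',
    "metadata.xml": b"<pkgmetadata/>\n",
}
# Constructed stand-in for the ChangeLog that rsync propagation would generate.
CHANGELOG = b"*foo-1.0 (14 Aug 2015)\n  Initial import (constructed entry).\n"


def manifest_entry(tag, name, data):
    """One Manifest2-style line: TAG name size BLAKE2B <hex> SHA512 <hex>."""
    return "%s %s %d BLAKE2B %s SHA512 %s" % (
        tag, name, len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest(),
    )


def tag_for(name):
    """Pick the Manifest2 tag for a file the developer commits."""
    return "EBUILD" if name.endswith(".ebuild") else "MISC"


def build_manifest(files):
    """The 'full manifest during repoman commit' layer: every committed file listed."""
    lines = [manifest_entry(tag_for(n), n, files[n]) for n in sorted(files)]
    return "\n".join(lines) + "\n"


def verify_manifest(manifest, files):
    """Check files against a manifest. Returns a sorted list of problem strings
    ('mismatch:', 'missing:', 'unlisted:', 'malformed:'); [] means all verified."""
    problems = []
    listed = set()
    for line in manifest.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) < 3 or len(parts[3:]) % 2:
            problems.append("malformed: " + line)
            continue
        name, size = parts[1], int(parts[2])
        listed.add(name)
        data = files.get(name)
        if data is None:
            problems.append("missing: " + name)
            continue
        ok = len(data) == size
        for algo, digest in zip(parts[3::2], parts[4::2]):
            h = hashlib.new(algo.lower())
            h.update(data)
            ok = ok and h.hexdigest() == digest
        if not ok:
            problems.append("mismatch: " + name)
    # A file present but not listed is the ChangeLog case from the mail:
    # nothing in the manifest binds it, so a change to it is never detected.
    for name in files:
        if name not in listed:
            problems.append("unlisted: " + name)
    return sorted(problems)


def thick_manifest(dev_manifest, changelog):
    """Third option from the mail: the releng layer covers the developer-signed
    Manifest plus the ChangeLog. Modelled here (assumption, not portage's format
    for this case) with a MANIFEST entry over the developer Manifest bytes, so the
    outer hashes bind the inner layer and the ChangeLog together."""
    return (manifest_entry("MANIFEST", "Manifest.dev", dev_manifest.encode())
            + "\n" + manifest_entry("MISC", "ChangeLog", changelog) + "\n")


def verify_thick(thick, dev_manifest, files, changelog):
    """Verify both layers: the releng layer first, then the developer layer it binds."""
    outer = verify_manifest(thick, {"Manifest.dev": dev_manifest.encode(),
                                    "ChangeLog": changelog})
    return outer + verify_manifest(dev_manifest, files)


if __name__ == "__main__":
    dev = build_manifest(DEV_FILES)
    # Option 1: ChangeLog outside the developer manifest is flagged as unverified.
    print(verify_manifest(dev, dict(DEV_FILES, ChangeLog=CHANGELOG)))  # ['unlisted: ChangeLog']
    # Option 3: both layers verify, and a changed ChangeLog now fails the outer layer.
    thick = thick_manifest(dev, CHANGELOG)
    print(verify_thick(thick, dev, DEV_FILES, CHANGELOG))             # []
    print(verify_thick(thick, dev, DEV_FILES, CHANGELOG + b"x"))      # ['mismatch: ChangeLog']
```

Running it shows the asymmetry the mail describes: with only the commit-time manifest, the ChangeLog is reported as unlisted rather than verified, whereas under the double-layer scheme an altered ChangeLog, an altered ebuild, or an altered inner Manifest each produce a mismatch at the layer that covers it.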