On 2015-08-15, at 11:51:01, Andrew Savchenko <birc...@gentoo.org> wrote:
> On Sat, 15 Aug 2015 09:53:37 +0200 Michał Górny wrote:
> > On 2015-08-15, at 10:50:02, Andrew Savchenko <birc...@gentoo.org> wrote:
> > > Hi,
> > >
> > > On Fri, 14 Aug 2015 10:54:57 -0400 Rich Freeman wrote:
> > > > On Fri, Aug 14, 2015 at 8:45 AM, Kristian Fiskerstrand <k...@gentoo.org> wrote:
> > > > > They will be OpenPGP signed by a releng key during thickening and
> > > > > portage will auto-verify it using gkeys once things are in place. As
> > > > > such, checksums for ebuilds and other files certainly need to be part
> > > > > of the manifest, otherwise it can open up for malicious alterations of
> > > > > these files.
> > > >
> > > > As much as I'd love to see it all folded into git, the reality is also
> > > > that git signatures are only bound to files by a series of sha1
> > > > hashes, and sha1 is not a strong hash function. Git really ought to
> > > > move to sha256 at some point, preferably in a manner that makes it
> > > > expandable in the future to other hash functions. But this isn't a
> > > > high priority for upstream.
> > > >
> > > > The same limitation is true of any git gpg signature, including tag
> > > > signatures. It is all held together by sha1. The manifest system is
> > > > much stronger.
> > >
> > > OK, if manifests are that important, why not generate a full manifest
> > > during repoman commit? If we do not tamper with $Id$, the only file
> > > outside of this manifest will be the ChangeLog generated during rsync
> > > propagation. Then we have the following options:
> > > - do not sign ChangeLog: even if it is tampered with, little harm
> > > can be done, since it doesn't affect the live system or build process;
> > > - sign ChangeLog with the releng key;
> > > - sign developer-signed manifest + ChangeLog with the releng key. Thus
> > > we'll have a double signature for the most important files.
> >
> > How about we switch back to CVS if we're going to kill git anyway? It'd
> > at least save our time wasted by these pointless discussions.
>
> I don't understand your point. Please explain.
>
> I see nobody here talking about killing git. I see people concerned
> that git is not cryptographically secure enough, thus looking for
> gpg-signed manifests or other solutions.

I see you talking about introducing a whole new bucket of merge conflicts.

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>
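Rich Freeman's point above is that a git tag or commit signature reaches file contents only through a chain of SHA-1 object ids, whereas a Manifest hashes each file directly with stronger algorithms. The following Python, added here as an illustration and not taken from the thread, Portage or repoman, builds both bindings for a constructed two-file tree: the git blob/tree/commit chain and the bytes a signed tag actually covers, next to Manifest2-style SHA256/SHA512 entries and their verification. The file contents, the identity string and the two-hash set are assumptions; the Manifest line layout approximates the 2015 Manifest2 format and is not a specification of it.

```python
"""Where a git signature and a Manifest bind file contents (added example)."""
import hashlib
import hmac
import re

# --- git side: every link from the signature down to file bytes is a SHA-1 id ---

def git_blob_id(data: bytes) -> str:
    """Object id git assigns to file contents: SHA-1 over 'blob <size>\\0' + data."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def git_tree_id(files: dict) -> str:
    """Tree id for a flat directory of regular files (mode 100644).

    Each entry is '<mode> <name>\\0' plus the 20 raw bytes of the blob id, so the
    tree binds to contents only through those SHA-1 ids.
    """
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(git_blob_id(data))
        for name, data in sorted(files.items())
    )
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()

# Fixed identity and timestamp so the output is deterministic (constructed values).
IDENT = b"Example Dev <dev@example.org> 1439632261 +0200"

def git_commit_id(tree_id: str, message: str) -> str:
    """Root commit id: SHA-1 over a commit object that names its tree by SHA-1 only."""
    body = (b"tree " + tree_id.encode() + b"\n"
            b"author " + IDENT + b"\n"
            b"committer " + IDENT + b"\n\n" + message.encode() + b"\n")
    return hashlib.sha1(b"commit %d\0" % len(body) + body).hexdigest()

def signed_tag_payload(commit_id: str, tag: str) -> bytes:
    """The bytes `git tag -s` hands to gpg: the tag object without its signature block."""
    return (f"object {commit_id}\ntype commit\ntag {tag}\n"
            f"tagger {IDENT.decode()}\n\nrelease {tag}\n").encode()

def content_references(payload: bytes) -> list:
    """Everything in the signed bytes that points at file contents: bare 40-hex SHA-1 ids."""
    return [m.decode() for m in re.findall(rb"\b[0-9a-f]{40}\b", payload)]

# --- Manifest side: each file is hashed directly with every algorithm listed ---

MANIFEST_HASHES = ("SHA256", "SHA512")  # assumed hash set for this example

def manifest_line(kind: str, name: str, data: bytes) -> str:
    """Manifest2-style entry: '<TYPE> <name> <size> <HASH> <hex> [<HASH> <hex> ...]'."""
    fields = [kind, name, str(len(data))]
    for algo in MANIFEST_HASHES:
        fields += [algo, hashlib.new(algo.lower(), data).hexdigest()]
    return " ".join(fields)

def manifest_verify(line: str, data: bytes) -> bool:
    """Check data against one Manifest entry: size and every listed digest must match."""
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 != 1:   # TYPE name size + at least one pair
        return False
    if int(fields[2]) != len(data):
        return False
    ok = True
    for algo, expected in zip(fields[3::2], fields[4::2]):
        try:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        except ValueError:                          # algorithm we cannot compute
            return False
        ok &= hmac.compare_digest(actual, expected)  # keep going, no early exit
    return ok

if __name__ == "__main__":
    # Constructed sample tree: one ebuild plus the ChangeLog the thread argues about.
    files = {"foo-1.0.ebuild": b'EAPI=5\nSLOT="0"\n',
             "ChangeLog": b"*foo-1.0 (14 Aug 2015)\n"}
    commit = git_commit_id(git_tree_id(files), "foo: bump to 1.0")
    print("signed tag payload binds contents only via:",
          content_references(signed_tag_payload(commit, "v1")))
    manifest = [manifest_line("EBUILD" if n.endswith(".ebuild") else "MISC", n, d)
                for n, d in files.items()]
    tampered = files["foo-1.0.ebuild"] + b'SRC_URI="http://evil.example/x"\n'
    print("tampered ebuild passes Manifest:", manifest_verify(manifest[0], tampered))
```

The two git constants the example reproduces can be cross-checked locally: `printf '' | git hash-object --stdin` prints e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 and `git hash-object -t tree --stdin < /dev/null` prints 4b825dc642cb6eb9a060e54bf8d69288fbee4904. The example cannot show a SHA-1 collision; what it shows is where an attacker would have to find one (any blob, tree or commit link under the signed tag) versus the Manifest case, where every listed digest of the file itself must be matched at once.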