On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>
> And by default you cannot compare the result with any authoritative source.

2015-03-08 0:26 GMT+01:00 Zac Medico <zmed...@gentoo.org>:
>
> Ideally, we can rely on security mechanisms built into git [1], possibly
> involving signed commits.

Some brownfield thinking here, without GIT and not replacing GIT:

1. Find and compile all directories two levels deep in a file
"category.idx" and sign it.
2. Sign every Manifest.
3. Distribute that as usual.

Will need N+1 checks (N × Manifest + 1 × category present/missing) and
doesn't break anything already deployed.

Contributors (individuals, teams) need to provide a public key before
submitting, and the "mirror source" (authority) just checks against
the author's signature and signs (1) and (2) with its own key
("official portage tree root key X"). That way, in the end, it's
enough to announce only one signing key for every tree.

(It's easier with binhosts, because all you need to sign is "Packages{,gz}".)

There are many interoperable implementations of OpenBSD's "signify"
[2] (sha256 + ed25519). Implementations are simple and small enough
[3] to be included into Portage to not require GPG.

-- 
Mark

[2] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/signify.1?query=signify&arch=i386
[3] http://ed25519.cr.yp.to/python/ed25519.py — needs reading the key
and hashing the file to be checked
