On 170302-03:42-0500, taii...@gmx.com wrote:
> On 02/28/2017 12:05 PM, Miroslav Rovis wrote:
> 
> > On 170227-21:59-0500, Rich Freeman wrote:
> >> On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
> >> <miro.ro...@croatiafidelis.hr> wrote:
...
> > And finally Andrew Shavchenko pointed me to gkeys !
> >
> > Here's the answer to my query (ah, just the beginning of, my
> > implementation of it will take time):
> >
> > emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen
> >
> > # equery f gkeys-gen
> > ...
> > /usr/share/doc/gkeys-gen-0.2/README.md.bz2
> > ...
> >
> > (
> > NOTE: The:
> > /usr/share/doc/gkeys-0.2/README.md.bz2
> > of the gkeys package is identical.
> > )
> >
> > # bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2
> >
> > Gentoo Keys
> > -----------
> >
> > ### About
> >
> >   Gentoo Keys is a Python based project that aims to manage the GPG keys 
> > used
> >   for validation on users and Gentoo's infrastracutre servers. Gentoo Keys 
> > will be able
> >   to verify GPG keys used for Gentoo's release media, such as installation 
> > CD's,
> >   Live DVD's, packages and other GPG signed documents. It will also be used 
> > by
> >   Gentoo infrastructure to achieve GPG signed git commits in the 
> > forthcoming git
> >   migration of the main CVS tree.
> >
> > ### License
> >
> > Gentoo Keys is under GPL-2 License
> > #
> >
> > But do I read this correctly?:
> >
> >   ...Gentoo Keys will be able
> >   to verify GPG keys used for Gentoo's release media, such as installation 
> > CD's,
> >   Live DVD's, packages and other GPG signed documents.
> >
> > Again, about this (syntactical) object (in the sentence), with other
> > objects removed:
> >
> >   ...Gentoo Keys will be able
> >   to verify GPG keys used for ...
> >   ... packages...
> >
> > Does that mean what I read? That with gkeys any user will be able to get
> > packages via git, and somehow automatically gpg -verify the signature of
> > each package that (s)he got when (s)he, say:
> >
> > emerge -tuDN world
> >
> > ?
> >
> > Does that mean that?
> >
...
> It is possible to have a reasonably secure system where the hard drive 
> firmware (or any other devices) can't fuck around with the stuff on 
> disk, although I highly doubt that the gentoo infrastructure (and 
> kernel.org, and all the source repos for all the other software) does this
Rogue elements everywhere (even the most known Person in the world,
throughout the history (which counts from His birth), had His traitors),
but you are correct, it is still little likely.

I'll keep your thought below for reference, when I, some day, find more
time to learn about these things:
> One way is to use a blob-free coreboot IOMMU supporting board and 
> bootstrap the crypto/kernel off of the board firmware EEPROM chip to 
> load the initial kernel thus no plaintext touches the disk and thus 
> nothing can mess with it.
> 
> The IOMMU (theoretically) protects the CPU and memory from rogue 
> devices, such as the hard drive.
> 
> In terms of ethics IBM *for now* is a way better company than Intel/AMD, 
> their POWER servers are owner controlled as there isn't any boot 
> guard/secure boot/management engine/platform "security" processor (amd's 
> ME) to stop you from re-writing the firmware as you please. They also 
> have a getting-there-almost-reasonable open source effort (OpenPOWER)
> 
> You can buy a TYAN OpenPOWER8 "Palmetto" (100% FOSS out of the box, 
> although not that powerful) or an IBM POWER8 S822 "Firestone" (very 
> powerful) which needs only a small amount of final work to be open sourced.
> 
> IBM's POWER8 has a supervisor processor, although it is owner controlled 
> (the key difference) unlike ME/PSP.
> 
> It is a shame that TALOS (POWER workstation board) never went anywhere, 
> it seems the linux community won't care about real freedom - right up 
> until microsoft finally locks us out for good and it is too late to do 
> anything about it.
> 
> https://www.coreboot.org/Board_freedom_levels

Yes, I looked up that page, and searched a little about Power8
processors... I wish I was aware how important Board freedom is back four
and a half years ago. Not so ugly what I have, but neither is open hardware
(
Asrock
Extreme4, a few of them (so I can clone the systems):
Use old amd64 gentoo image on new amd64 hardware, possible?
https://forums.gentoo.org/viewtopic-t-940916.html#7172822

I can't believe they're still selling them! If I'm not mistaken:
http://www.asrock.com/mb/AMD/970%20Extreme4/
I have to say, they are really not bad, but are not openhardware either.
)

I can't follow all the info that you gave, it's too advanced for me (at
least at this time).

And I couldn't reply sooner... I had to finish, finally successfully,
some steep learning of mine about how to use virtualization.

Voilà:

Devuan's precursor's, as Tails, image in Qemu (10)
https://www.croatiafidelis.hr/foss/cap/cap-161015-qemu-devuan/qemu-devuan-10.php

Finally using Tails from my grsecurity-hardened Gentoo, in a
VirtualMachine! Finally I can do it! Took me months!

(
[[ might be of interest to grsecurity-hardeners ]]
Ah, what you can't find there (simply because I forgot to give the link
to it), is this:

Libvirt virtualization policies
https://forums.grsecurity.net/viewtopic.php?f=5&t=4675
)

The most important/urgent among really great messages that I got in this
thread, is Shavchenko's message about the gkeys !

And I'm still wondering:

Does anybody have a way to, as I wrote, be pulling packages via git, when
doing building/installing with emerge, and be verifying each package as
(s)he is pulling them automatically, with gkeys ?

That _must_ be waiting for us in the future of Gentoo ;-)

gkeys <------ !!! That looks like the solution that I have dreamed about!

Regards!

-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
