Old 12-03-2009, 09:32 AM
Torsten Veller
 
Individual developer signing

* "Robin H. Johnson" <robbat2@gentoo.org>:
> The GLEP on Individual developer signing has not made it into a Draft
> yet.
>
> But you can view the very brief version here:
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup

[...]

> > 2. Every developer signs everything 100% of the time (make it a QA
> > check).
> +1 on this.

In the GLEPs I missed the point where the signatures of Manifests are verified.
Only the MetaManifest gets verified.

So what's the advantage of individually signed Manifests?

The only thing we can check: Is the key used for signing listed in ldap
(and thus in "the keyring of automated Gentoo keys")? Are the keys in ldap
really mine?

Am I missing anything?


BTW: About a third of the Manifests are signed [1]. We didn't improve
since 2005/2006 [2]. The two parties are working hard against each other [3].
55 Manifests are signed by revoked keys [4].

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
[2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
[3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
[4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt
 
Old 12-03-2009, 11:51 AM
Thilo Bangert
 
Individual developer signing

> BTW: About a third of the Manifests are signed [1].

If we really want to get there, maybe repoman should give a _small_
warning, starting now.

I don't sign my commits and have seen how my commits removed the signatures of
others. I am not proud of it, but given that these are apparently never
checked in any way, no harm is done... or what?

Thilo
 
Old 12-03-2009, 07:35 PM
"Robin H. Johnson"
 
Individual developer signing

On Thu, Dec 03, 2009 at 11:32:42AM +0100, Torsten Veller wrote:
> * "Robin H. Johnson" <robbat2@gentoo.org>:
> > The GLEP on Individual developer signing has not made it into a Draft
> > yet.
> >
> > But you can view the very brief version here:
> > http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup
>
> [...]
>
> > > 2. Every developer signs everything 100% of the time (make it a QA
> > > check).
> > +1 on this.
>
> In the GLEPs I missed the point where the signatures of Manifests are verified.
> Only the MetaManifest gets verified.
GLEP58:
under "Procedure for verifying an item in the MetaManifest"
4.2: "M2-verifying the contents of the Manifest."

Where "M2-verify" is the verb describing the verification of a Manifest.
It _may_ include signature validation.

> So what's the advantage of individually signed Manifests?
Basically making sure that your SSH keys weren't stolen.
They explicitly protect the commit from the developer to infrastructure.

MetaManifest protects the integrity of the contents from infrastructure
out to the user. It does NOT validate the functionality of the tree or
any prior injection.

> The only thing we can check: Is the key used for signing listed in ldap
> (and thus in "the keyring of automated Gentoo keys")? Are the keys in ldap
> really mine?
> Am I missing anything?
Later on I'd like to REJECT unsigned commits.

> BTW: About a third of the Manifests are signed [1]. We didn't improve
> since 2005/2006 [2]. The two parties are working hard against each other [3].
> 55 Manifests are signed by revoked keys [4].
> [1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
> [2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
> [3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
> [4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt
Nice graphs. Can you show them over a larger timespan?

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
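Added example, not code from the GLEP, portage or repoman: it separates the two things Robin's reply distinguishes above. "M2-verify" is done for a package directory against its Manifest2 (sizes and digests of every listed file, plus a check that nothing unlisted was dropped into the directory), while the developer signature is only *detected* (is there a clearsign block at all, as in Torsten's stats), never cryptographically checked. The check of the signature against the keyring of Gentoo keys is the step the thread says is missing, and it needs gpg, so it is deliberately not faked here. The package contents, the use of SHA256/SHA512 (the 2009 tree used other algorithms), and the placeholder signature wrapper are constructed assumptions for this example.

```python
# Added example (not from the GLEP, portage or repoman): parse a Manifest2
# file, report whether it carries a PGP clearsign block, and M2-verify a tree
# against it. The signature itself is NOT cryptographically checked here; that
# step needs gpg plus the Gentoo keyring. Hash algorithms, file names and
# contents below are assumptions for the example.
import hashlib
from dataclasses import dataclass

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
HASH_FUNCS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed package directory, path -> bytes (not a real gentoo-x86 package).
TREE = {
    "foo-1.0.ebuild": b'EAPI=2\nDESCRIPTION="example"\n',
    "metadata.xml": b"<pkgmetadata/>\n",
    "files/foo.patch": b"--- a\n+++ b\n",
}


@dataclass
class Entry:
    ftype: str    # EBUILD, AUX or MISC (DIST entries are out of scope here)
    name: str     # AUX names are relative to files/
    size: int
    hashes: dict  # algorithm -> hex digest

    @property
    def path(self):
        return "files/" + self.name if self.ftype == "AUX" else self.name


def build_manifest(tree):
    """Emit Manifest2 lines 'TYPE name size ALGO hex ...' for every file in tree."""
    out = []
    for path in sorted(tree):
        data = tree[path]
        if path.startswith("files/"):
            ftype, name = "AUX", path[len("files/"):]
        else:
            ftype, name = ("EBUILD" if path.endswith(".ebuild") else "MISC"), path
        digests = " ".join(f"{a} {f(data).hexdigest()}" for a, f in HASH_FUNCS.items())
        out.append(f"{ftype} {name} {len(data)} {digests}")
    return "\n".join(out) + "\n"


def fake_clearsign(body):
    """Wrap body in clearsign armor around a PLACEHOLDER signature (constructed so
    the signed-Manifest code path can be exercised; it would never verify)."""
    escaped = [("- " + ln) if ln.startswith("-") else ln for ln in body.splitlines()]
    return "\n".join([BEGIN_SIGNED, "Hash: SHA256", ""] + escaped +
                     [BEGIN_SIG, "", "PLACEHOLDER", END_SIG]) + "\n"


def unwrap_clearsign(text):
    """Return (manifest_body, signed); strips armor and RFC 4880 dash-escaping."""
    lines = text.splitlines()
    if BEGIN_SIGNED not in lines:
        return text, False
    i = lines.index(BEGIN_SIGNED) + 1
    while lines[i].strip():   # skip "Hash:" headers up to the blank separator
        i += 1
    body = []
    for ln in lines[i + 1:]:
        if ln == BEGIN_SIG:
            break
        body.append(ln[2:] if ln.startswith("- ") else ln)
    return "\n".join(body) + "\n", True


def parse_manifest(body):
    """Parse Manifest2 lines into Entry objects."""
    entries = []
    for parts in (ln.split() for ln in body.splitlines()):
        if parts:
            entries.append(Entry(parts[0], parts[1], int(parts[2]),
                                 dict(zip(parts[3::2], parts[4::2]))))
    return entries


def m2_verify(entries, tree):
    """M2-verify tree against entries. Listed files must exist with the right size
    and digests, unknown algorithms are reported rather than skipped, and unlisted
    files count as injected. An empty result means the contents verify."""
    problems = []
    for e in entries:
        data = tree.get(e.path)
        if data is None:
            problems.append((e.path, "missing"))
        elif len(data) != e.size:
            problems.append((e.path, "size mismatch"))
        else:
            for algo, digest in e.hashes.items():
                fn = HASH_FUNCS.get(algo)
                if fn is None:
                    problems.append((e.path, f"unsupported hash {algo}"))
                elif fn(data).hexdigest() != digest:
                    problems.append((e.path, f"{algo} mismatch"))
    listed = {e.path for e in entries}
    return problems + [(p, "not in Manifest") for p in sorted(tree) if p not in listed]


def check_tree(manifest_text, tree):
    """Report whether a signature block is present (not whether it is valid)
    together with the M2-verify result for the tree."""
    body, signed = unwrap_clearsign(manifest_text)
    return {"signed": signed, "problems": m2_verify(parse_manifest(body), tree)}
```

Running `check_tree(build_manifest(TREE), TREE)` gives `{"signed": False, "problems": []}`; wrapping the same Manifest with `fake_clearsign` flips `signed` to True with nothing else changing, which is exactly the gap the thread is about: a clearsign block that is counted but not checked protects nothing until the verifier also runs the signature against the developer keyring and rejects revoked or unknown keys.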
 
Old 12-11-2009, 03:32 PM
Torsten Veller
 
Individual developer signing

* "Robin H. Johnson" <robbat2@gentoo.org>:
> > BTW: About a third of the Manifests are signed [1]. We didn't improve
> > [1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
> > [2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
> > [3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
> Nice graphs. Can you show them over a larger timespan?

Yes, I recreated them from cvs and the keys available now.
[1] and [3] show the progress for the last year and [4] the history since May
2004.

- In Jan 2008 the transition to Manifest2 was finished and all
signatures were dropped.
- I guess [2] didn't "require-cross-certification" while gnupg now
defaults to "require-cross-certification".
So the number of valid signatures in [4] is lower than in [2].

After the "Manifest2"-break the level is lower.


[4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest-all.png