proj/portage:master commit in: bin/
On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
> commit:     677240f7b3db66bdcd403c214e5d3fa30e31a24a
> Author:     Zac Medico <zmedico <AT> gentoo <DOT> org>
> AuthorDate: Tue Sep 13 03:20:00 2011 +0000
> Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
> CommitDate: Tue Sep 13 03:20:00 2011 +0000
> URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
>
> repoman: don't sign thin manifests
>
> Thin manifests imply reliance on the VCS for file integrity,
> which implies that manifest signatures are not needed.

This is only true after the VCS has signed commits.

If the VCS does not have signed commits, then we should have this
signature.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

On 09/12/2011 09:38 PM, Robin H. Johnson wrote:
> On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
>> commit:     677240f7b3db66bdcd403c214e5d3fa30e31a24a
>> Author:     Zac Medico <zmedico <AT> gentoo <DOT> org>
>> AuthorDate: Tue Sep 13 03:20:00 2011 +0000
>> Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
>> CommitDate: Tue Sep 13 03:20:00 2011 +0000
>> URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
>>
>> repoman: don't sign thin manifests
>>
>> Thin manifests imply reliance on the VCS for file integrity,
>> which implies that manifest signatures are not needed.
>
> This is only true after the VCS has signed commits.
>
> If the VCS does not have signed commits, then we should have this
> signature.

So, should we add the ability to set "signed-manifests = false" in
metadata/layout.conf? I can imagine that people using thin-manifests
typically don't want signed-manifests, since it tends to introduce
merge conflicts like those that thin-manifests is supposed to avoid.

-- 
Thanks,
Zac

On 09/12/2011 10:30 PM, Zac Medico wrote:
> On 09/12/2011 09:38 PM, Robin H. Johnson wrote:
>> On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
>>> commit:     677240f7b3db66bdcd403c214e5d3fa30e31a24a
>>> Author:     Zac Medico <zmedico <AT> gentoo <DOT> org>
>>> AuthorDate: Tue Sep 13 03:20:00 2011 +0000
>>> Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
>>> CommitDate: Tue Sep 13 03:20:00 2011 +0000
>>> URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
>>>
>>> repoman: don't sign thin manifests
>>>
>>> Thin manifests imply reliance on the VCS for file integrity,
>>> which implies that manifest signatures are not needed.
>>
>> This is only true after the VCS has signed commits.
>>
>> If the VCS does not have signed commits, then we should have this
>> signature.
>
> So, should we add the ability to set "signed-manifests = false" in
> metadata/layout.conf? I can imagine that people using thin-manifests
> typically don't want signed-manifests, since it tends to introduce
> merge conflicts like those that thin-manifests is supposed to avoid.

I've implemented "signed-manifests = false" here:

http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=9cb089047e10b300100e7bbdc4274ecf8866b0bb

-- 
Thanks,
Zac

On Mon, Sep 12, 2011 at 10:50:30PM -0700, Zac Medico wrote:
> On 09/12/2011 10:30 PM, Zac Medico wrote:
> > On 09/12/2011 09:38 PM, Robin H. Johnson wrote:
> >> On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
> >>> commit:     677240f7b3db66bdcd403c214e5d3fa30e31a24a
> >>> Author:     Zac Medico <zmedico <AT> gentoo <DOT> org>
> >>> AuthorDate: Tue Sep 13 03:20:00 2011 +0000
> >>> Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
> >>> CommitDate: Tue Sep 13 03:20:00 2011 +0000
> >>> URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
> >>>
> >>> repoman: don't sign thin manifests
> >>>
> >>> Thin manifests imply reliance on the VCS for file integrity,
> >>> which implies that manifest signatures are not needed.
> >>
> >> This is only true after the VCS has signed commits.
> >>
> >> If the VCS does not have signed commits, then we should have this
> >> signature.
> >
> > So, should we add the ability to set "signed-manifests = false" in
> > metadata/layout.conf? I can imagine that people using thin-manifests
> > typically don't want signed-manifests, since it tends to introduce
> > merge conflicts like those that thin-manifests is supposed to avoid.
>
> I've implemented "signed-manifests = false" here:
>
> http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=9cb089047e10b300100e7bbdc4274ecf8866b0bb

Thanks, that's very useful for working on it, and probably the best
solution.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

On Tue, Sep 13, 2011 at 04:38:35AM +0000, Robin H. Johnson wrote:
> On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
> > commit:     677240f7b3db66bdcd403c214e5d3fa30e31a24a
> > Author:     Zac Medico <zmedico <AT> gentoo <DOT> org>
> > AuthorDate: Tue Sep 13 03:20:00 2011 +0000
> > Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
> > CommitDate: Tue Sep 13 03:20:00 2011 +0000
> > URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
> >
> > repoman: don't sign thin manifests
> >
> > Thin manifests imply reliance on the VCS for file integrity,
> > which implies that manifest signatures are not needed.
>
> This is only true after the VCS has signed commits.
>
> If the VCS does not have signed commits, then we should have this
> signature.

This really doesn't provide for much; without a chain of trust to the
content of layout.conf, you can't toggle behaviour (making lack of
signing a failure) for example. So the manager has to either trust the
VCS validity, or require accept mixed signed/unsigned (which opens a new
branch of attacks).

Worse, what this tries to protect against is the VCS being screwed
with- by definition, thin defers that to the VCS, instead providing the
data of what the VCS cannot, the distfiles checksums. If an attack on
the VCS can be done (whether SHA1 breakage, or just in the middle branch
injection), an attacker can just as easily inject in a patch to files/
along w/ a modification to the ebuild to include that trojan.

It's a bit harsher than I'd like, but signed thin manifests are security
theater as best I can tell. While I grok your concerns, it would be
*very* useful to know exactly what attacks a signed manifest precludes
that a thin manifest doesn't; all I see is remote distfiles manipulation
w/ a branch injection; that same injection can just as easily mangle
profile.bashrc, the ebuild itself, or slip patches into files. If it
doesn't actually do anything, it should be disabled.

On the portage front, this just changes portage behaviour to defaulting
to signing, rather than configuration based- very least that deserves a
PSA notice...

~brian

On 09/13/2011 11:50 AM, Brian Harring wrote:
> On the portage front, this just changes portage behaviour to defaulting
> to signing, rather than configuration based- very least that deserves
> a PSA notice...

Whether or not repoman actually signs the manifest is still conditional
on "sign" in FEATURES. What I've done is added the ability to disable
manifest signatures at the repository level by setting
"sign-manifests = false" in metadata/layout.conf.

-- 
Thanks,
Zac
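Brian's argument above is that a signature over a thin Manifest attests only the DIST checksums, while the ebuild and anything under files/ are covered by nothing but the VCS, and Zac's follow-up turns signing into a repository-level setting in metadata/layout.conf. The Python below is an added example, not Portage's or repoman's code, that models exactly that coverage gap: it parses a constructed layout.conf and two constructed Manifests (thin and full), verifies a constructed distfile against its DIST entry, lists the in-tree files a Manifest signature would not cover, and applies the thread's rule for when the tree is attested at all. The sample tree, its file contents and the package directory app-misc/foo are constructed; tree_integrity_attested is a hypothetical policy helper, not a Portage function. The Manifest line shape (TYPE NAME SIZE followed by hash-name/hex pairs) and the layout.conf keys thin-manifests and sign-manifests are the ones the thread discusses.

```python
"""What a Manifest attests to, thin versus full (added example, not Portage code).

Manifest lines follow the Manifest2 shape: TYPE NAME SIZE then hash-name/hex
pairs. The layout.conf keys thin-manifests and sign-manifests are the ones
discussed in the thread. Everything else here is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class ManifestEntry:
    kind: str     # DIST, EBUILD, AUX or MISC
    name: str
    size: int
    hashes: dict  # hash algorithm name -> hex digest


# Constructed sample package tree (repo-relative path -> file bytes).
TREE = {
    "metadata/layout.conf": b"thin-manifests = true\nsign-manifests = false\n",
    "app-misc/foo/foo-1.0.ebuild": b'EAPI=4\nSRC_URI="http://example.invalid/foo-1.0.tar.gz"\n',
    "app-misc/foo/files/foo-1.0-fix.patch": b"--- a/f\n+++ b/f\n",
    "app-misc/foo/metadata.xml": b"<pkgmetadata/>\n",
}
SAMPLE_DISTFILE = b"constructed tarball bytes\n"  # stands in for foo-1.0.tar.gz


def _manifest_line(kind, name, data):
    """Build one Manifest2-style line for constructed data."""
    return f"{kind} {name} {len(data)} SHA256 {hashlib.sha256(data).hexdigest()}"


# A thin Manifest carries only DIST entries; a full one also covers tree files.
THIN_MANIFEST = _manifest_line("DIST", "foo-1.0.tar.gz", SAMPLE_DISTFILE) + "\n"
FULL_MANIFEST = THIN_MANIFEST + "\n".join([
    _manifest_line("AUX", "foo-1.0-fix.patch", TREE["app-misc/foo/files/foo-1.0-fix.patch"]),
    _manifest_line("EBUILD", "foo-1.0.ebuild", TREE["app-misc/foo/foo-1.0.ebuild"]),
    _manifest_line("MISC", "metadata.xml", TREE["app-misc/foo/metadata.xml"]),
]) + "\n"


def parse_layout_conf(text):
    """Parse 'key = value' lines from metadata/layout.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_manifest(text):
    """Parse Manifest2-style lines; skips blank, armour and malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or len(fields) % 2 != 1:
            continue  # TYPE NAME SIZE plus at least one name/hex pair is required
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries.append(ManifestEntry(fields[0], fields[1], int(fields[2]), hashes))
    return entries


def verify_distfile(entry, data):
    """Check downloaded distfile bytes against a DIST entry's size and SHA256."""
    if entry.kind != "DIST" or len(data) != entry.size:
        return False
    expected = entry.hashes.get("SHA256")
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


def uncovered_tree_files(entries, pkgdir, tree_files):
    """In-tree files under pkgdir that a signature over this Manifest does not attest."""
    covered = set()
    for e in entries:
        if e.kind == "AUX":
            covered.add(f"{pkgdir}/files/{e.name}")
        elif e.kind in ("EBUILD", "MISC"):
            covered.add(f"{pkgdir}/{e.name}")
        # DIST entries name downloaded files, so they cover nothing in the tree.
    prefix = pkgdir + "/"
    return sorted(p for p in tree_files if p.startswith(prefix) and p not in covered)


def tree_integrity_attested(layout, manifest_signed, vcs_commit_signed):
    """Hypothetical policy helper applying the thread's rule; returns (attested, reason).

    layout.conf is itself read from the tree, so a decision driven by it is only
    as trustworthy as whatever attests the tree (Brian's chain-of-trust point).
    """
    if layout.get("thin-manifests", "false") == "true":
        # Thin: only DIST checksums are in the Manifest, the VCS must vouch for the rest.
        return vcs_commit_signed, "thin manifest: tree integrity rests on signed VCS commits"
    if manifest_signed:
        return True, "full manifest: tree files covered by the manifest signature"
    return False, "full manifest without signature: nothing attests the tree"


def summarize():
    """Run the checks over the constructed tree and return the results."""
    layout = parse_layout_conf(TREE["metadata/layout.conf"].decode())
    thin, full = parse_manifest(THIN_MANIFEST), parse_manifest(FULL_MANIFEST)
    return {
        "distfile_ok": verify_distfile(thin[0], SAMPLE_DISTFILE),
        "thin_uncovered": uncovered_tree_files(thin, "app-misc/foo", TREE),
        "full_uncovered": uncovered_tree_files(full, "app-misc/foo", TREE),
        "thin_signed_manifest_only": tree_integrity_attested(layout, True, False),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the constructed tree, the thin Manifest leaves the ebuild, the files/ patch and metadata.xml uncovered even when the Manifest is signed, while the full Manifest covers all three; the distfile check passes either way, which is the one thing a thin Manifest does attest. Reading thin-manifests from layout.conf inside the same unsigned tree is deliberate here: it makes visible that the policy decision inherits whatever trust the tree already has.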