Old 09-13-2011, 04:38 AM
"Robin H. Johnson"
 
Default proj/portage:master commit in: bin/

On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
> commit: 677240f7b3db66bdcd403c214e5d3fa30e31a24a
> Author: Zac Medico <zmedico <AT> gentoo <DOT> org>
> AuthorDate: Tue Sep 13 03:20:00 2011 +0000
> Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
> CommitDate: Tue Sep 13 03:20:00 2011 +0000
> URL: http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
>
> repoman: don't sign thin manifests
>
> Thin manifests imply reliance on the VCS for file integrity,
> which implies that manifest signatures are not needed.

This is only true after the VCS has signed commits.

If the VCS does not have signed commits, then we should have this
signature.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
 
Old 09-13-2011, 05:30 AM
Zac Medico
 
Default proj/portage:master commit in: bin/

On 09/12/2011 09:38 PM, Robin H. Johnson wrote:
> On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
>> commit: 677240f7b3db66bdcd403c214e5d3fa30e31a24a
>> Author: Zac Medico <zmedico <AT> gentoo <DOT> org>
>> AuthorDate: Tue Sep 13 03:20:00 2011 +0000
>> Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
>> CommitDate: Tue Sep 13 03:20:00 2011 +0000
>> URL: http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
>>
>> repoman: don't sign thin manifests
>>
>> Thin manifests imply reliance on the VCS for file integrity,
>> which implies that manifest signatures are not needed.
>
> This is only true after the VCS has signed commits.
>
> If the VCS does not have signed commits, then we should have this
> signature.

So, should we add the ability to set "signed-manifests = false" in
metadata/layout.conf? I can imagine that people using thin-manifests
typically don't want signed-manifests, since it tends to introduce
merge conflicts like those that thin-manifests is supposed to avoid.
--
Thanks,
Zac
 
Old 09-13-2011, 05:50 AM
Zac Medico
 
Default proj/portage:master commit in: bin/

On 09/12/2011 10:30 PM, Zac Medico wrote:
> On 09/12/2011 09:38 PM, Robin H. Johnson wrote:
>> On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
>>> commit: 677240f7b3db66bdcd403c214e5d3fa30e31a24a
>>> Author: Zac Medico <zmedico <AT> gentoo <DOT> org>
>>> AuthorDate: Tue Sep 13 03:20:00 2011 +0000
>>> Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
>>> CommitDate: Tue Sep 13 03:20:00 2011 +0000
>>> URL: http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
>>>
>>> repoman: don't sign thin manifests
>>>
>>> Thin manifests imply reliance on the VCS for file integrity,
>>> which implies that manifest signatures are not needed.
>>
>> This is only true after the VCS has signed commits.
>>
>> If the VCS does not have signed commits, then we should have this
>> signature.
>
> So, should we add the ability to set "signed-manifests = false" in
> metadata/layout.conf? I can imagine that people using thin-manifests
> typically don't want signed-manifests, since it tends to introduce
> merge conflicts like those that thin-manifests is supposed to avoid.

I've implemented "signed-manifests = false" here:

http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=9cb089047e10b300100e7bbdc4274ecf8866b0bb

--
Thanks,
Zac
 
Old 09-13-2011, 08:22 AM
"Robin H. Johnson"
 
Default proj/portage:master commit in: bin/

On Mon, Sep 12, 2011 at 10:50:30PM -0700, Zac Medico wrote:
> On 09/12/2011 10:30 PM, Zac Medico wrote:
> > On 09/12/2011 09:38 PM, Robin H. Johnson wrote:
> >> On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
> >>> commit: 677240f7b3db66bdcd403c214e5d3fa30e31a24a
> >>> Author: Zac Medico <zmedico <AT> gentoo <DOT> org>
> >>> AuthorDate: Tue Sep 13 03:20:00 2011 +0000
> >>> Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
> >>> CommitDate: Tue Sep 13 03:20:00 2011 +0000
> >>> URL: http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
> >>>
> >>> repoman: don't sign thin manifests
> >>>
> >>> Thin manifests imply reliance on the VCS for file integrity,
> >>> which implies that manifest signatures are not needed.
> >>
> >> This is only true after the VCS has signed commits.
> >>
> >> If the VCS does not have signed commits, then we should have this
> >> signature.
> >
> > So, should we add the ability to set "signed-manifests = false" in
> > metadata/layout.conf? I can imagine that people using thin-manifests
> > typically don't want signed-manifests, since it tends to introduce
> > merge conflicts like those that thin-manifests is supposed to avoid.
>
> I've implemented "signed-manifests = false" here:
>
> http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=9cb089047e10b300100e7bbdc4274ecf8866b0bb
Thanks, that's very useful for working on it, and probably the best
solution.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
 
Old 09-13-2011, 06:50 PM
Brian Harring
 
Default proj/portage:master commit in: bin/

On Tue, Sep 13, 2011 at 04:38:35AM +0000, Robin H. Johnson wrote:
> On Tue, Sep 13, 2011 at 03:20:35AM +0000, Zac Medico wrote:
> > commit: 677240f7b3db66bdcd403c214e5d3fa30e31a24a
> > Author: Zac Medico <zmedico <AT> gentoo <DOT> org>
> > AuthorDate: Tue Sep 13 03:20:00 2011 +0000
> > Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
> > CommitDate: Tue Sep 13 03:20:00 2011 +0000
> > URL: http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=677240f7
> >
> > repoman: don't sign thin manifests
> >
> > Thin manifests imply reliance on the VCS for file integrity,
> > which implies that manifest signatures are not needed.
>
> This is only true after the VCS has signed commits.
>
> If the VCS does not have signed commits, then we should have this
> signature.

This really doesn't provide for much; without a chain of trust to the
content of layout.conf, you can't toggle behaviour (making lack of
signing a failure) for example. So the manager has to either trust
the VCS validity, or accept mixed signed/unsigned (which opens
a new branch of attacks).

Worse, what this tries to protect against is the VCS being screwed
with- by definition, thin defers that to the VCS, instead providing
the data of what the VCS cannot, the distfiles checksums.

If an attack on the VCS can be done (whether SHA1 breakage, or just
in the middle branch injection), an attacker can just as easily
inject in a patch to files/ along w/ a modification to the ebuild to
include that trojan. It's a bit harsher than I'd like, but
signed thin manifests are security theater as best I can tell.

While I grok your concerns, it would be *very* useful to know
exactly what attacks a signed manifest precludes that a thin
manifest doesn't; all I see is remote distfiles manipulation w/
a branch injection; that same injection can just as easily
mangle profile.bashrc, the ebuild itself, or slip patches into
files.

If it doesn't actually do anything, it should be disabled.

On the portage front, this just changes portage behaviour to defaulting
to signing, rather than configuration based- very least that deserves
a PSA notice...

~brian
 
Old 09-13-2011, 09:07 PM
Zac Medico
 
Default proj/portage:master commit in: bin/

On 09/13/2011 11:50 AM, Brian Harring wrote:
> On the portage front, this just changes portage behaviour to defaulting
> to signing, rather than configuration based- very least that deserves
> a PSA notice...

Whether or not repoman actually signs the manifest is still conditional
on "sign" in FEATURES. What I've done is added the ability to disable
manifest signatures at the repository level by setting "sign-manifests =
false" in metadata/layout.conf.
--
Thanks,
Zac
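As an added illustration (not Portage's or repoman's own code), the following Python models the rule Zac states above, signing only when "sign" is in FEATURES and the repository has not set "sign-manifests = false" in metadata/layout.conf, and classifies a Manifest as thin (DIST entries only, everything else deferred to the VCS, as Brian describes) and as clearsigned or not. The layout.conf keys and the FEATURES value are the ones named in this thread; the layout.conf and Manifest texts are constructed samples.

```python
"""Model of the repoman signing decision and thin/full Manifest check
discussed in the thread (added example, not Portage code)."""

SIGNED_HDR = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_HDR = "-----BEGIN PGP SIGNATURE-----"

# Constructed layout.conf for an overlay using thin manifests that opts out of signing.
LAYOUT_CONF = "masters = gentoo\nthin-manifests = true\nsign-manifests = false\n"

# Constructed thin Manifest: only DIST entries (distfile checksums); no EBUILD,
# AUX or MISC lines, so ebuilds and files/ are covered only by the VCS.
THIN_MANIFEST = "DIST foo-1.0.tar.gz 1024 SHA256 0123abcd WHIRLPOOL 4567ef01\n"


def parse_layout_conf(text):
    """Parse 'key = value' lines, ignoring blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf


def should_sign(features, layout_text):
    """Sign only if 'sign' is in FEATURES and the repo has not set
    sign-manifests = false (an absent key leaves signing enabled)."""
    conf = parse_layout_conf(layout_text)
    opted_out = conf.get("sign-manifests", "true").lower() == "false"
    return "sign" in features.split() and not opted_out


def manifest_body(text):
    """Return the entry lines, stripping OpenPGP clearsign armor if present."""
    lines = text.splitlines()
    if lines and lines[0] == SIGNED_HDR:
        start = lines.index("") + 1  # entries begin after the armor headers
        end = lines.index(SIG_HDR)   # and stop at the detached signature block
        lines = lines[start:end]
    return [line for line in lines if line.strip()]


def is_signed(text):
    return text.startswith(SIGNED_HDR)


def is_thin(text):
    """Thin means every entry is a DIST line (no EBUILD/AUX/MISC checksums)."""
    types = {line.split()[0] for line in manifest_body(text)}
    return bool(types) and types == {"DIST"}
```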
 
