Hi to all!
I've recently seen the outbreak of "violence" concerning signing packages or
rather files in the Gentoo portage system. I am currently working on a system
which does exactly this signing process with an addon library I've written
myself (so, no need for gpg, just Python + module). I've devised quite an
intricate scheme of checks and balances, which amounts to the following:
1. have a master "Gentoo" key, which is kept by the Gentoo RelEng, which only
signs other keys and a list of keys removed from circulation, no ebuilds.
2. have each developer create a keypair for themselves, send their public key
to the RelEng via some form of _safe_ channel (this is important), and have
the RelEng send back the signed key to the developer.
3. have each developer sign his/her packages with their own key.
Keys are distributed via a P2P network with large-scale replication, just as
are files from the portage tree. As there is large-scale replication (not
just some hundred servers, but rather thousands of them), and each user can
check whether the file he/she receives is valid (by verifying the signature
on the key which was found to have a correct signature on the corresponding
file), there'll be no corruption of the data on the network (at least it'll
be very hard to achieve), as invalid data sent to a remote host for
caching/processing is simply discarded. And, to have control over the system
(well, rather to DOS it), an attacker would have to inject lots of machines
under his control into the system (so that he could forge certain areas of
the distributed hash table address space). But this is near impossible for a
large scale network.
The only key which needs to be distributed in a safe form is the Gentoo master
key, which is used to sign all other keys. This is similar to distributing a
CA key, and should be easy to implement (for example, if you don't trust your
network connection, order the one single key on CD via snail-mail).
Anyway, if anybody is interested in working on this with me, mail me. I don't
have much time at the moment, and I've been working on this about half a year
now, but I guess as the end of year draws nearer, I might actually be getting
somewhere near a working implementation of this sometime soon, and should be
there even faster if someone else is interested in making it work with me.
Concerning security: read up on Kademlia, and its near indestructibility when
many hosts are attached and the large attack base needed to DOS it (and I
guess that many Gentoo users who have a permanent/near permanent internet
connection will gladly offer up a little bandwith to create a large
distributed hash table, at least I would).
And on another note: this makes overlays unnecessary. At least in my theory
everybody may inject ebuilds signed with his key into the system (each host
accepts a certain amount of "non-Gentoo" ebuilds), and each user may decide
that he trusts a certain non-Gentoo ebuild writer so much that he wants these
ebuilds integrated into the main portage tree (so that they are not discarded
when being downloaded). This is pretty much like an overlay, but invisible to
the user, and more transparent.
Anyway, my english is bad tonight, I'm tired from being at university the
whole day, and I have two exams this week, but anyway, if you're interested
in this, just mail me, and I'll gladly send you the sources I have ready,
they're written using Twisted and Sophie
(http://www.heim-d.de/~heikowu/Crypto), both Python modules which are pretty
lightweight to install additionally to Python itself.
Heiko.
--
gentoo-security@gentoo.org mailing list
I've recently seen the outbreak of "violence" concerning signing packages or
rather files in the Gentoo portage system. I am currently working on a system
which does exactly this signing process with an addon library I've written
myself (so, no need for gpg, just Python + module). I've devised quite an
intricate scheme of checks and balances, which amounts to the following:
1. have a master "Gentoo" key, which is kept by the Gentoo RelEng, which only
signs other keys and a list of keys removed from circulation, no ebuilds.
2. have each developer create a keypair for themselves, send their public key
to the RelEng via some form of _safe_ channel (this is important), and have
the RelEng send back the signed key to the developer.
3. have each developer sign his/her packages with their own key.
Keys are distributed via a P2P network with large-scale replication, just as
are files from the portage tree. As there is large-scale replication (not
just some hundred servers, but rather thousands of them), and each user can
check whether the file he/she receives is valid (by verifying the signature
on the key which was found to have a correct signature on the corresponding
file), there'll be no corruption of the data on the network (at least it'll
be very hard to achieve), as invalid data sent to a remote host for
caching/processing is simply discarded. And, to have control over the system
(well, rather to DOS it), an attacker would have to inject lots of machines
under his control into the system (so that he could forge certain areas of
the distributed hash table address space). But this is near impossible for a
large scale network.
The only key which needs to be distributed in a safe form is the Gentoo master
key, which is used to sign all other keys. This is similar to distributing a
CA key, and should be easy to implement (for example, if you don't trust your
network connection, order the one single key on CD via snail-mail).
Anyway, if anybody is interested in working on this with me, mail me. I don't
have much time at the moment, and I've been working on this about half a year
now, but I guess as the end of year draws nearer, I might actually be getting
somewhere near a working implementation of this sometime soon, and should be
there even faster if someone else is interested in making it work with me.
Concerning security: read up on Kademlia, and its near indestructibility when
many hosts are attached and the large attack base needed to DOS it (and I
guess that many Gentoo users who have a permanent/near permanent internet
connection will gladly offer up a little bandwith to create a large
distributed hash table, at least I would).
And on another note: this makes overlays unnecessary. At least in my theory
everybody may inject ebuilds signed with his key into the system (each host
accepts a certain amount of "non-Gentoo" ebuilds), and each user may decide
that he trusts a certain non-Gentoo ebuild writer so much that he wants these
ebuilds integrated into the main portage tree (so that they are not discarded
when being downloaded). This is pretty much like an overlay, but invisible to
the user, and more transparent.
Anyway, my english is bad tonight, I'm tired from being at university the
whole day, and I have two exams this week, but anyway, if you're interested
in this, just mail me, and I'll gladly send you the sources I have ready,
they're written using Twisted and Sophie
(http://www.heim-d.de/~heikowu/Crypto), both Python modules which are pretty
lightweight to install additionally to Python itself.
Heiko.
--
gentoo-security@gentoo.org mailing list