Date: Tue, 7 May 2002 14:48:33 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: SolarfluX <solarflux@ziplip.com>
Cc: security@freebsd.org
Subject: ports signing, Was: cvsup/install over ssh?
Message-ID: <20020507144833.L15411@mail.webmonster.de>
In-Reply-To: <AF13VLYGFIOSYBQGVND1RLAF2CWRUCWTJKP50WBP@ziplip.com>; from solarflux@ziplip.com on Mon, May 06, 2002 at 02:05:48PM -0700
References: <AF13VLYGFIOSYBQGVND1RLAF2CWRUCWTJKP50WBP@ziplip.com>
SolarfluX(solarflux@ziplip.com)@2002.05.06 14:05:48 +0000:
> Why doesn't cvsup have the option to be encrypted via ssh like anoncvs does?

ipsec(4)

> How about an option to install over an encrypted connection?

setkey(8)

> Would anyone consider implementing either of these suggestions?

main question: what problem do you want to solve with it?

on a high-volume download site i wouldn't even think about implementing payload signing/encryption on the network layer. the cost of cpu cycles in such an environment is much too high. as hardware gets faster and cheaper, it might become reality.

perhaps someday, there will be tokens and configuration info available for ftp.freebsd.org, but what about the mirrors? trust, authenticity, integrity must be maintained throughout the infrastructure. this is not possible through only encryption on the network layer.

in ports' distfiles, checksums are used already, but only to have control over source archive integrity, not really authenticity (this would imply the ports tree itself being signed, or elements of it, using some PKCS variant).

what i could imagine is a "checksig" target in the ports tree, but this has the following implications:

- one additional .sig/.asc file per port
- gnupg must be installed to be able to check, first (but this could already be a tampered version that gives an "OK" every time)
- each port maintainer must have a private key and gnupg to sign his port(s)
- a publicly available web of trust containing cross-signed pubkeys of the maintainers needs to be made available (and managed)
- the maintainer's mailbox will most certainly fill up with "port <name> is not signed" or what else obscure messages when the system is freshly deployed

thinking about it, it looks like it's worth thinking about a little further.

opinions? flames?

regards,
/k

--
> The life uncaffeinated is not worth living.
--Michael Han
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

-----BEGIN PGP SIGNATURE-----
Comment: For info see http://www.gnupg.org

iD8DBQE8180gs5Nr9N7JSKYRAieWAKCs0Aby8JrKX4Wu056rU5LjqE/lvgCfb3iO
I0koDrVu76V+zfKL1AZJ5r4=
=PIbP
-----END PGP SIGNATURE-----
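The distinction the mail draws, that the distfile checksum gives integrity against a corrupted download but not authenticity against a mirror that rewrites both the archive and its checksum, is easy to see in code. The following is an added example and not part of the original message or of the FreeBSD ports tree: it parses a 2002-style distinfo file (MD5 lines), applies the existing checksum check, and layers the proposed "checksig" step on top, where the distinfo must carry a verified maintainer signature before its checksums are trusted. The HMAC used for the signature is a stand-in for a detached GnuPG signature so that the example runs offline; the distfile, distinfo and maintainer key are all constructed.

```python
"""Toy model of a ports 'checksig' step: a checksum proves integrity of
the distfile, a signature over distinfo proves who published the checksum.
Constructed example, not FreeBSD code. The HMAC below stands in for a
detached GnuPG signature (.sig/.asc) so the script needs no gpg binary."""
import hashlib
import hmac
import re

# Constructed sample distfile and its distinfo (old format: "MD5 (name) = hash").
DISTFILE_NAME = "foo-1.0.tar.gz"
DISTFILE = b"constructed tarball contents for foo-1.0\n"
DISTINFO = f"MD5 ({DISTFILE_NAME}) = {hashlib.md5(DISTFILE).hexdigest()}\n"

# Constructed maintainer key; in the real proposal the pubkey would come
# from the maintainers' web of trust, not from the mirror being checked.
MAINTAINER_KEY = b"constructed-maintainer-key"


def sign_distinfo(distinfo: str, key: bytes) -> str:
    """Stand-in for the maintainer producing distinfo.sig (HMAC, not PGP)."""
    return hmac.new(key, distinfo.encode(), hashlib.sha256).hexdigest()


DISTINFO_SIG = sign_distinfo(DISTINFO, MAINTAINER_KEY)


def parse_distinfo(text: str) -> dict:
    """Return {filename: md5hex} from lines of the form 'MD5 (name) = hash'."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"MD5 \((\S+)\) = ([0-9a-f]{32})$", line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def check_integrity(name: str, data: bytes, distinfo: str) -> bool:
    """The existing 'checksum' target: does the fetched file match distinfo?"""
    expected = parse_distinfo(distinfo).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), expected)


def check_authenticity(distinfo: str, sig: str, key: bytes) -> bool:
    """The proposed 'checksig' step: was this distinfo signed by the maintainer?"""
    return hmac.compare_digest(sign_distinfo(distinfo, key), sig)


def fetch_ok(name: str, data: bytes, distinfo: str, sig: str, key: bytes) -> bool:
    """Accept a distfile only if distinfo is authentic AND the file matches it."""
    return check_authenticity(distinfo, sig, key) and check_integrity(name, data, distinfo)


def scenarios() -> dict:
    """Genuine fetch, swapped distfile, and swapped distfile plus rewritten distinfo."""
    evil = b"constructed trojaned tarball\n"
    evil_distinfo = f"MD5 ({DISTFILE_NAME}) = {hashlib.md5(evil).hexdigest()}\n"
    return {
        # Untouched mirror: signature and checksum both pass.
        "genuine": fetch_ok(DISTFILE_NAME, DISTFILE, DISTINFO, DISTINFO_SIG, MAINTAINER_KEY),
        # Only the archive was replaced: the checksum already catches this.
        "swapped_file": fetch_ok(DISTFILE_NAME, evil, DISTINFO, DISTINFO_SIG, MAINTAINER_KEY),
        # Archive and distinfo both replaced: checksum alone is fooled ...
        "swapped_both_checksum_only": check_integrity(DISTFILE_NAME, evil, evil_distinfo),
        # ... but the rewritten distinfo no longer carries a valid maintainer signature.
        "swapped_both": fetch_ok(DISTFILE_NAME, evil, evil_distinfo, DISTINFO_SIG, MAINTAINER_KEY),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

The third scenario is the one the mail is about: with checksums alone a compromised mirror can serve a consistent archive/distinfo pair, and only a signature whose key is obtained outside the mirror rejects it. The mail's second caveat still applies to this model, since a tampered verifier (here, a modified `check_authenticity`) can answer "OK" regardless.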
