[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Sun Jul 6 14:06:46 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 07/06/2014 11:11 AM, Nico Kadel-Garcia wrote:
>> if you can MITM the content, nothing signed or otherwise is assured to
>> be in any sate.
> First note: in many environments, MITM is how things work normally. In
> others, the routers and proxies and DNS are *not* secured or easily
> re-implemented to be secure, for many, many different reasons. No
> matter how careful you are with git.centos.org itself, it's going to
> be vulnerable to trojaned intermediate repositories being substituted
> because no one at CentOS or Red Hat has enough control over the
> Internet to fix these.

You are repeatedly saying this, but failing to actually quantify it.

your gpg key is pretty much null routed once someone can MITM the
content anyway, and i also assume you realise that a gpg sign is still
with the same sort of code/key as an ssl connection is.

the bottom line is that unless you can get an authoritative manner of
initial keyexchange, that you can absolutely trust, nothing else down
the line is going to be any more secure than the initial handover. I'm
happy to setup a keysign and keyexchange event at every dojo we run, but
even that is likely to only reach a small fraction of the entire userbase.

So the only way to get the originating gpg key ( that you'd verify
against ) is over ssl on the internet, which also implies that having
git.centos.org behind the same leave lof trust puts us no worse off.


Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc