[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Mon Jul 7 01:42:23 UTC 2014
Mark Mielke <mark.mielke at gmail.com>

On Sun, Jul 6, 2014 at 9:04 PM, Chris St. Pierre <chris.a.st.pierre at gmail.com> wrote:

> There's been a lot of discussion on this, which is surprising given that
> this is the wrong place for it.  Maybe next we can discuss how to improve
> AutoYAST or IIS.
> Some people seem to have forgotten that CentOS, despite the recent change
> in employment status of several of its core members, is the *downstream*
> rebuilder.  They get their sources via git.centos.org from a prominent
> North American Linux reseller, just like the rest of us.
> Read that again: CentOS is not special.  They are *consumers* of the
> sources, not the producers.

You have some interesting points... but, this discussion is just as
important for consumers as for producers, and CentOS is both a consumer
*and* a producer, as are many other downstream distros based upon upstream

If you don't believe security is possible... that's fine. Because perfect
security is impossible. But, that doesn't mean people shouldn't try. CentOS
*does* sign SRPM, do they not? Why do they do this? Obviously, somebody
believes this aspect is important?

It seems like some people just want to do what they're already doing (for
better or for worse) and it doesn't really matter what the request is, or
the merit of the request.  Which is fine... but just please admit to it.

> So if CentOS pushed a zillion signed tags to git.centos.org, that'd only
> mean that CentOS trusts those sources.  If, as Nico suggested,
> git.centos.org was pwned, then CentOS just certified bogus sources.  IOW,
> a signed tag from Jim, or Johnny, or KB, or any of the other CentOS devs
> means precisely fuck-all, and not a bit more, because they get the sources
> through the EXACT SAME distribution channel that the rest of us do.  CentOS
> is not special, they just look that way.  Really, if this is the assurance
> you want, just add your own signed tags to your local repo -- it's just as
> meaningful.
> What do we want?  FUCK-ALL!  When do we want it?  NOW!

You are right about "just add your own signed tags". Actually, everybody
who derives should sign their derived works. That makes it possible to
track back if or when something bad does happen, and we can see where the
problem was introduced. So Red Hat should sign their tags, and CentOS should
sign any tags that they create. It's not "FUCK-ALL"... It's evidence that a
particular process was followed that was approved by a particular person.
It's a paper trail that is more difficult to forge. It's not different from
a signature on a form authorizing a change. Yes they can be forged... but
that doesn't mean that "no signature" is better than "signature that can
theoretically be forged".

> If you want *actual* cryptographic assurance that the sources you're
> grabbing from git.centos.org are the same sources pushed there by the
> *upstream* vendor, maybe, just maybe, you should ask that upstream vendor.
> Otherwise it's just garbage in, garbage out, and they're only certifying
> that the sources you download match the sources someone else downloaded.  I
> guess misery loves company, but that sure doesn't seem helpful.

Yes, the upstream vendor should be asked. That doesn't really add or remove
merit to CentOS signing any tags that CentOS creates.

> I'll warn you, though, since the specter of the all-powerful NSA was
> raised: they already have Red Hat's signing keys.  And yours, too.

They might... but it really sounds like you are saying that because it is
possible for NSA to get past any security, therefore no security makes
perfect sense. It sounds like extending your thinking would conclude that
signing the SRPM is also useless. And for this... if you really do think
this... I think you are quite wrong.
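As an added example, not code from this thread or from the CentOS or Red Hat projects: a throwaway shell demo of the signed-tag paper trail Mark describes, where the upstream party signs its import tag, the downstream rebuilder signs the tag it creates on top, and a consumer checks that each link was signed by the party expected to have made it. It assumes git and gpg are installed; the party names, keys, repository contents and tag names (imports/c7/pkg-1.0, rebuild/c7/pkg-1.0) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway demo of the signed-tag "paper
# trail". Upstream signs its import tag, the downstream rebuilder signs the tag it
# creates on top of it, and a consumer checks that each link carries a valid
# signature from the expected party. All names, keys and tag names are constructed.
set -eu
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# make_key UID: generate a passphrase-less demo key and print its primary fingerprint
make_key() {
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never >/dev/null 2>&1
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}
UP_FPR=$(make_key "Upstream Vendor <upstream@example.invalid>")
DOWN_FPR=$(make_key "Downstream Rebuilder <downstream@example.invalid>")

# Build a small repo: an upstream import, then a downstream change on top of it.
git init -q "$WORK/repo" && cd "$WORK/repo"
git config user.name "demo" && git config user.email "demo@example.invalid"
echo "Version: 1.0" > pkg.spec && git add pkg.spec && git commit -q -m "upstream import"
git -c user.signingkey="$UP_FPR" tag -s -m "signed by upstream" imports/c7/pkg-1.0
echo "Release: 1.el7.centos" >> pkg.spec && git commit -q -am "downstream rebuild"
git -c user.signingkey="$DOWN_FPR" tag -s -m "signed by downstream" rebuild/c7/pkg-1.0

# signer_of TAG: print the primary fingerprint behind a valid signature, else nothing.
# git verify-tag --raw relays gpg's status lines; VALIDSIG's last field is the primary key.
signer_of() {
  git verify-tag --raw "$1" 2>&1 | awk '$2=="VALIDSIG"{print $NF; exit}'
}

# expect_signer TAG FPR: succeed only if TAG carries a valid signature made with FPR
expect_signer() {
  [ -n "$2" ] && [ "$(signer_of "$1")" = "$2" ]
}

# check_chain: every link in the trail was signed by the party that should have made
# it, and the downstream tag really descends from the signed upstream tag.
check_chain() {
  expect_signer imports/c7/pkg-1.0 "$UP_FPR" || return 1
  expect_signer rebuild/c7/pkg-1.0 "$DOWN_FPR" || return 1
  git merge-base --is-ancestor imports/c7/pkg-1.0 rebuild/c7/pkg-1.0
}

check_chain || { echo "trail broken: a tag is unsigned, mis-signed or detached" >&2; exit 1; }
echo "trail OK: upstream=$UP_FPR downstream=$DOWN_FPR"
```

A tag that is signed by the wrong party (say, a tag in the upstream namespace signed with the downstream key) fails `expect_signer`, which is exactly the "where was the problem introduced" question the signatures are meant to answer.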