[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Mon Jul 7 02:52:39 UTC 2014
Chris St. Pierre <chris.a.st.pierre at gmail.com>

On Sun, Jul 6, 2014 at 9:42 PM, Mark Mielke <mark.mielke at gmail.com> wrote:

> If you don't believe security is possible... that's fine. Because perfect
> security is impossible. But, that doesn't mean people shouldn't try. CentOS
> *does* sign SRPM, do they not? Why do they do this? Obviously, somebody
> believes this aspect is important?
>

CentOS *produces* the SRPMs.  They should sign them -- it verifies that
this is the SRPM CentOS built, not something masquerading as such.  It
makes no guarantee as to the content or provenance of the sources, though,
beyond the degree to which we already trust CentOS.

Signing the sources is an entirely different matter, since CentOS did not
populate them and has no way to verify them independently of the upstream
producer.  We want a signed tag on the git repo in order to guarantee that
these are the sources that upstream provided, not something masquerading as
such.  A signed tag from CentOS only certifies that these are the sources
CentOS *thinks* upstream provided, which really truly is worth fuck-all
because the chain of trust was broken by *upstream*.

> It seems like some people just want to do what they're already doing (for
> better or for worse) and it doesn't really matter what the request is, or
> the merit of the request.  Which is fine... but just please admit to it.
>

To be clear, I'm not doing anything.  I just like mailing lists with good
SNR.  If I was a CentOS core dev, I already would have written a script to
push a cryptographically signed tag to every repo, which would be
completely useless because, again, the chain of trust was broken by
*upstream*.


> Yes, the upstream vendor should be asked. That doesn't really add or
> remove merit to CentOS signing any tags that CentOS creates.
>

Actually, it does.  If CentOS signs a known delta to an unknown (or at
least unproven) base, that isn't actually valuable.  I.e., only if upstream
can be convinced to sign their tags would it be useful for CentOS to do the
same.  Until then, a signed tag from CentOS just tells us that someone
trusted made a change to something untrusted, and the net result is still
untrusted because -- say it with me this time -- the chain of trust was
broken by *upstream*.


> I'll warn you, though, since the specter of the all-powerful NSA was
>> raised: they already have Red Hat's signing keys.  And yours, too.
>>
>
> They might... but it really sounds like you are saying that because it is
> possible for NSA to get past any security, therefore no security makes
> perfect sense. It sounds like extending your thinking would conclude that
> signing the SRPM is also useless. And for this... if you really do think
> this... I think you are quite wrong.
>

My only beef is with any security model that has to resort to magic (or the
NSA, they're the same in this context) to explain the threat.  Especially
when that model proposes to close the barn door after the horse is already
gone.

-- 
Chris St. Pierre
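The chain-of-trust argument in the reply above, worked as an added example (not code from the thread or from CentOS): a tag signature covers only the tuple (object id, tagger, base, message), so "CentOS's signature verifies" and "the sources are trustworthy end to end" are separate questions. The Tag type, the Base field, the objectID digest, the key pairs and the sample trees are all assumptions constructed for the illustration; git's real tag format and CentOS's key handling are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Tag models the signed portion of a git tag object (assumed layout, not
// git's real one). The signature covers object, tagger, base and message,
// so a valid signature proves only that the key holder vouched for exactly
// that tuple; it says nothing about where the object's contents came from.
type Tag struct {
	Object    string // hex digest of the tagged tree
	Tagger    string
	Base      string // upstream object this tree was derived from ("" for a root tag)
	Message   string
	Signature []byte // nil: never signed
}

func (t Tag) payload() []byte {
	return []byte("object " + t.Object + "\ntagger " + t.Tagger +
		"\nbase " + t.Base + "\n\n" + t.Message)
}

// objectID stands in for git's content hash of a tree.
func objectID(tree string) string {
	sum := sha256.Sum256([]byte(tree))
	return hex.EncodeToString(sum[:])
}

func signTag(priv ed25519.PrivateKey, t Tag) Tag {
	t.Signature = ed25519.Sign(priv, t.payload())
	return t
}

func verifyTag(pub ed25519.PublicKey, t Tag) bool {
	return t.Signature != nil && ed25519.Verify(pub, t.payload(), t.Signature)
}

// ChainResult keeps "the CentOS signature checks out" apart from
// "the sources are trustworthy end to end".
type ChainResult struct {
	CentOSVerified   bool
	UpstreamVerified bool
	BaseMatches      bool
	Trusted          bool
}

// verifyChain accepts the import only if every link holds: CentOS signed the
// delta, upstream signed the base, and the delta really sits on that base.
func verifyChain(upstreamPub, centosPub ed25519.PublicKey, upstream, centos Tag) ChainResult {
	r := ChainResult{
		CentOSVerified:   verifyTag(centosPub, centos),
		UpstreamVerified: verifyTag(upstreamPub, upstream),
		BaseMatches:      centos.Base == upstream.Object,
	}
	r.Trusted = r.CentOSVerified && r.UpstreamVerified && r.BaseMatches
	return r
}

// RunScenarios builds the same import twice from constructed sample trees:
// once with a signed upstream tag, once with an unsigned one. The CentOS
// tag verifies in both cases; only the first import is trusted.
func RunScenarios() (signedUpstream, unsignedUpstream ChainResult, err error) {
	upstreamPub, upstreamPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	centosPub, centosPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// Constructed sample data: an upstream tree and the CentOS tree after
	// adding a distribution patch on top of it.
	upstreamTree := "foo-1.0/foo.c\nfoo-1.0/README\n"
	centosTree := upstreamTree + "foo-1.0/centos-build.patch\n"

	upstreamTag := Tag{Object: objectID(upstreamTree), Tagger: "upstream <release@example.invalid>", Message: "foo-1.0"}
	centosTag := Tag{
		Object:  objectID(centosTree),
		Tagger:  "CentOS <build@example.invalid>",
		Base:    upstreamTag.Object,
		Message: "imports/c7/foo-1.0-1.el7",
	}

	signedUpstream = verifyChain(upstreamPub, centosPub,
		signTag(upstreamPriv, upstreamTag), signTag(centosPriv, centosTag))
	// Upstream never signed its tag: CentOS's signature still verifies and the
	// base id still matches, but the base is unproven, so the result is untrusted.
	unsignedUpstream = verifyChain(upstreamPub, centosPub,
		upstreamTag, signTag(centosPriv, centosTag))
	return
}

func main() {
	a, b, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("upstream signed:   %+v\n", a)
	fmt.Printf("upstream unsigned: %+v\n", b)
}
```

The second scenario is the situation the reply describes: every check that CentOS controls passes, and the verdict is still "untrusted" because the link upstream was supposed to supply is missing. A verifier that reports only CentOSVerified would call that import good.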