Rich Freeman posted on Sun, 01 May 2011 19:43:48 -0400 as excerpted:

> On Sun, May 1, 2011 at 7:31 PM, Brian Harring <ferri...@gmail.com>
> wrote:
>> Get at that key, and you've got the tree, versus the current form,
>> crack all signing keys and you've got the tree.
>
> Well, more like get any one of the keys and you get the tree, since
> portage only validates that a trusted key signed a package, and not that
> the key belonged to the package maintainer.
OK, so everything in a manifest signs together, and if the changelog as-is gets server-signed, so does the rest of the manifest. I see the problem there, but there are ways around it. As I said, changes may be necessary, but they aren't huge compared to the scope of the whole idea.

What about having the server-generated changelogs separate from the rest of the package, say in a changelogs dir, one such dir per category, with for example portage's changelog then located at sys-apps/changelogs/portage, thus preventing between-category naming collisions (we've been there!)? Then the server could generate and sign the changelogs without interfering with the package manifests and their signatures.

The changelogs would all be signed by the same key, but it wouldn't be used for signing anything else, thus not interfering with actual package security at all.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
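The key-separation idea in the message above, as an added illustration that is not code from the thread or from Portage itself: a verifier keeps a purpose-bound keyring, derives the expected purpose from the tree path (the proposed `<category>/changelogs/<pkg>` layout versus package content), and rejects a cryptographically valid signature made by the changelog key over a package Manifest. Ed25519, the path-binding of the signed bytes, the `Keyring`/`Signed`/`PurposeForPath` names and the sample file contents are all assumptions of this example; Portage's actual Manifest and keyring handling differs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"path"
	"strings"
)

// Purpose is what a trusted key is allowed to sign. The server changelog
// key is trusted for changelogs only, so a compromise of that key cannot
// vouch for a package Manifest. (Added illustration, not Portage's model.)
type Purpose int

const (
	PurposePackage   Purpose = iota // developer keys sign package content
	PurposeChangelog                // the one server key signs generated changelogs
)

// Keyring maps a trusted public key to the single purpose it is trusted for.
type Keyring map[string]Purpose

func (kr Keyring) Add(pub ed25519.PublicKey, p Purpose) { kr[string(pub)] = p }

// PurposeForPath follows the layout proposed in the thread:
// <category>/changelogs/<pkg> is a server-generated changelog, anything
// else is package content covered by the package's own Manifest signature.
func PurposeForPath(treePath string) Purpose {
	parts := strings.Split(path.Clean(treePath), "/")
	if len(parts) == 3 && parts[1] == "changelogs" {
		return PurposeChangelog
	}
	return PurposePackage
}

// Signed is a tree file with a detached signature over path and contents.
type Signed struct {
	Path string
	Data []byte
	Pub  ed25519.PublicKey
	Sig  []byte
}

// message binds the tree path into the signed bytes (an assumption of this
// example) so a valid changelog signature cannot be replayed under a
// Manifest path with the same contents.
func message(treePath string, data []byte) []byte {
	return append([]byte(treePath+"\x00"), data...)
}

// NewKey generates a fresh Ed25519 keypair (stand-in for a real keyring entry).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces a Signed record for treePath using priv.
func Sign(priv ed25519.PrivateKey, treePath string, data []byte) Signed {
	return Signed{
		Path: treePath,
		Data: data,
		Pub:  priv.Public().(ed25519.PublicKey),
		Sig:  ed25519.Sign(priv, message(treePath, data)),
	}
}

// Verify accepts a file only if the key is trusted AND trusted for the
// purpose implied by the path, and only then checks the signature itself.
func (kr Keyring) Verify(s Signed) error {
	want := PurposeForPath(s.Path)
	have, ok := kr[string(s.Pub)]
	if !ok {
		return errors.New("signing key is not in the trusted keyring")
	}
	if have != want {
		return fmt.Errorf("key is not trusted to sign %s", s.Path)
	}
	if !ed25519.Verify(s.Pub, message(s.Path, s.Data), s.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	devPub, devPriv := NewKey() // a developer's key
	srvPub, srvPriv := NewKey() // the changelog server's key
	kr := Keyring{}
	kr.Add(devPub, PurposePackage)
	kr.Add(srvPub, PurposeChangelog)

	// Constructed sample files; contents are placeholders, not real tree data.
	manifest := Sign(devPriv, "sys-apps/portage/Manifest", []byte("DIST portage.tar.bz2 ..."))
	changelog := Sign(srvPriv, "sys-apps/changelogs/portage", []byte("*portage (01 May 2011)"))
	forged := Sign(srvPriv, "sys-apps/portage/Manifest", []byte("DIST evil.tar.bz2 ..."))

	for _, s := range []Signed{manifest, changelog, forged} {
		fmt.Printf("%-30s %v\n", s.Path, kr.Verify(s))
	}
}
```

The check that matters is the purpose comparison before `ed25519.Verify`: the forged Manifest carries a perfectly good signature from a trusted key, and a verifier that only asks "is this key trusted?" accepts it, which is exactly the weakness Rich describes. Binding the purpose to the path is what lets the changelog key be widely deployed without weakening package signing.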