From kde-devel Thu May 27 13:30:19 2010
From: Joanna Rutkowska
Date: Thu, 27 May 2010 13:30:19 +0000
To: kde-devel
Subject: SFTP server for tarballs?
Message-Id: <4BFE73EB.9070709 () invisiblethingslab ! com>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127496688415006

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 05/26/2010 12:10 PM, Scott Kitterman wrote:
>
>
> "Joanna Rutkowska" wrote:
>
>> On 05/26/2010 03:49 AM, Scott Kitterman wrote:
>>>> Instead of having just one private key, it would be much better for
>>>> every committer/release-manager or whoever is responsible for building
>>>> the stable tarballs, to generate their own private key and use it for
>>>> signing. Then, there should be one "master signing key" that would be
>>>> kept on some safe machine (perhaps used just for the purpose of
>>>> generating and using this key) and which would be used to sign all the
>>>> "authorized" developers' keys. This key (the public portion) would be
>>>> published on kde.org website, and you can also send it to kde-devel
>>>> list, to make it possible for people to obtain it from 2 different
>>>> sources (I guess kde-devel is widely mirrored over internet, so it would
>>>> not be feasible for the attacker to subvert this public key in all the
>>>> places). Perhaps only the top 2 or 3 most trusted KDE developers (I'm
>>>> sorry I don't know the management structure of the project) should have
>>>> access to the master signing key.
>>>>
>>> Speaking as an Ubuntu packager, we maintain in transit assurance of
>>> package integrity by retrieving the tarballs via sftp. If someone
>>> can MITM my SSH session, then there's a lot better things they can
>>> do with it than modify KDE tarballs in transit.
>>>
>>
>> That's certainly better than relying on the SHA1 hash embedded on the
>> plaintext HTML page. But still doesn't help if somebody compromised the
>> KDE's ftp server. You might comfort yourself that this is unlikely to
>> happen, but the reality is simply different ...
>
> Which is why I specified in transit assurance. I agree signing would
> be better, but thought it reasonable to point out that at least part
> of the problem had a reasonable solution in place already.
>

Can you provide the server name you use and its fingerprint for
verification?

Thanks,
joanna.
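The key hierarchy proposed in the quoted text (every release manager signs with their own key, a single master key kept on a safe machine certifies those keys, and the master public key is checked against a fingerprint obtained from two independent sources such as kde.org and the kde-devel archive) as an added example that is not part of this thread or of KDE's release infrastructure. It uses Ed25519 from Go's standard library in place of OpenPGP, so the "certificate" is just a master signature over the developer's name and public key; the key owner names, the hex SHA-256 fingerprint format and the tarball bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeveloperCert is the master key's endorsement of one developer's signing
// key. In an OpenPGP deployment this would be a certification signature on
// the developer's key; here it is a plain Ed25519 signature (assumption made
// so the example runs with the standard library only).
type DeveloperCert struct {
	Name   string
	PubKey ed25519.PublicKey
	Sig    []byte // master signature over certMessage(Name, PubKey)
}

// certMessage binds the name to the key so a certificate cannot be reused
// for a different identity. The prefix is a constructed domain-separation tag.
func certMessage(name string, pub ed25519.PublicKey) []byte {
	return append([]byte("kde-developer-key:"+name+":"), pub...)
}

// Fingerprint is hex(SHA-256(public key)); this is the value that would be
// published on the website and posted to the list (constructed format).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// IssueCert runs only on the offline machine that holds the master key.
func IssueCert(master ed25519.PrivateKey, name string, pub ed25519.PublicKey) DeveloperCert {
	return DeveloperCert{Name: name, PubKey: pub, Sig: ed25519.Sign(master, certMessage(name, pub))}
}

// SignTarball is what a release manager does with their own private key.
func SignTarball(dev ed25519.PrivateKey, tarball []byte) []byte {
	digest := sha256.Sum256(tarball)
	return ed25519.Sign(dev, digest[:])
}

// VerifyTarball is what a packager runs. The only trust anchor is the pair
// of independently obtained fingerprints; everything else is checked.
func VerifyTarball(masterPub ed25519.PublicKey, fpFromWebsite, fpFromList string,
	cert DeveloperCert, tarball, sig []byte) error {
	if fpFromWebsite != fpFromList {
		return errors.New("master key fingerprints from the two sources disagree")
	}
	if Fingerprint(masterPub) != fpFromWebsite {
		return errors.New("master public key does not match the published fingerprint")
	}
	if !ed25519.Verify(masterPub, certMessage(cert.Name, cert.PubKey), cert.Sig) {
		return fmt.Errorf("developer key for %q is not certified by the master key", cert.Name)
	}
	digest := sha256.Sum256(tarball)
	if !ed25519.Verify(cert.PubKey, digest[:], sig) {
		return errors.New("tarball signature invalid")
	}
	return nil
}

// DemoResult collects the outcome of the four verification scenarios.
type DemoResult struct {
	Good, Tampered, Uncertified, SourceMismatch error
}

// Demo exercises the chain with freshly generated keys and a constructed
// tarball: a valid chain, a tampered tarball, a signer the master key never
// certified (self-signed certificate), and fingerprint sources that disagree.
func Demo() DemoResult {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)

	fp := Fingerprint(masterPub) // the value published on the website and the list
	cert := IssueCert(masterPriv, "release-manager@example.org", devPub)
	tarball := []byte("constructed stand-in for the bytes of a release tarball")
	sig := SignTarball(devPriv, tarball)

	rogueCert := DeveloperCert{Name: "attacker", PubKey: roguePub,
		Sig: ed25519.Sign(roguePriv, certMessage("attacker", roguePub))}

	var r DemoResult
	r.Good = VerifyTarball(masterPub, fp, fp, cert, tarball, sig)
	r.Tampered = VerifyTarball(masterPub, fp, fp, cert, append([]byte("x"), tarball...), sig)
	r.Uncertified = VerifyTarball(masterPub, fp, fp, rogueCert, tarball, SignTarball(roguePriv, tarball))
	r.SourceMismatch = VerifyTarball(masterPub, fp, Fingerprint(roguePub), cert, tarball, sig)
	return r
}

func main() {
	r := Demo()
	fmt.Println("valid chain:", r.Good)
	fmt.Println("tampered tarball:", r.Tampered)
	fmt.Println("uncertified signer:", r.Uncertified)
	fmt.Println("fingerprint sources disagree:", r.SourceMismatch)
}
```

The point the uncertified case makes is the one the quoted proposal relies on: the rogue signature over the tarball is itself perfectly valid, and it is rejected only because the master key never certified the signing key. With OpenPGP the same chain is the master key certifying each developer's key and packagers running gpg --verify on the tarball's detached signature with only the master key marked as trusted; retrieving the tarball over SFTP, as discussed above, protects the bytes in transit but says nothing about who produced them.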