List: kde-devel
Subject: SFTP server for tarballs?
From: Joanna Rutkowska <joanna@invisiblethingslab.com>
Date: 2010-05-27 13:30:19
Message-ID: 4BFE73EB.9070709@invisiblethingslab.com
On 05/26/2010 12:10 PM, Scott Kitterman wrote:
>
>
> "Joanna Rutkowska" <joanna@invisiblethingslab.com> wrote:
>
>> On 05/26/2010 03:49 AM, Scott Kitterman wrote:
>>>> Instead of having just one private key, it would be much better for
>>>> every committer/release-manager or whoever is responsible for building
>>>> the stable tarballs, to generate their own private key and use it for
>>>> signing. Then, there should be one "master signing key" that would be
>>>> kept on some safe machine (perhaps used just for the purpose of
>>>> generating and using this key) and which would be used to sign all the
>>>> "authorized" developers keys. This key (the public portion) would be
>>>> published on kde.org website, and you can also send it to kde-devel
>>>> list, to make it possible for people to obtain it from 2 different
>>>> sources (I guess kde-devel is widely mirrored over the internet, so it would
>>>> not be feasible for the attacker to subvert this public key in all the
>>>> places). Perhaps only the top 2 or 3 most trusted KDE developers (I'm
>>>> sorry I don't know the management structure of the project) should have
>>>> access to the master signing key.
>>>>
>>> Speaking as an Ubuntu packager, we maintain in-transit assurance of
>>> package integrity by retrieving the tarballs via sftp. If someone
>>> can MITM my SSH session, then there's a lot better things they can
>>> do with it than modify KDE tarballs in transit.
>>>
>>
>> That's certainly better than relying on the SHA1 hash embedded on the
>> plaintext HTML page. But it still doesn't help if somebody compromised
>> KDE's ftp server. You might comfort yourself that this is unlikely to
>> happen, but the reality is simply different ...
>
> Which is why I specified in-transit assurance. I agree signing would
> be better, but thought it reasonable to point out that at least part
> of the problem had a reasonable solution in place already.
>
Can you provide the server name you use and its fingerprint for
verification?
Thanks,
joanna.
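The key hierarchy proposed in the quoted message (a master signing key, kept on an isolated machine, that certifies each release manager's own key, so that a downloader needs only the master public key obtained out of band) modelled as an added example in Go. This is illustrative code written for this page, not anything from the KDE project; the Ed25519 keys, the tarball bytes and the function names are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certification is the master key's signature over one developer public key.
type Certification struct {
	DevPub ed25519.PublicKey
	Sig    []byte
}
// Release: tarball, developer signature over its SHA-256 digest, and the
// certification that names the signing key as authorized.
type Release struct {
	Tarball []byte
	Sig     []byte
	Cert    Certification
}
// Certify runs on the offline master machine and vouches for a developer key.
func Certify(masterPriv ed25519.PrivateKey, devPub ed25519.PublicKey) Certification {
	return Certification{DevPub: devPub, Sig: ed25519.Sign(masterPriv, devPub)}
}
// SignTarball is done by the release manager with their own key.
func SignTarball(devPriv ed25519.PrivateKey, cert Certification, tarball []byte) Release {
	d := sha256.Sum256(tarball)
	return Release{Tarball: tarball, Sig: ed25519.Sign(devPriv, d[:]), Cert: cert}
}
// VerifyRelease needs only the master public key (obtained out of band),
// so a compromised download server cannot produce a release that passes.
func VerifyRelease(masterPub ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(masterPub, r.Cert.DevPub, r.Cert.Sig) {
		return errors.New("developer key not certified by master key")
	}
	d := sha256.Sum256(r.Tarball)
	if !ed25519.Verify(r.Cert.DevPub, d[:], r.Sig) {
		return errors.New("tarball signature invalid")
	}
	return nil
}
func main() {
	masterPub, masterPriv, _ := ed25519.GenerateKey(nil) // nil: crypto/rand
	devPub, devPriv, _ := ed25519.GenerateKey(nil)       // constructed dev key
	rel := SignTarball(devPriv, Certify(masterPriv, devPub), []byte("constructed tarball"))
	fmt.Println("genuine:", VerifyRelease(masterPub, rel)) // <nil>
	rel.Tarball[0] ^= 1                                     // modified on the server
	fmt.Println("tampered:", VerifyRelease(masterPub, rel)) // tarball signature invalid
}
```

A developer key that the master key never certified fails at the first check even if its own tarball signature is valid, which is the property the proposal relies on.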