On 06.09.2012 19:18, Eric Bélanger wrote:
> On Thu, Sep 6, 2012 at 12:46 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
>> [2012-09-06 17:39:03 +0200] Florian Pritz:
>>> The idea is to reduce the possible damage an attacker can cause if he happens to obtain a dev's/TU's ssh key. Without a shell and only a few whitelisted commands the box should be very safe. That allows us to use a server-stored signing key for the database without having to worry about someone using a kernel exploit and gaining access to the key.
>> Did we abandon the idea of having packagers download the old DB, check its signature, make changes to it, sign the new DB, and upload it back? Because I would certainly find this much safer and more trustworthy than having a black-box server blindly sign anything it is given.
> Agree.
>> And I would also find it too bad to lose the flexibility actual non-root Linux accounts give, such as being able to fix things ourselves when they go wrong (like when pushing to the wrong repo).

Pierre said that we should support using devtools inside screen (db-move can take quite long), and screen allows running other commands, so limiting the shells doesn't seem possible right now. Limiting the shell creates a trusted server, which makes signing the databases way more secure because, even if we use remote signing, the hash is calculated on the server. I understand either way and I don't care if we limit them or not, so I'm not going to argue about that.

-- 
Florian Pritz