[arch-dev-public] [RFC] Moving repos to nymeria

Florian Pritz bluewind at xinu.at
Sat Sep 15 17:24:57 EDT 2012


On 06.09.2012 19:18, Eric Bélanger wrote:
> On Thu, Sep 6, 2012 at 12:46 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
>> [2012-09-06 17:39:03 +0200] Florian Pritz:
>>> The idea is to reduce the possible damage an attacker can cause if he
>>> happens to obtain a dev's/TU's ssh key. Without a shell and only a few
>>> whitelisted commands the box should be very safe. That allows us to use
>>> a server stored signing key for the database without having to worry
>>> about someone using a kernel exploit and gaining access to the key.
>>
>> Did we abandon the idea of having packagers download the old DB, check
>> its signature, do changes to it, sign the new DB, and upload it back?
>> Because I would certainly find this much safer and trustworthy than
>> having a black-box server blindly sign anything it is given.
> 
> 
> Agree.
> 
>>
>> And I would also find it too bad to lose the flexibility actual non-root
>> Linux accounts give, such as being able to fix things ourselves when
>> they go wrong (like when pushing to the wrong repo).

Pierre said that we should support using devtools inside screen (db-move
can take quite long) and screen allows running other commands, so limiting
the shells doesn't seem possible right now.

Limiting the shell creates a trusted server which makes signing the
databases way more secure because even if we use remote signing the hash
is calculated on the server.

I understand either way and I don't care if we limit them or not so I'm
not going to argue about that.

-- 
Florian Pritz
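The whitelisted-command setup described at the top of the thread (a packager's SSH key that can run a few devtools commands but gets no shell), as an added example that is not from the thread or from Arch's own infrastructure. It assumes a forced-command wrapper installed as /usr/local/bin/packager-shell and the devtools command names db-update, db-move and db-remove (only db-move is mentioned in the thread); the authorized_keys line is a constructed sample.

```shell
#!/bin/sh
# Forced-command wrapper for a packager's SSH key. sshd runs this instead of
# a login shell and passes the requested command in SSH_ORIGINAL_COMMAND, so a
# stolen key can only invoke the whitelisted devtools commands below.
#
# Constructed authorized_keys entry that wires it up (key material elided):
#   command="/usr/local/bin/packager-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... dev@example
#
# screen is deliberately not whitelisted: as noted in the thread it can run
# arbitrary commands, which would defeat the restriction.

# packager_allowed "<command line>": returns 0 if permitted, 1 otherwise.
packager_allowed() {
    set -f                 # no glob expansion while splitting the request
    set -- $1
    set +f
    cmd=$1
    case "$cmd" in
        db-update|db-move|db-remove) ;;   # whitelist (devtools names, assumed)
        *) return 1 ;;
    esac
    shift
    # Arguments are repo/package names only; anything with shell
    # metacharacters, path separators or whitespace is rejected.
    for arg in "$@"; do
        case "$arg" in
            *[!A-Za-z0-9._+-]*) return 1 ;;
        esac
    done
    return 0
}

# Entry point used when sshd invokes the wrapper; skipped otherwise so the
# file can also be sourced for testing.
packager_main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if packager_allowed "$req"; then
        set -f; set -- $req; set +f
        exec "$@"
    fi
    echo "packager-shell: command not permitted: $req" >&2
    exit 1
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    packager_main
fi
```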
