Gnome.org's crypto infrastructure



Hi, all,

This mail is intended for brainstorming some ideas before GUADEC.  It's
not to decide anything and set it in stone.

I've been preparing my GUADEC talk about crypto infrastructure for
newbies, and I've started to realize that it may be useful for gnome.org
to have an "official", publicly-documented crypto infrastructure of its
own.

Here is a set of somewhat related ideas:

* GNOME releases tarballs of source code.  Maintainers regularly post
checksums of their tarballs along with their announcement emails.  Until
now, I'm not sure if we have had the need to *guarantee* that a
particular release of code is authentic.  For example, we don't actually
crypto-sign tarballs like the Tor project would --- in their case,
whoever downloads the code *really* wants to ensure that it hasn't been
tampered with.  Again, I'm not sure if we have such kind of
security-conscious code, but maybe we could start crypto-signing our
tarballs.  Which brings me to...

* Identity in the GNOME project.  We have keysigning parties at GUADEC.
Some maintainers actually sign their tarball announcement emails, so if
you have their GPG public key (and if they posted a checksum of their
tarball in their email), you can actually verify whether a tarball is
pristine.  I doubt that anyone actually does this sort of checking ;)

* If we ever get an infrastructure to publish compiled "apps", what with
all the sandboxing stuff being worked on, will we need harder guarantees
about authentic binaries and code?

* Would it be useful / trustworthy to have a gnome.org-specific GPG
keyserver?  One that cannot be poisoned like public keyservers?  (I
don't really know how to do this, but if only people with SSH keys can
push to git.gnome.org, maybe we can do something similar for a
keyserver...).

* Would app authors need certificates?  Should gnome.org be able to
issue certificates (and should we ship our Certificate Authority
information somewhere)?

* Can we have some sort of synergy with keybase.io?

* There is a public key in the keyservers for secresp gnome org, but as
far as I can tell it has no signatures.  How would people verify it?
(AFAICT it was announced here:
https://mail.gnome.org/archives/infrastructure-announce/2013-November/msg00001.html)

* Should we have a web page linking to GNOME's important public keys and
such?  (The ones you would use to encrypt reports of security bugs and
such.)

* (I know Debian has well-documented procedures for signing things and
such; I'm sure we can copy those procedures for some things.)
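
The verification flow the first two bullets sketch (a checksum posted in a signed announcement, a tarball checked against it, the announcement's signature checked against a key you already trust) can be written down concretely. The following is an added example, not code from the original message or from gnome.org's infrastructure. It assumes an announcement line of the form "sha256sum: <hex>  <tarball name>" (the sample below is constructed, not a real release), and an optional detached OpenPGP signature checked with the `gpg` command-line tool; the `signature_is_good` helper pins the signer's fingerprint rather than accepting any key in the keyring, which is the check that matters if keys come from a keyserver that could be poisoned.

```python
"""Verify a release tarball against the checksum published in a signed
announcement email.  Added example; sample data below is constructed."""
import hashlib
import hmac
import re
import subprocess
from typing import Optional

# Matches announcement lines like "sha256sum: <64 hex chars>  foo-1.2.3.tar.xz"
CHECKSUM_RE = re.compile(
    r"^\s*sha256sum:\s*([0-9a-fA-F]{64})\s+(\S+)\s*$", re.MULTILINE
)


def published_checksum(announcement: str, tarball_name: str) -> Optional[str]:
    """Return the SHA-256 hex digest the announcement claims for tarball_name, or None."""
    for digest, name in CHECKSUM_RE.findall(announcement):
        if name == tarball_name:
            return digest.lower()
    return None


def sha256_of_bytes(data: bytes) -> str:
    """Hash in fixed-size chunks so a large tarball need not be held in one buffer."""
    h = hashlib.sha256()
    view = memoryview(data)
    chunk = 1 << 16
    for start in range(0, len(view), chunk):
        h.update(view[start:start + chunk])
    return h.hexdigest()


def tarball_matches_announcement(tarball: bytes, tarball_name: str, announcement: str) -> bool:
    """True only if the announcement lists a checksum for this name and it matches the bytes."""
    expected = published_checksum(announcement, tarball_name)
    if expected is None:
        # No published checksum means nothing to verify against: treat as unverified.
        return False
    actual = sha256_of_bytes(tarball)
    # Constant-time comparison; harmless here but the habit is worth keeping.
    return hmac.compare_digest(expected, actual)


def signature_is_good(signed_path: str, sig_path: str, expected_fpr: str) -> bool:
    """Verify a detached OpenPGP signature with gpg and pin the signing key's fingerprint.

    A GOODSIG from *any* key in the local keyring is not enough: a key fetched from a
    public keyserver may belong to anyone, so the VALIDSIG fingerprint must equal the
    one obtained out of band (a keysigning party, a key page on gnome.org).
    Needs the gpg binary on PATH; the constructed sample below does not exercise it.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, signed_path],
        capture_output=True, text=True, check=False,
    )
    # "[GNUPG:] VALIDSIG <fingerprint> ..." is emitted only for a valid signature.
    fingerprints = re.findall(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})", proc.stdout, re.MULTILINE)
    wanted = expected_fpr.upper().replace(" ", "")
    return proc.returncode == 0 and wanted in fingerprints


# --- constructed sample data (not a real GNOME release) ----------------------
SAMPLE_TARBALL = b"fake tar.xz contents for demonstration only\n"
SAMPLE_NAME = "example-app-1.2.3.tar.xz"
SAMPLE_ANNOUNCEMENT = (
    "example-app 1.2.3 is out.\n\n"
    "Checksums:\n"
    "sha256sum: " + hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "  " + SAMPLE_NAME + "\n"
)


def demo() -> dict:
    """Run the checksum step over a pristine, a tampered and an unlisted tarball."""
    tampered = SAMPLE_TARBALL + b"#"
    return {
        "pristine": tarball_matches_announcement(SAMPLE_TARBALL, SAMPLE_NAME, SAMPLE_ANNOUNCEMENT),
        "tampered": tarball_matches_announcement(tampered, SAMPLE_NAME, SAMPLE_ANNOUNCEMENT),
        "unlisted": tarball_matches_announcement(SAMPLE_TARBALL, "other-0.1.tar.xz", SAMPLE_ANNOUNCEMENT),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

The order matters in practice: verify the signature on the announcement (or on a detached `.sig` for the tarball) first, and only then trust the checksum it carries. A checksum on its own proves the download was not corrupted in transit; it says nothing about who published it.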

Again, these are just questions or ideas for now.  Any input is
appreciated.  All the (conflicting) information about crypto-related
matters out there on the web is giving me the biggest case of impostor
syndrome ever :)

  Federico
