--- xml/htdocs/proj/en/glep/glep-0057.html 2008/10/21 23:30:47 1.1 +++ xml/htdocs/proj/en/glep/glep-0057.html 2010/02/07 16:24:17 1.6 @@ -4,7 +4,7 @@- +
Both processes need their security improved. In [GLEPxx+2] we will discuss +
Both processes need their security improved. In [#GLEPxx+2] we will discuss how to improve the security of the first process. The relatively speaking simpler process of file distribution will be described in -[GLEPxx+1]. Since it can be implemented without having to change the +[#GLEP58]. Since it can be implemented without having to change the workflow and behaviour of developers we hope to get it done in a reasonably short timeframe.
This security is still limited in scope - protection against compromised developers is very expensive, and even complex systems like peer review / multiple signatures can be broken by colluding developers. There are many @@ -220,7 +224,7 @@ that Gentoo infrastructure and the mirrors are not a weak point. This objective is actually much closer than it seems already - most of the work has been completed for other things!. This is further discussed in -[GLEP58]. As this process has the most to gain in security, and the +[#GLEP58]. As this process has the most to gain in security, and the most immediate impact, it should be implemented before or at the same time as any changes to process #1. Security at this layer is already available in the signed daily snapshots, but we can extend it to cover @@ -335,7 +339,7 @@
2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which Ciaran reminds everybody that simply making all the developers sign the -tree is not sufficent to prevent all attacks. +tree is not sufficient to prevent all attacks. [ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ]
2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review @@ -365,10 +369,15 @@
[#GLEPxx+2] Future GLEP on Developer Process security. +[#GLEPxx+3] Future GLEP on GnuPG Policies and Handling.
Copyright (c) 2006 by Robin Hugh Johnson. This material may be +
Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0.
vim: tw=72 ts=2 expandtab:@@ -378,7 +387,7 @@
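Review bot: In the first hunk the citation [GLEPxx+1] is rewritten to [#GLEP58] while the neighbouring citation is only re-keyed to [#GLEPxx+2]; the references hunk at the end of this diff adds a [#GLEPxx+3] entry but shows no removal or renaming of a [#GLEPxx+1] entry, so check that the reference list no longer carries a stale [#GLEPxx+1] item and that [#GLEP58] resolves to an entry in it. The rendered HTML also shows the bare "[#...]" markup as literal text rather than a link, so confirm the source is being regenerated from the reST rather than hand-edited.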
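Review bot: The unchanged context line in the second hunk, "most of the work has been completed for other things!.", has a stray period after the exclamation mark; since this commit already fixes wording nearby ("sufficent" to "sufficient"), it would be cleaner to drop the extra period in the same change rather than leave a second typo pass for later.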
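Review bot: The last hunk adds the reference "[#GLEPxx+3] Future GLEP on GnuPG Policies and Handling." but no hunk in this diff adds a citation of [#GLEPxx+3] to the body text, so the new entry is dangling unless the body already cites it; either add the citation where GnuPG key handling is discussed or hold the entry until that text exists. In the same hunk the copyright year is widened from "2006" to "2005-2010", which extends the range backwards as well as forwards; confirm 2005 is the intended start year for this document.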