From: GP l. <fp...@cl...> - 2007-09-04 20:21:06
From: "Robert P. Goldman" <rpg...@si...>
Date: Sun, 02 Sep 2007 14:40:00 -0600

> I'm not sure I understand the point. Why is it secure for ASDF-Install to
> invoke gpg to verify a sig, but insecure to invoke gpg to fetch and import
> a key? Is there privilege separation in gpg? I don't think so (but I could
> be

If I remember correctly, the fetch-and-store operation requires write access to the keyfile. The verify process only requires read access. Back when it was pgp, there were a number of lectures on how to be careful with the keyring, to the point of having multiple keyrings.

> wrong), and if not, it just seems like an inconvenience to make the user
> invoke gpg from the command-line, instead of letting him or her ask
> ASDF-Install to do it on his or her behalf. Can't a corrupted ASDF-Install
> image do whatever it wants with my keyring (or just about anything else),
> anyway, absent some privilege-limiting framework like SELinux?

If you run asdf-install with sufficient privileges, it could do anything. The power of the user/group concept is that different users can have different access levels to various information and commands.

For myself, when I use asdf-install to track down all the pieces of source code I need, I only run it within a username with very limited privileges. I'll spend some time on validating the downloaded info, and then move it into a useful place. I spend this time because cleaning and rebuilding my main system will cost much more time.

In a VMWare test image or snapshot or other disposable system, I might want the suggested capability you note, if I can easily toss the system if needed. It depends on your assessment of the risk-reward involved. However, the additional time cost to a user to invoke an independent key fetch is rather minor[1], so providing such a 'download' feature probably has more risk than reward. I've seen a lot of compromised systems and I'd rather not see Common Lisp in that mess.

The argument that CL is only a small portion of the computer world sounds just like what Macintosh users said long ago, just before nVIR (a System 4 era virus). I've heard we-are-too-small-to-matter repeated several times since, always unsuccessfully.

[1] If you do not have multiple usernames with varying access levels on your computer, you might want to make some. For keyrings and other trusted files, it is very helpful to have limited write capability. Under Xwindows, it is very fast for me to switch users. The few times I've tried it with vanilla Microsoft Windows, the user kluge really shows.
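The split the reply describes (a keyring the installer may only read, and a separate keyring that only an explicit, user-driven fetch may write), as an added shell sketch that is not part of this thread or of ASDF-Install. The paths, the GnuPG 2.x keybox file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: two keyrings with different write policies.
# Assumes GnuPG 2.x on PATH; on older versions the file is pubring.gpg, not pubring.kbx.
FETCH_RING="${FETCH_RING:-$HOME/.gnupg-fetch/pubring.kbx}"    # written only by fetch_key
VERIFY_RING="${VERIFY_RING:-$HOME/.gnupg-verify/pubring.kbx}" # read-only copy for the installer

# Returns 0 when the keyring file carries no write bit at all (0400, 0440 or 0444).
# This is a mode check, so it holds even for a user who could chmod the file back.
keyring_is_readonly() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
  case "$mode" in
    400|440|444) return 0 ;;
    *)           return 1 ;;
  esac
}

# The explicit key fetch the reply wants the user to perform by hand: it is the only
# step that writes a keyring, and it writes the fetch ring, never the verify ring.
fetch_key() {   # fetch_key KEYID KEYSERVER
  mkdir -p "$(dirname "$FETCH_RING")"
  gpg --batch --no-default-keyring --keyring "$FETCH_RING" \
      --keyserver "$2" --recv-keys "$1"
}

# Copy the fetch ring into place as the verify ring and drop every write bit.
publish_verify_ring() {
  mkdir -p "$(dirname "$VERIFY_RING")"
  cp "$FETCH_RING" "$VERIFY_RING.tmp" && mv "$VERIFY_RING.tmp" "$VERIFY_RING"
  chmod 0444 "$VERIFY_RING"
}

# What the installer is allowed to do: verify a detached signature FILE.asc against
# the read-only ring. Refuses to run if someone has made the verify ring writable.
verify_sig() {  # verify_sig FILE
  keyring_is_readonly "$VERIFY_RING" || {
    echo "refusing: $VERIFY_RING is writable; run publish_verify_ring first" >&2
    return 2
  }
  gpg --batch --no-default-keyring --keyring "$VERIFY_RING" --verify "$1.asc" "$1"
}

case "${1:-}" in
  fetch)   fetch_key "$2" "${3:-hkps://keys.openpgp.org}" ;;
  publish) publish_verify_ring ;;
  verify)  verify_sig "$2" ;;
esac
```

Run the `fetch` and `publish` steps from an interactive shell as the user who owns the fetch ring; give the limited account that runs asdf-install read access to the verify ring only.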