Re: [cclan-list] (no subject)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

   From: "Robert P. Goldman" <rpg...@si...>
   Date: Sun, 02 Sep 2007 14:40:00 -0600

   I'm not sure I understand the point. Why is it secure for ASDF-Install to 
   invoke gpg to verify a sig, but insecure invoke gpg to fetch and import a 
   key? Is there privilege separation in gpg? I don't think so (but I could be 

If I remember correctly, the fetch-and-store operation requires write
access to the keyfile.  The verify process only requires read access.
Back when it was pgp, there were a number of lectures on how to be
careful with the keyring, to the point of having multiple keyrings.

   wrong), and if not, it just seems like an inconvenience to make the user 
   invoke gpg from the command-line, instead of letting him or her ask 
   ASDF-Install to do it on his or her behalf. 

   Can't a corrupted ASDF-Install image do whatever it wants with my keyring 
   (or just about anything else), anyway, absent some privilege-limiting 
   framework like SELinux?

If you run asdf-install with sufficient privledges, it could do
anything.  The power of the user/group concept is that different users
can have different access levels to various information and commands.

For myself, when I use asdf-install to track down all the pieces of
sourcecode I need, I only run it within a username with very limited
privledges.  I'll spend some time on validating the downloaded info,
and then move it into a useful place.  I spend this time because
cleaning and rebuilding my main system will cost much more time.  In a
VMWare test image or snapshot or other disposable system, I might want
the suggested capability you note, if I can easily toss the system if
needed.  It depends on your assessment of the risk-reward involved.

However the additional time cost to a user to invoke an independent
key fetch is rather minor[1], so providing such a 'download' feature
probably has more risk than reward.  I've seen alot of compromised
systems and I'd rather not see Common Lisp in that mess.  The argument
that CL is only a small portion of the computer world sounds just like
what Macintosh users said long ago, just before nVIR (a System4 era
virus).  I've heard we-are-too-small-to-matter repeated several times
since, always unsuccessfully.

[1] If you do not have multiple usernames with varying access levels
on your computer, you might want to make some.  For keyrings and other
trusted files, it is very helpful to have limited write capability.
Under Xwindows, it is very fast for me to switch users. The few times
I've tried it with vanilla Microsoft Windows, the user kluge really
shows.