[openstack-dev] Fwd: [Openstack-devel] PGP key signing party during the HK summit

Clint Byrum clint at fewbar.com
Fri Sep 20 17:47:10 UTC 2013


Excerpts from Mike Spreitzer's message of 2013-09-20 07:46:47 -0700:
> What's the threat model here?
> 

Right now most verification loops in OpenStack rely on SSL and the PKI
that it brings along.

This is vulnerable to centralized compromise on several levels, and does
not help if the server itself is compromised. Rubygems anyone?

However, if I have verified the keys that have signed the git tags,
I can make use of that git repo with confidence. It does not matter if
all of the OpenStack infra is compromised, they can't fake signing stuff
with my key unless they have it.

Also if we are auto-signing anything, the infra team can sign the
key for the auto-signer, so we can also secure any mirrored copies of
automatically built artifacts against server side tampering.
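
The check described in the message above, sketched as an added example that is not part of the original post or of any OpenStack tooling: accept a git tag only when its signature was made by a key whose fingerprint you have verified yourself. The function names and the fingerprints are constructed placeholders; it assumes `git` and `gpg` are installed and the signer's public key is in your keyring.

```shell
#!/bin/sh
# Fingerprints you verified in person (constructed placeholder value).
TRUSTED_FPRS="AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"

# Read gpg status lines on stdin and print the primary-key fingerprint of
# the valid signature. In a VALIDSIG line the signing (sub)key fingerprint
# is field 3 and the primary-key fingerprint, when present, is field 12.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print ($12 != "" ? $12 : $3); found = 1; exit
         }
         END { exit !found }'
}

# Succeed only if the fingerprint in $1 is on the locally pinned list.
is_trusted() {
    for f in $TRUSTED_FPRS; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# Read gpg status output on stdin; succeed only for a pinned signer.
check_status() {
    fpr=$(signer_fpr) || return 1
    is_trusted "$fpr"
}

# verify_tag TAG: run inside a clone. git must accept the signature and
# the signer must be pinned; the server's TLS certificate plays no part.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || return 1
    printf '%s\n' "$status" | check_status
}
```

Because the decision rests on the pinned fingerprint list and not on the keyring alone, a key added to the keyring by a compromised mirror or keyserver does not make a tag pass.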


