Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

["Eugene V. Lyubimkin" <jackyf@debian.org>]

Hi,

[ please don't CC me directly ]

On 23.10.2016 17:20, Kristian Erik Hermansen wrote:
> On Sun, Oct 23, 2016 at 7:23 AM, Eugene V. Lyubimkin <jackyf@debian.org> wrote:
>> I'm a developer of a tool which downloads and validates Debian archives
>> in a similar way APT does.
>>
>> As you use the word "theoretically", that suggests that practically
>> one can bypass the validation. Could you please list all numerous ways
>> to bypass it, so we'd fix our software?
> 
> I will detail more recent issues in the future, but just to start:

Thank you for the long list of examples what could go wrong. I'm happy I don't have urgent fixes to apply.

Things you mentioned seem to fall into one of the following categories:

1) Checking chain (e.g. gpgv and its callers) have bugs. True, same as checking layer for secure transports also have bugs.

1a) If an user downloads keys not via packages, downloading may go wrong. True. If I use debian-archive-keyring, I'm fine.

2) Downloading clients have bugs. True.

3) Content of packages themselves may be unsecure if they trust some third-party HTTP hosts for downloading their own
stuff. True, but not relevant to the topic of checking package integrity.

4) If an user got one malicious key, game is over. True, but so it is if an user got one malicious repo server --
maintainer scripts from any package have root access to all of your system.


I'm not sure that benefits outweight the costs. HTTPS requires that I trust the third-parties -- mirror provider and CA.
Gpgv doesn't require third parties. To me, that makes HTTPS (even with HPKP) principally weaker than offline
medium-agnostic cryptographic content checks. Or I am wrong here, will the suggested HTTPS+HPKP+... scheme protect me
from government players?