Re: Signing Packages.gz

To: Chris Frey <cdfrey@foursquare.net>
Cc: debian-devel@lists.debian.org
Subject: Re: Signing Packages.gz
From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
Date: Sat, 1 Apr 2000 16:04:27 +0200
Message-id: <20000401160427.F309@ulysses.dhis.net>
In-reply-to: <20000328004121.R30466@foursquare.net>; from cdfrey@foursquare.net on Tue, Mar 28, 2000 at 12:41:22AM -0500
References: <20000328004121.R30466@foursquare.net>

On Tue, Mar 28, 2000 at 12:41:22AM -0500, Chris Frey wrote:
> 
> Quoting from the mailing list archives... :-)
> 
> Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> wrote:
> > On Sun, Mar 26, 2000 at 09:00:34AM +1000, Anthony Towns wrote:
> > > The whole file --- verifying each entry would take at least three minutes
> > 
> > I don't think it is useful to sign the Packages file, because:
> > 
> > > Whose key should be used? Probably a special one just for dinstall,
> > > that's kept fairly securely by the Novare and -admin folks, and revoked
> > > regularly.
> > 
> > Any such key would have to be considered insecure, no matter how soon you
> > revoke it. So the paranoid people still don't trust it, and the other don't
> > care (probably).
> 
> Can someone explain to me why any such key would have to be considered
> insecure?

If it is accesible by dinstall, it has to be stored on masyer a machine
connected to master. Hack master, and you get the secret key and you can
tamper with it the way you want.

> If we are trusting the admin folks to generate the
> Packages file itself, can't we trust them to sign it properly?

We could. However, we can make it so that we don't need to trust the at all,
only individual developers.

> Is there another avenue that I can't see where this key could be compromised?

It can not be compromised per se. However, it is subject to the same
security as master is, which is much less than it should be (read the pgp
docs to find out how a secret pgp key should be stored and used).

> And by the way, how do the paranoid people do things now?

I don't know. I am not paranoid.

> Do they compile everything from source?

This is one solution.

> The source is the only place I can find a signature at all, and this is
> the path I am currently venturing out on.

yes. However, we already have the signatues on binary packages in the
changes file. We just need to propagate it to our users.

Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server 
Marcus Brinkmann              GNU    http://www.gnu.org    for public PGP Key 
Marcus.Brinkmann@ruhr-uni-bochum.de,     marcus@gnu.org    PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/       brinkmd@debian.org

Reply to:

Prev by Date: Re: Signing Packages.gz
Next by Date: Re: ATTN: pjw@edmc.net
Previous by thread: Re: Signing Packages.gz
Next by thread: Re: Signing Packages.gz
Index(es):
- Date
- Thread