
Re: debsigs



On Tue, Mar 26, 2002 at 08:23:34PM -0500, Ben Collins wrote:
> The packages from Debian will have a unique origin sig ID (the key ID).
> The policy will be looked up using this. IOW, it will search the policies
> in:
> 
> 	/etc/debsig/policies/<debian key ID>/*.pol
> 
> For policies that can be used to verify the package. If you use a signed
> package from mozilla.org, then their origin key ID will be different, so
> it will look in:
> 
> 	/etc/debsig/policies/<mozilla key ID>/*.pol
> 
> So you see, the change is self-handled. Mozilla.org would simply have to
> provide a policy file for you to use.

I understand this much...

> Someone else cannot provide a signed package that passes the Debian
> signature policy. You cannot be forced into accepting package signatures
> of unknown origin. It has to be a voluntary thing.

But what happens if a new version of libc6 is signed by <mozilla key
ID>???

It will pass the Debian signature policy instead of the mozilla
signature policy, but does this make any difference?

Will the combination of apt-get and dpkg blindly install any packages
that have been signed by <mozilla key> even though they are obviously
nothing to do with mozilla? How can it tell?

True - you are already trusting the mozilla maintainers not to mess up
your system in the maintainer scripts, but I have some long term ideas
on how this could be solved too. eg. use of selinux. I don't think
we need to add to the problem here.

> > I have a number of ideas how this could be solved, but would be
> > interested if anybody else has thought about these issues first.
> 
> Already solved. Please read all the referenced docs.

I couldn't see anything that addresses this issue. Maybe there
are documents in addition to those in /usr/doc/debsigs/
that I haven't found?

I agree that policy should be set by Debian, because some people won't
want to do this themselves. However, I think a secure policy also needs
the input of the local administrators, who know the security requirements
of their local system.

So for instance you can say:

if (packagename equals "mozilla") {
  require policy mozilla
} else {
  require policy debian
}

So even if you get a libc6 package, and it successfully meets the
criteria for libc6, it will not get installed.

(this example is just to give you the general idea).
-- 
Brian May <bam@debian.org>
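
Added example, not part of the original message and not debsigs code: a small Python model contrasting policy selection by origin key ID alone (the lookup described in the quoted text) with the per-package-name rule sketched above. The key IDs, the rule table and all function names are constructed for illustration, and the cryptographic signature check is assumed to have been done already and is passed in as `sig_valid`.

```python
from fnmatch import fnmatchcase

# Constructed placeholder key IDs, not real keys.
DEBIAN_KEY = "DEBIAN0000000001"
MOZILLA_KEY = "MOZILLA000000002"

# Origins for which a policy directory is installed, i.e.
# /etc/debsig/policies/<key ID>/ exists on this system.
INSTALLED_POLICIES = {DEBIAN_KEY, MOZILLA_KEY}

# Hypothetical local administrator rules: first matching pattern wins.
# This mirrors the if/else sketch in the message.
LOCAL_RULES = [
    ("mozilla*", MOZILLA_KEY),
    ("*", DEBIAN_KEY),
]


def origin_only_accepts(pkg_name, origin_key, sig_valid):
    """Select the policy purely from the package's own origin key ID.

    The package name plays no part, so any installed origin can
    vouch for any package name.
    """
    return sig_valid and origin_key in INSTALLED_POLICIES


def required_origin(pkg_name, rules=LOCAL_RULES):
    """Return the origin key the local rules demand for this name."""
    for pattern, key in rules:
        if fnmatchcase(pkg_name, pattern):
            return key
    return None  # no rule matched: fail closed


def name_pinned_accepts(pkg_name, origin_key, sig_valid, rules=LOCAL_RULES):
    """Accept only if the signature is valid and comes from the origin
    that the local rules pin to this package name."""
    required = required_origin(pkg_name, rules)
    return sig_valid and required is not None and origin_key == required


if __name__ == "__main__":
    # Constructed cases: (package name, origin key that signed it).
    for name, key in [("libc6", DEBIAN_KEY), ("libc6", MOZILLA_KEY),
                      ("mozilla", MOZILLA_KEY), ("mozilla", DEBIAN_KEY)]:
        print(name, key, origin_only_accepts(name, key, True),
              name_pinned_accepts(name, key, True))
```
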

