Re: debsigs
On Tue, Mar 26, 2002 at 08:23:34PM -0500, Ben Collins wrote:
> The packages from Debian will have a unique origin sig ID (the key ID).
> The policy will be looked up using this. IOW, it will search the policies
> in:
>
> /etc/debsig/policies/<debian key ID>/*.pol
>
> For policies that can be used to verify the package. If you use a signed
> package from mozilla.org, then their origin key ID will be different, so
> it will look in:
>
> /etc/debsig/policies/<mozilla key ID>/*.pol
>
> So you see, the change is self-handled. Mozilla.org would simply have to
> provide a policy file for you to use.
I understand this much...
> Someone else cannot provide a signed package that passes the Debian
> signature policy. You cannot be forced into accepting package signatures
> of unknown origin. It has to be a voluntary thing.
But what happens if a new version of libc6 is signed by <mozilla key
ID>???
It will pass the Debian signature policy instead of the mozilla
signature policy, but does this make any difference?
Will the combination of apt-get and dpkg blindly install any packages
that have been signed by <mozilla key> even though they are obviously
nothing to do with mozilla? How can it tell?
True - you are already trusting the mozilla maintainers not to mess up
your system in the maintainer scripts, but I have some long term ideas
on how this could be solved too, e.g. use of SELinux. I don't think
we need to add to the problem here.
> > I have a number of ideas how this could be solved, but would be
> > interested if anybody else has thought about these issues first.
>
> Already solved. Please read all the referenced docs.
I couldn't see anything that addresses this issue. Maybe there
are documents in addition to those in /usr/doc/debsigs/
that I haven't found?
I agree that policy should be set by Debian, because some people won't
want to do this themselves. However, I think a secure policy also needs
the input of the local administrators, who know the security requirements
of their local system.
So for instance you can say:
    if (packagename equals "mozilla") {
        require policy mozilla
    } else {
        require policy debian
    }
So even if you get a libc6 package, and it successfully meets the
criteria for libc6, it will not get installed.
(this example is just to give you the general idea).
--
Brian May <bam@debian.org>
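The two policy-selection strategies argued about in this thread, as an added example that is not part of the original posts or of the debsig-verify code. It models the per-key-ID policy directory lookup Ben describes (origin key chooses the policy) beside the package-name-aware rule Brian sketches (the local admin says which policy each package must satisfy), and shows that a hypothetical libc6 signed with the mozilla key passes the first check and is rejected by the second. The key IDs, the `POLICY_DIRS` table (standing in for /etc/debsig/policies/<key ID>/*.pol) and the `LOCAL_POLICY` table are constructed placeholders, and no real .pol parsing is done.

```python
# Added illustration, not from the debsigs thread or from debsig-verify.
# Models "which policy applies to this signed package?" under two rules.
from dataclasses import dataclass

DEBIAN_KEY = "AAAA1111"   # constructed placeholder, not a real key ID
MOZILLA_KEY = "BBBB2222"  # constructed placeholder, not a real key ID

# Stand-in for the policy directories /etc/debsig/policies/<key ID>/*.pol:
# origin key ID -> name of the policy that directory provides.
POLICY_DIRS = {
    DEBIAN_KEY: "debian",
    MOZILLA_KEY: "mozilla",
}

# Local administrator's rule (constructed): package name -> policy the
# package must satisfy. Anything not listed must satisfy "debian".
LOCAL_POLICY = {"mozilla": "mozilla"}
DEFAULT_POLICY = "debian"


@dataclass(frozen=True)
class SignedPackage:
    name: str        # package name, e.g. "libc6"
    origin_key: str  # key ID that made the origin signature


def policy_by_origin(pkg: SignedPackage):
    """Key-ID-only lookup: the origin signature selects the policy directory.
    Returns None when no policy directory exists for that key."""
    return POLICY_DIRS.get(pkg.origin_key)


def policy_required_for(pkg: SignedPackage) -> str:
    """Package-name-aware rule: the admin's table says which policy applies."""
    return LOCAL_POLICY.get(pkg.name, DEFAULT_POLICY)


def verify_origin_only(pkg: SignedPackage) -> bool:
    """Accept whenever some installed policy matches the signing key,
    regardless of what the package claims to be."""
    return policy_by_origin(pkg) is not None


def verify_package_aware(pkg: SignedPackage) -> bool:
    """Accept only if the policy selected by the origin key is the one
    the local admin requires for this package name."""
    return policy_by_origin(pkg) == policy_required_for(pkg)


def evaluate(pkg: SignedPackage) -> dict:
    """Run both rules and report the outcome for one package."""
    return {
        "package": pkg.name,
        "origin_policy": policy_by_origin(pkg),
        "required_policy": policy_required_for(pkg),
        "origin_only": verify_origin_only(pkg),
        "package_aware": verify_package_aware(pkg),
    }


if __name__ == "__main__":
    # Constructed sample packages covering the cases raised in the thread.
    samples = [
        SignedPackage("mozilla", MOZILLA_KEY),  # expected: both rules accept
        SignedPackage("libc6", DEBIAN_KEY),     # expected: both rules accept
        SignedPackage("libc6", MOZILLA_KEY),    # the worrying case from the thread
        SignedPackage("libc6", "CCCC3333"),     # unknown key: neither accepts
    ]
    for s in samples:
        print(evaluate(s))
```

Under the key-only rule a libc6 signed with the mozilla key is accepted simply because a mozilla policy directory is installed; the package-aware rule rejects it because the admin's table requires the debian policy for anything not named mozilla.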