
Re: dpkg-sig support wanted?
On Thu, Nov 24, 2005 at 07:47:58PM +0100, Goswin von Brederlow wrote:
> Anthony Towns <aj@azure.humbug.org.au> writes:
> > On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
> >> Use 1: I have this deb in my apt-move mirror and I want to know if it
> >>        was compromised on yesterday's break-in
> >>   Boot a clean system with debian keyring and check all deb
> >>   signatures.
> > Find some don't pass because they were signed with keys that have been
> > removed from the keyring.
> Those I remove and refetch from a clean source again. False negatives
> are no big deal. 99% of the debs will verify leaving only a
> manageable amount of work behind.

The "clean" source that's signed by the same key that you can't verify?

> >> Use 3: The debian servers were compromised and the security team takes
> >>        too long to check the archive for my taste
> >>   Being a normal user I obviously have no mail archive of all the
> >>   old changes files laying around so that road is closed. But everyone
> >>   has a Debian stable CD with keyring. See Use 1.
> > And see why it doesn't work. Not to mention keys added since stable
> > released, and packages uploaded by those maintainers.
> > More than just keys removed from the keyring, there's the issue of keys
> > being compromised -- it's not even unknown for developers to post secret
> > keys to mailing lists -- the issue that a package that's once been in the
> Compromised keys are compromised keys. 

Compromised keys are not, however, compromised debs.

> Ah, I see the light.
> Signatures are useless because packages have no signatures.

That's a transitional problem, yes. In this case it's a severe one,
since there are up to 150GB worth of .debs. It's a problem that could be
solved if it were worthwhile, but it's not worthwhile since .changes
already do everything deb sigs could do without any transition issues,
and it's not something that can be simply ignored.

Cheers,
aj
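The "Use 1" procedure argued over above (verify every .deb in a mirror against a clean keyring, then sort the failures) is where the thread's disagreement actually bites: a signature that fails because the key was removed from the keyring is not the same finding as a signature that fails because the file was altered. The script below is an added example written for this page, not code from dpkg-sig, Debian, or either poster. It assumes dpkg-sig's --verify output starts status lines with the gpg-style words GOODSIG, BADSIG, UNKNOWNSIG or NOSIG (an assumption; only the first word of each line is inspected, so extra fields do not matter), and the sample outputs and package names are constructed for the example. It reduces each package's output to one verdict and groups packages by the action a mirror operator would take; the "refetch" bucket carries the caveat aj raises, that a replacement only helps if its signature can be checked with a key that is still in the keyring.

```python
"""Triage dpkg-sig --verify results over a mirror of .deb files.

Added example (not part of the original thread). The status words and the
sample outputs below are assumptions/constructed data, not real dpkg-sig runs.
"""
import os
import re
import subprocess
from collections import defaultdict
from pathlib import Path

# Assumed: dpkg-sig --verify emits gpg-style status words at line start.
STATUS_RE = re.compile(r"^(GOODSIG|BADSIG|UNKNOWNSIG|NOSIG)\b")

# One verdict per package, mapped to what the mirror operator does with it.
ACTION = {
    "ok": "keep",                 # verified against the clean keyring
    "bad": "remove",              # signature present but does not match: tampered or corrupt
    "unknown-key": "refetch",     # cannot be checked with this keyring (key removed/rotated)
    "unsigned": "refetch",        # no signature at all (pre-transition package)
}


def classify(output: str) -> str:
    """Reduce one package's verify output to ok / bad / unknown-key / unsigned.

    A .deb may carry several signatures (builder, maintainer, archive).
    Any BADSIG is treated as tampering regardless of the others; otherwise
    one GOODSIG is enough; UNKNOWNSIG alone means "unverifiable here",
    which is the false negative discussed in the thread, not proof of compromise.
    """
    statuses = []
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            statuses.append(m.group(1))
    if "BADSIG" in statuses:
        return "bad"
    if "GOODSIG" in statuses:
        return "ok"
    if "UNKNOWNSIG" in statuses:
        return "unknown-key"
    return "unsigned"


def triage(outputs: dict) -> dict:
    """Group package paths by action. outputs maps path -> dpkg-sig output text.

    Note for the 'refetch' bucket: refetching from a source whose own
    signature is made with the same unverifiable key gains nothing; only a
    replacement that verifies against a key still in the keyring moves the
    package to 'keep'.
    """
    buckets = defaultdict(list)
    for path, out in outputs.items():
        buckets[ACTION[classify(out)]].append(path)
    return {action: sorted(paths) for action, paths in buckets.items()}


def verify_with_dpkg_sig(deb: Path, gnupghome: str) -> str:
    """Run dpkg-sig --verify on one file with GNUPGHOME pointed at the clean keyring.

    Not exercised by the sample below; requires dpkg-sig and a prepared GNUPGHOME.
    """
    env = dict(os.environ, GNUPGHOME=gnupghome)
    proc = subprocess.run(["dpkg-sig", "--verify", str(deb)],
                          capture_output=True, text=True, env=env)
    return proc.stdout + proc.stderr


def scan_mirror(root: str, gnupghome: str) -> dict:
    """Verify every .deb under root and return the triage report."""
    outputs = {str(p): verify_with_dpkg_sig(p, gnupghome)
               for p in Path(root).rglob("*.deb")}
    return triage(outputs)


# Constructed sample outputs standing in for four packages on a mirror.
SAMPLE_OUTPUTS = {
    "pool/main/a/alpha/alpha_1.0-1_i386.deb":
        "Processing alpha_1.0-1_i386.deb...\n"
        "GOODSIG _gpgbuilder 0123456789ABCDEF0123456789ABCDEF01234567 1132782478\n",
    "pool/main/b/beta/beta_2.3-4_i386.deb":
        "Processing beta_2.3-4_i386.deb...\nBADSIG _gpgbuilder\n",
    "pool/main/g/gamma/gamma_0.9-2_all.deb":
        "Processing gamma_0.9-2_all.deb...\nUNKNOWNSIG _gpgbuilder 89ABCDEF01234567\n",
    "pool/main/d/delta/delta_0.1-1_all.deb":
        "Processing delta_0.1-1_all.deb...\nNOSIG\n",
}

if __name__ == "__main__":
    for action, paths in triage(SAMPLE_OUTPUTS).items():
        print(action, paths)
```

Only the "remove" bucket is evidence of tampering; the "refetch" bucket is the work Goswin calls manageable and the part aj says does not shrink by refetching, because the replacement arrives signed by the same key the clean keyring no longer contains.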
