Re: bits from the release team

To: Pierre Habouzit <madcoder@debian.org>
Cc: debian-devel@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: bits from the release team
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Wed, 10 May 2006 11:05:03 +0200
Message-id: <[🔎] 87y7xafdxc.fsf@informatik.uni-tuebingen.de>
In-reply-to: <[🔎] 200605051856.21976.madcoder@debian.org> (Pierre Habouzit's message of "Fri, 5 May 2006 18:56:21 +0200")
References: <20060502203633.GR9262@mails.so.argh.org> <[🔎] 20060505070425.GB13291@capsaicin.mamane.lu> <[🔎] 87irokv2yo.fsf@mid.deneb.enyo.de> <[🔎] 200605051856.21976.madcoder@debian.org>

Pierre Habouzit <madcoder@debian.org> writes:

> Le Ven 5 Mai 2006 18:41, Florian Weimer a Ã©crit :
>> * Lionel Elie Mamane:
>> > Why can't we have a master key that signs the yearly keys? After
>> > all, we have a long-term unique X.509 master key, so what's the
>> > difference with OpenPGP?
>>
>> End users are typically not exposed to the X.509 keys, which makes
>> things a lot easier.
>>
>> By the way, if you've got a master key, you need to plan for key
>> rollover, too.  Why not apply that procedure directly to the keys
>> used to sign the release files?  A yearly key change just results in
>> unnecessary administrative overhead for our users, without providing
>> any real benefit to them.  A key compromise still needs manual
>> intervention.
>>
>> At the very least, if we have to keep that yearly key change for
>> political reasons, please schedule it in a way that it doesn't happen
>> in January.
>
> Proposal 1:
>
>   a possible way would be to have two valid keys at any time. like one
>   new key per year (or 6 month like you want) with a validity of 2 years
>   (resp. one year).
>
>   that would obviously mean two signatures per package (but I don't
>   think that's that much work) and would require the user to update
>   their "keyring package" only once every year (or 6 month), which looks
>   like a quite reasonnable trade-off. Even stable updates can use that
>   scheme, since it's released more than once a year.

Except that apt-get fails if any of the signatures are unknown or
expired. So you still need both keys and not just one of them as you
intent.

> Proposal 2:
>
>   the package that holds the public signature key has to contain every
>   single emited key, and be signed with any anterior one. Meaning that
>   the upgrade for any user would be smooth.
>
>   I don't think that having a kludge in dpkg that forces the upgrade of
>   that package ASAP would be hard or dangerous to implement, so that
>   even a non aware user could just "apt-get update" without having read
>   the release notes.
>
>   This is simpler, but less secure than the Proposal 1.

Not applicable to non debian repositories or easily exploitable to
work on any package.

> Proposal ...:
>
>   there is a lot of such ideas IMHO, one just has to think 10 minutes to
>   imagine a couple of ones.
>
>
> IMHO, changing the key every year at any date is not problematic at all, 
> because there is plenty of solution to do smooth replacement of the 
> key.

Do you see any drawbacks with my proposal of having Release.key next
to each Releas.gpg or do you have a better idea that will work for
every apt-getable archive?

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: bits from the release team
  - From: Pierre Habouzit <madcoder@debian.org>
- Re: bits from the release team
  - From: Joey Hess <joeyh@debian.org>
- Re: bits from the release team
  - From: Michael Vogt <mvo@debian.org>

References:
- Re: bits from the release team
  - From: Lionel Elie Mamane <lionel@mamane.lu>
- Re: bits from the release team
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: bits from the release team
  - From: Pierre Habouzit <madcoder@debian.org>

Prev by Date: multiarch status update
Next by Date: Re: APT key maintainence
Previous by thread: Re: APT key maintainence
Next by thread: Re: bits from the release team
Index(es):
- Date
- Thread