Re: Bits from the CD team: plans for debian-cd v3.0
Charles Steinkuehler <firstname.lastname@example.org> writes:
> Steve McIntyre wrote:
> | On Fri, Jul 15, 2005 at 10:41:22AM +1200, Philip Charles wrote:
> |>On Thu, 14 Jul 2005, Steve McIntyre wrote:
> |>> Yes, this is a thorny area. I'm a little concerned - if we've gone to
> |>> all the effort of adding signatures to the main archive, then it does
> |>> seem to be ducking the problem to just trust all CDs. Allowing CDDs
> |>> and redistributors to add new signatures as well should boost the
> |>> security of the whole chain to the end user, too.
> |>> Maybe I'm being paranoid, but it wouldn't be too hard to get a lot of
> |>> users to blindly install bad packages (e.g. from a trojanned cover
> |>> disc).
> |>There was a similar argument some years back. On one side there was
> |>customizable CDs, the other a rock solid security chain. What emerged
> |>from the discussion was that a surprising number of people produced their
> |>own disc sets for a variety of reasons. So customisable disc sets won
> |>out. I would imagine that this would still be the situation today.
> | People were a little less worried about security then, and the normal
> | Debian base system did not support the security stuff we now have. I'd
> | be curious to see if the balance of opinion has shifted the other way
> | by now.
> Um...maybe I'm dense, but everyone seems to be talking like there would only
> be one trusted key (apparently compiled into apt) which is what makes custom
> CDs a problem.
> What's wrong with having a configurable set of trusted keys? Then users
> could choose to trust official debian CDs/packages, stuff from their
> favorite back-ports website, or whatever.
Actually I would suggest creating a 'Release.key' file for every
Release.gpg that contains the current gpg key and possibly revocation
certificates for compromised keys.
When a new key is found in Release.key by apt-get update the
signatures of the key should be verified and shown and the user
prompted if he trusts the key (or the key just gets accepted if it has
enough trusted signatures).
There could also be a simple script to make a CD secure again after
customizing it, e.g. debian-cd-sign [<key id>] that creates the
Release.gpg and Release.key files.