[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg vendor (Re: Debian derivatives census: hLinux: welcome!)

On Wed, May 06, 2015 at 09:30:32PM +0800, Paul Wise wrote:
> On Wed, May 6, 2015 at 8:46 PM, Patrick Schleizer wrote:
> > "apt-get source package" will show "dpkg-source: warning: failed to
> > verify signature"
> >
> > https://www.whonix.org/wiki/Download#.22apt-get_source_package.22_will_show_.22dpkg-source:_warning:_failed_to_verify_signature.22
> I still think that is a bug that should be filed, apt should be using
> the trusted keyring for verifying source packages, vendor information
> should not be involved at all.

dpkg-source involves vendor information as the dsc files it is checking
the signature for isn't signed by a key known to apt (at least in the
general case), but the currently used key of the uploader of said
package. Debian provides the large debian-keyring package and dpkg is
looking for it to do its bidding (see also dpkg-source manpage), but
that isn't failsafe from an apt perspective: The keys used to sign this
dsc file could be expired in the meantime, the uploader no longer in the
keyring (ressigned DD/DM) or not yet (new DD/DM) or not with this key.

Neither is a problem for 'apt-get source' as it establishes a trustchain
where the repository creator checked the dsc file. It is an additional
check if it can be done and can't hurt (well, it can scare people if one
of the cases mentioned above happens or with this warning), but its also
scaring me to disable such checks with '--no-check' by default as
someone will probably scream at me for doing it when the next security
bug is found. I am a bit undecided at the moment…

Btw: If you happen to have a package similar to debian-keyring
containing the keys of your developers, you could ask dpkg to support
it. The scripts/Dpkg/Vendor/ directory in dpkg sources is pretty sparsly
populated at the moment… (I am not a dpkg dev through, so I can't help
with that, best to ask them).

Oh, and only slightly related: APT has a vendor/ directory as well:

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature

Reply to: