
Re: dpkg vendor (Re: Debian derivatives census: hLinux: welcome!)



Hi!

On Thu, 2015-05-07 at 13:19:35 +0200, David Kalnischkies wrote:
> On Wed, May 06, 2015 at 09:30:32PM +0800, Paul Wise wrote:
> > On Wed, May 6, 2015 at 8:46 PM, Patrick Schleizer wrote:
> > 
> > > "apt-get source package" will show "dpkg-source: warning: failed to
> > > verify signature"
> > >
> > > https://www.whonix.org/wiki/Download#.22apt-get_source_package.22_will_show_.22dpkg-source:_warning:_failed_to_verify_signature.22
> > 
> > I still think that is a bug that should be filed, apt should be using
> > the trusted keyring for verifying source packages, vendor information
> > should not be involved at all.
> 
> dpkg-source involves vendor information as the dsc files it is checking
> the signature for aren't signed by a key known to apt (at least in the
> general case), but by the currently used key of the uploader of said
> package. Debian provides the large debian-keyring package and dpkg is
> looking for it to do its bidding (see also the dpkg-source manpage), but
> that isn't failsafe from an apt perspective: The key used to sign this
> dsc file could have expired in the meantime, the uploader could no longer
> be in the keyring (resigned DD/DM), not yet be in it (new DD/DM), or not
> with this key.
> 
> Neither is a problem for 'apt-get source' as it establishes a trust chain
> where the repository creator checked the dsc file. It is an additional
> check if it can be done and can't hurt (well, it can scare people if one
> of the cases mentioned above happens or with this warning), but it's also
> scaring me to disable such checks with '--no-check' by default as
> someone will probably scream at me for doing it when the next security
> bug is found. I am a bit undecided at the moment…

I think having a check that might fail in many situations is way worse
than not having that check at all. Because it either trains users to
ignore the warning, or unnecessarily triggers many alarms.

I think a good compromise would be to tell dpkg-source to check
signatures *iff* the repository is not signed.

> Btw: If you happen to have a package similar to debian-keyring
> containing the keys of your developers, you could ask dpkg to support
> it. The scripts/Dpkg/Vendor/ directory in dpkg sources is pretty sparsely
> populated at the moment… (I am not a dpkg dev though, so I can't help
> with that, best to ask them).

If the new module is to be added just for the keyring, I'd rather add
generic support. For example to always try to load something like
«/usr/share/keyrings/vendor-keyring.gpg» (or perhaps
«/usr/share/keyrings/vendor-archive-keyring.gpg») if available.

Thanks,
Guillem
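The keyring selection David describes and the "load the vendor keyring if available" fallback Guillem proposes, written out as an added shell example (this is not dpkg's own code). Assumptions: the candidate keyring paths follow what dpkg-source is described as consulting (~/.gnupg/trustedkeys.gpg plus the Debian keyrings) with the «/usr/share/keyrings/vendor-keyring.gpg» name taken from the proposal above; the root-prefix argument, the function names and the "repo-signed" switch are conveniences of this example, not dpkg options:

```shell
#!/bin/sh
# Added example, not dpkg's code: pick the keyrings that exist, hand them to
# gpgv, and skip the check when apt's archive signature already covers the
# dsc (the compromise suggested in the thread).

# Candidate keyrings, in lookup order.  $1 is an optional root prefix so the
# logic can be exercised against a scratch tree (assumption: dpkg itself has
# no such prefix; the first three paths are the ones dpkg-source is described
# as consulting, the last is the proposed generic vendor keyring).
dsc_candidate_keyrings() {
    root=${1:-}
    printf '%s\n' \
        "$root${HOME:-/nonexistent}/.gnupg/trustedkeys.gpg" \
        "$root/usr/share/keyrings/debian-keyring.gpg" \
        "$root/usr/share/keyrings/debian-maintainers.gpg" \
        "$root/usr/share/keyrings/vendor-keyring.gpg"
}

# Keep only the keyrings that are actually readable and emit them as
# "--keyring PATH" argument pairs for gpgv, one word per line.  Missing
# keyrings are skipped silently: that is the "if available" part.
dsc_keyring_args() {
    dsc_candidate_keyrings "$1" | while IFS= read -r k; do
        if [ -r "$k" ]; then
            printf -- '--keyring\n%s\n' "$k"
        fi
    done
    return 0
}

# Number of usable keyrings.  With zero of them gpgv can only ever report
# "no public key", which is the spurious warning the thread worries about.
dsc_keyring_count() {
    dsc_keyring_args "$1" | awk '/^--keyring$/ { n++ } END { print n + 0 }'
}

# Verify FILE.dsc.  Usage: dsc_verify FILE.dsc [repo-signed=yes|no] [root]
# Exit status: 0 verified or skipped, 2 no keyring to check against,
# otherwise gpgv's own status (bad or missing signature).
dsc_verify() {
    dsc=$1
    repo_signed=${2:-no}
    root=${3:-}
    if [ "$repo_signed" = yes ]; then
        # apt already verified the Release/Sources chain; the uploader key
        # check adds nothing and may fail for the reasons listed above.
        echo "skip: archive signature already verified by apt"
        return 0
    fi
    if [ "$(dsc_keyring_count "$root")" -eq 0 ]; then
        echo "unverified: no keyring available to check $dsc"
        return 2
    fi
    # Word splitting of the argument list is intended (one word per line).
    # shellcheck disable=SC2046
    gpgv $(dsc_keyring_args "$root") "$dsc"
}
```

Running `dsc_verify pkg_1.0-1.dsc no` on a host without debian-keyring installed reports "unverified" with status 2 instead of letting gpgv print a key-not-found warning, so the caller can tell "could not check" apart from "signature is bad".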

