Re: Proposal regarding Bruce's proposal.

On Tue, 18 Feb 1997, Ian Jackson wrote:

> Vincent Renardias:
> > Regarding Bruce's proposal of having upstream maintainer signing their 
> > packages, here's a first proposal:
> > It doesn't cover completely the problem, but I think it's a necessary 
> > first step.

> Unfortunately, security protocol design (which is what you are doing)
> is seriously non-trivial.

It's NOT a security protocol. (see below)

> I'm sorry to say that your proposal has serious flaws; for example, it
> makes no provision for checking the integrity of the upstream
> maintainer's public key.

I don't think this is a flaw, since my proposal does not address security 
at all. I just proposed a way to store in a convenient place the name of 
the upstream developer in the source package for practical reasons 
(Looking into /usr/doc/PKG/copyright is not that practical).

By now it will be useful to maintainers only (see the full proposal text 
for details), and later can be used by the crypto-security stuff.

And even if it's not used by your crypto. system, adding 2 lines of 
comment in a control file can't hurt much.

> I strongly suggest that you leave this kind of thing to someone with
> more experience of such things.  Crypto and security stuff is _very_
> easy to get wrong in a way that's not obvious - after all, if you
> write an ordinary bug in your code users will complain, but no one
> complains about security problems until the horse has bolted.

You're right, you're the only smart person here.
Sorry for trying to think on my own. Just submit your proposal, and I'll 
agree blindly. _(;

