Re: If Debian wants to grow, let it grow. Or: King James reading Anarchy FAQ

To: debian-devel@lists.debian.org
Subject: Re: If Debian wants to grow, let it grow. Or: King James reading Anarchy FAQ
From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
Date: Sun, 21 Mar 1999 22:24:02 +0100
Message-id: <[🔎] 19990321222402.J297@ruhr-uni-bochum.de>
In-reply-to: <[🔎] 19990321022937.E25089@cs.leidenuniv.nl>; from Wichert Akkerman on Sun, Mar 21, 1999 at 02:29:37AM +0100
References: <[🔎] 19990319221656.G217@ruhr-uni-bochum.de> <[🔎] 19990321022937.E25089@cs.leidenuniv.nl>

On Sun, Mar 21, 1999 at 02:29:37AM +0100, Wichert Akkerman wrote:
> Previously Marcus Brinkmann wrote:
> > * Make sure that every *.deb package carries an "Origin:" field! This is so
> >   obvious, and was proposed so many times.
> 
> But nobody did it using the correct procedure on debian-policy. If
> suggest you do that so this becomes official?

Unfortunately, this involves making myself familiar with more dpkg internals
(how those fields are processed etc), and how this origin field can be
established in a verificable way. I hope some people will approach me who
are interested in this, or can help in any way...

> > * Make sure all building tools can use and understand the Origin field.
> >   Make dpkg complain if the origin field is missing or broken. Make sure it
> >   warns if someone tries to install a non-verificable package or a non-Debian
> >   package.
> 
> And there we have a bit of a problem: we would need to have gpg support
> inside dpkg and a method to collect public keys to verify the origin.

Not necessarily. The first test is certainly a simple string comparison.
THis does not give security, but as long as you can trust your source, it
provides a very easy and fast verification. (people who spoof a Debian
origin field should be hung head over on the next tree, of course :)

dpkg would not need gpg support, but an external script (dpkg-verification)
would need to know about gpg/pgp of course. The hard part would be the
public key. It would be cool, but troublesome, to have only one key for all
Debian packages to verify against. Unfortunately, there is no way to keep
this key really safe. At least all administrators of master.debian.org would
need to have access to it, as well as dinstall (or similar).

The secure alternative would be to pass on the key of the Debian developers, which
involves the use of debian-keyring.deb.

Maybe a mix of these suggestions or other could provide alternative levels
of verfification to the user.

> > Comments?
> 
> Excellent stuff. Try making it happen..

I will not forget about it, but don't hold your breath either... I hope Ian
or Klee or some other dpkg developer can keep this in mind, too.

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org   finger brinkmd@ 
Marcus Brinkmann              GNU    http://www.gnu.org     master.debian.org
Marcus.Brinkmann@ruhr-uni-bochum.de                        for public  PGP Key
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/       PGP Key ID 36E7CD09

Reply to:

Follow-Ups:
- Re: If Debian wants to grow, let it grow. Or: King James reading Anarchy FAQ
  - From: Wichert Akkerman <wichert@cs.leidenuniv.nl>

References:
- If Debian wants to grow, let it grow. Or: King James reading Anarchy FAQ
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
- Re: If Debian wants to grow, let it grow. Or: King James reading Anarchy FAQ
  - From: Wichert Akkerman <wichert@cs.leidenuniv.nl>

Prev by Date: Re: Slink to potato upgrade
Next by Date: Re: more aesthetic /etc/issue
Previous by thread: Re: If Debian wants to grow, let it grow. Or: King James reading Anarchy FAQ
Next by thread: Re: If Debian wants to grow, let it grow. Or: King James reading Anarchy FAQ
Index(es):
- Date
- Thread