
Re: .deb integrity check



On Thu, Jun 10, 1999 at 02:27:40AM -0700, Joey Hess wrote:

> - If a third party (non-developer) wants to make a CD with a subset of the
>   packages in Debian, they have to make a custom Packages file for it. So
>   they can't use the signed Packages file. Since they aren't on the keyring,
>   they can't usefully sign the new file. Compare with individually signed
>   packages where they could copy in any set of packages and users could
>   check their signatures.
> 
> > 1. What happens in the case a package is signed by someone who is not
> > the maintainer? Would this be allowed?
> 
> Signature checking could (probably should) be an option. If the package is
> signed by someone not in your keyring, dpkg would continue as normal unless
> you had told it to only accept known keys. At least, that's how rpm does it..

IMHO, individual packages should be signed (or md5sums, whatever) by the
maintainer.  The maintainer should include their public key with the package,
and that public key should be signed by an official Debian key, thus
verifying that the key is in fact authentic.  Dpkg shouldn't deal with
authentication, rather apt, or dselect (urg!) - the transport - should check -
because it's at this point that most packages are downloaded without knowing
their authenticity.

Have a keyring somewhere with the Debian key on it, and allow sysadmins to add
trusted keys, which work in the same manner.

How apt/other deals with keys without sigs should be up to the sysadmin to
define - perhaps on a per-repository basis.

- Rob.

-- 
------------------------------------
 Robert Thomson -- Just call me Sir  -=|   UNIX is user friendly.  |=-
  c9805651@alinga.newcastle.edu.au   -=| It's just selective about |=-
        I prefer GNU/Linux	     -=|    who its friends are.   |=-
------------------------------------
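
The check proposed in this message, as an added example that is not part of the original post and is not dpkg or apt code: the package carries the maintainer's key, that key is certified by a keyring key, and a per-repository policy decides what happens to uncertified keys. Textbook RSA without padding stands in for real OpenPGP signatures, and check_package, build, uncertified_policy and all keys and package contents are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Textbook RSA key from two primes, returned as (n, d). Toy only: no padding."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    n, d = key
    return pow(_digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == _digest(data, n)

def pub_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def check_package(pkg, keyring, uncertified_policy):
    """Transport-side decision (hypothetical helper).
    pkg: 'data', 'sig', 'maint_pub' (bundled maintainer modulus) and 'cert'
    (a signature over that modulus). keyring: set of trusted moduli.
    uncertified_policy: per-repository 'accept' or 'reject'."""
    n = pkg["maint_pub"]
    if not verify(pkg["data"], pkg["sig"], n):
        return "reject"  # contents do not match the maintainer signature
    # The bundled key proves nothing by itself: it counts only if a keyring
    # key certified it, or if the sysadmin added it to the keyring directly.
    certified = n in keyring or any(
        verify(pub_bytes(n), pkg["cert"], anchor) for anchor in keyring)
    return "accept" if certified else uncertified_policy

# Constructed sample keys (built from Mersenne primes) and packages.
DEBIAN = make_key(2**127 - 1, 2**89 - 1)
MAINT = make_key(2**107 - 1, 2**61 - 1)
ROGUE = make_key(2**521 - 1, 2**607 - 1)
KEYRING = {DEBIAN[0]}

def build(data, key, certifier):
    """Assemble a constructed package signed by key, whose key is certified by certifier."""
    return {"data": data, "sig": sign(data, key), "maint_pub": key[0],
            "cert": sign(pub_bytes(key[0]), certifier)}

GOOD = build(b"hello_1.0.deb contents", MAINT, DEBIAN)
TAMPERED = dict(GOOD, data=b"hello_1.0.deb contents + backdoor")
SELF_KEYED = build(b"evil_1.0.deb contents", ROGUE, ROGUE)  # key certifies itself
```

SELF_KEYED is the case that matters: its signature verifies against the key shipped inside it, so only the certification check and the repository policy stand between it and installation.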

