
Re: Official Debian digital 'branding' of debs

On Sun, 20 Jun 1999 Manoj Srivastava wrote:
>         Having a single key does indeed create a single point of
>  failure, but this is a known fact, and we can expend significant
>  effort to maintain the integrity of the single key (never put on a
>  networked computer, only used for signing the debian keyring, etc). 
Is GPG stable enough to use for it? I think that signing binary packages should
get into the policy (does anybody know something about the discussions on
debian-policy concerning that?).
>         If we have a single key, and it is ever compromised, it shall
>  be major news, and people would be informed of the compromise a lot
>  easier. We then just distribute the new key, which may be signed by a
>  number of developers (lotsa phone calls to get that done).
There would be work to do, but I do not think that it could compromise the
whole security system. Maybe apt could check for the "one and only" public key
before downloading new packages from the official distribution. When there is
no key (it has been removed because it has been compromised), then simply do
not download new packages since there is a new key.
There is still the problem of checking if the key is there. How could we
prevent tampering with the check mechanism? Maybe the downloaded "official"
public key must be signed by at least 10 developers, whose keys are in
the debian-keyring package.


Rene Mayrhofer, ViaNova KEG             NIC-HDL: RM1677-RIPE
Email: rmayr@vianova.at                 Snail: Penz 217, A-4441 Behamberg

PGP(DSS): E661 2E45 9B7F B239 D422  0A90 A4C2 DA09 F72F 6EC5
PGP(D/H): B77F 51A8 B046 87A6 4D61  2C5D 742F F433 6732 E4DC
PGP(RSA): 5D D4 FD A6 CE AF 4B 82  67 7F 59 89 58 CA 61 0D
GPG:      5E50 BDA0 E0B7 75A7 08AA  1123 0A4C 9474 CAA2 658B
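The check Rene sketches above (apt trusts the "one and only" archive key only when it carries certifications from at least 10 developers whose keys are in debian-keyring, and refuses to download anything once that key is missing or revoked), as an added example written for this archive page; it is not code from the thread or from Debian's tools. It assumes a minimal model: HMAC-SHA256 stands in for OpenPGP certification signatures because the Python standard library has no asymmetric signing, fingerprints are SHA-256 hashes of the key material, and every developer name and key blob is constructed. The acceptance logic is the point, in particular that a signer only counts once and only if it is in the keyring.

```python
"""Threshold trust check for an archive signing key.

Models the policy from the mail: the archive key is accepted only if at
least THRESHOLD distinct developers from the keyring certify it, and a
missing or revoked key means no downloads. HMAC-SHA256 stands in for
OpenPGP certification signatures (assumption: the stdlib cannot do
asymmetric signing). All names, keys and fingerprints are constructed.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple

THRESHOLD = 10  # minimum distinct keyring members certifying the archive key


def fingerprint(pubkey: bytes) -> str:
    """Identify a key by a hash of its material (SHA-256 here; OpenPGP v4 uses SHA-1)."""
    return hashlib.sha256(pubkey).hexdigest().upper()


def make_developer_key(name: str) -> Tuple[str, bytes]:
    """Constructed developer key; the secret is derived from the name for reproducibility."""
    secret = hashlib.sha256(b"constructed-developer-key:" + name.encode()).digest()
    return fingerprint(secret), secret


def certify(signer_fpr: str, signer_secret: bytes, archive_pubkey: bytes) -> Tuple[str, bytes]:
    """A developer certifies the archive key; returns (signer fingerprint, signature)."""
    sig = hmac.new(signer_secret, archive_pubkey, hashlib.sha256).digest()
    return signer_fpr, sig


def build_keyring(names: Iterable[str]) -> Dict[str, bytes]:
    """Constructed stand-in for the debian-keyring package: fingerprint -> key."""
    return dict(make_developer_key(n) for n in names)


def check_archive_key(
    archive_pubkey: Optional[bytes],
    certifications: Iterable[Tuple[str, bytes]],
    keyring: Dict[str, bytes],
    revoked: Iterable[str] = (),
    threshold: int = THRESHOLD,
) -> Tuple[bool, str]:
    """Decide whether apt may download from the archive.

    Returns (accepted, reason). Only certifications that verify against a key
    in the keyring count, and each signer counts once however many times it
    signed, so one developer key cannot inflate the tally on its own.
    """
    if archive_pubkey is None:
        return False, "no archive key installed: refusing to download packages"
    if fingerprint(archive_pubkey) in set(revoked):
        return False, "archive key is revoked: refusing to download packages"

    valid_signers = set()
    for signer_fpr, sig in certifications:
        secret = keyring.get(signer_fpr)
        if secret is None:
            continue  # signer is not in debian-keyring: the certification is ignored
        expected = hmac.new(secret, archive_pubkey, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            valid_signers.add(signer_fpr)

    if len(valid_signers) < threshold:
        return False, f"only {len(valid_signers)} of {threshold} required keyring certifications verify"
    return True, f"archive key accepted with {len(valid_signers)} keyring certifications"


if __name__ == "__main__":
    keyring = build_keyring(f"dev{i}" for i in range(12))
    archive_key = b"constructed archive signing key material"
    certs = [certify(f, s, archive_key) for f, s in list(keyring.items())[:10]]
    print(check_archive_key(archive_key, certs, keyring))
```

Revocation is modelled as a fingerprint list because the mail's scenario is "the key has been removed because it has been compromised"; in a real deployment that list would itself have to come from somewhere the attacker cannot edit, which is exactly the tampering problem the mail leaves open.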
