[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Official Debian digital 'branding' of debs

Hash: SHA1

My $0.02 ...

Split the problem into two pieces, as Manoj suggested:

1: debs are signed by their developers. The signature needs to be inside the
   .deb file, not in an external list or Packages or changes file (an extra
   foo.sig member of the ar archive for each current member makes sense to
   me). The .deb you install might have come off an official CD, been
   downloaded from a mirror, or copied third hand off a floppy that your
   cousin's fishing buddy's plumber found under a dumpster in a dark alley one
   evening.. all with identical validity. End-to-end authentication, not

2: The .deb is "official" if it is signed by the key of a current developer in
   good standing. Determining *that* is left as a (contentious) exercise for
   the reader. (but note that it is much more of a policy thing than a
   technical thing).

   Some observations, though: having a master key sign all the developers keys
   is bad; it doesn't scale and is hard to revoke. Besides, signature on keys
   should mean faith in the name-key binding, not faith in the name-being-a-
   current-debian-developer binding. Having all the "official" keys in a
   single keyring (which is authenticated or blessed through some other
   mechanism) might work, GPG lets you specify arbitrary sets of keyrings, you
   could use only /usr/share/keyrings/debian-keyring.gpg while verifying a
   .deb. Perhaps that keyring ought to be signed by the "master" key, with a
   detached signature that is a part of the debian-keyring package. Whenever a
   new version is produced it is the Leader's responsibility to review the
   list of keys against the list of developers and then decide to sign the
   keyring (assuming the Project Leader is the holder of the "master" key). A
   separate tool, included with the keyring package, could be run periodically
   to a: verify the signature on the keyring, and b: check www.debian.org to
   see if the master key has changed, asking the user to verify the change and
   do something to update the checking-key if so. Ok, probably in the opposite

   This implies that the developer of the debian-keyring package must be a
   previously-valid developer. A brand new developer taking over that job
   (starting with the version that included their own key) would break the
   trust chain.

Also, I'm afraid that I see autobuilders fundamentally at odds with signed
packages. The only person who can take responsibility for the contents of a
.deb is the developer, and if they aren't there while the package is being
compiled then they can't honestly take responsibility for what goes into it.
We could have an autobuilder signature (with all the accompanying key
compromise risks), but it would have far less meaning than a human claiming
that they had reviewed the package and believed it to be free of tampering.

Just wanted to throw that into the discussion..

 -Brian  [not yet a developer, feel free to ignore me]

     (wondering why all his .debs smell of stale pizza..)

Version: GnuPG v0.9.7 (GNU/Linux)
Comment: For info see http://www.gnupg.org


Reply to: