Re: Official Debian digital 'branding' of debs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
My $0.02 ...
Split the problem into two pieces, as Manoj suggested:
1: debs are signed by their developers. The signature needs to be inside the
.deb file, not in an external list or Packages or changes file (an extra
foo.sig member of the ar archive for each current member makes sense to
me). The .deb you install might have come off an official CD, been
downloaded from a mirror, or copied third hand off a floppy that your
cousin's fishing buddy's plumber found under a dumpster in a dark alley one
evening.. all with identical validity. End-to-end authentication, not
link-to-link.
2: The .deb is "official" if it is signed by the key of a current developer in
good standing. Determining *that* is left as a (contentious) exercise for
the reader. (but note that it is much more of a policy thing than a
technical thing).
Some observations, though: having a master key sign all the developers keys
is bad; it doesn't scale and is hard to revoke. Besides, signature on keys
should mean faith in the name-key binding, not faith in the name-being-a-
current-debian-developer binding. Having all the "official" keys in a
single keyring (which is authenticated or blessed through some other
mechanism) might work, GPG lets you specify arbitrary sets of keyrings, you
could use only /usr/share/keyrings/debian-keyring.gpg while verifying a
.deb. Perhaps that keyring ought to be signed by the "master" key, with a
detached signature that is a part of the debian-keyring package. Whenever a
new version is produced it is the Leader's responsibility to review the
list of keys against the list of developers and then decide to sign the
keyring (assuming the Project Leader is the holder of the "master" key). A
separate tool, included with the keyring package, could be run periodically
to a: verify the signature on the keyring, and b: check www.debian.org to
see if the master key has changed, asking the user to verify the change and
do something to update the checking-key if so. Ok, probably in the opposite
order.
This implies that the developer of the debian-keyring package must be a
previously-valid developer. A brand new developer taking over that job
(starting with the version that included their own key) would break the
trust chain.
Also, I'm afraid that I see autobuilders fundamentally at odds with signed
packages. The only person who can take responsibility for the contents of a
.deb is the developer, and if they aren't there while the package is being
compiled then they can't honestly take responsibility for what goes into it.
We could have an autobuilder signature (with all the accompanying key
compromise risks), but it would have far less meaning than a human claiming
that they had reviewed the package and believed it to be free of tampering.
Just wanted to throw that into the discussion..
-Brian [not yet a developer, feel free to ignore me]
warner@lothar.com
(wondering why all his .debs smell of stale pizza..)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.7 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE3cy54kDmgv9E5zEwRAmCDAKDJNWt69JBHUmewxFyf6DDjayhY5ACeK8h/
0IzzMpmQAARO9C3lOwILh6U=
=3eMd
-----END PGP SIGNATURE-----
Reply to: