
Re: Signing Packages.gz

On Mon, Mar 27, 2000 at 01:42:47AM +0200, Robert Bihlmeyer wrote:
> There is no need to check all of [the packages]

Well, it'd be nice to be able to do so, to verify that a mirror hasn't
been compromised, but no, you're right.

Actually, now I think about it, the Packages file itself is valuable
information. Consider a Packages file that doesn't actually change the
.deb's, but changes the netbase entry, say to read:

	Package: netbase
	Depends: vim
	Conflicts: nvi, emacsen

and leaves everything else the same. You can only achieve fairly petty
vandalism with this, but it would still be nice to avoid it, IMO.

> One thing to consider is that this would make the Packages.gz file
> noticeably bigger.

Per-package signatures would naturally accompany the package, not the
Packages.gz file.

> > Whose key should be used? Probably a special one just for dinstall,
> > that's kept fairly securely by the Novare and -admin folks, and revoked
> > regularly.
> This key's security value would not be much above that of the debian
> machines themselves.

Speaking about `more secure than the debian machines themselves' is
meaningless. If you can compromise the debian machines themselves,
you're home and hosed. You can do anything and everything. And it's a
*major* *major* change to the way we do *everything* to try to change
that, really.

We may *do* everything in a decentralised, distributed manner, but we're
*still* one organisation. If you can take over `Debian', by definition
you've taken over Debian.

> You'd get about the same security by a mirror of
> master, that is administered by the same people (does this mirror
> exist?).

No, it doesn't. And what would such a mirror actually *do*? Just mirror
master as it gets compromised, and end up compromised itself? Or should
there be three masters which talk to each other and vote on any changes?

(And then, somehow, you need to work out how to avoid people compromising
all three machines in just one hit, by, say, breaking into one of the
personal machines of anyone with root access on all three...)

> Whose key should be used by entry-level signing? I assume that .debs
> are created by an automated process with no user intervention.

Huh? .debs are never created and uploaded without any intervention,
as I understand it. Including ports. They're moved from Incoming to
unstable without interaction, but that's about it.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds
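The attack sketched in the message above (leave every .deb alone, rewrite one stanza of the Packages index) can be shown concretely. The following is an added example, not code from the original thread or from Debian's tools. It uses a constructed two-stanza Packages file with MD5sum fields computed over stand-in .deb contents, and a SHA-256 digest of the whole Packages file published out of band as a stand-in for the dinstall signature the thread is discussing. The point it demonstrates: a per-package check (checksum or signature travelling with the .deb) passes on the tampered index, because the tampering never touched a .deb; only an integrity check over the Packages file itself catches it.

```python
"""Added example (not from the original thread): per-package checksums do
not protect the Packages index, so the index needs its own signature.

A Packages file is a sequence of RFC822-style stanzas separated by blank
lines.  An attacker who controls a mirror can rewrite netbase's Depends and
Conflicts fields while leaving every .deb byte-for-byte intact.
"""
import hashlib

# Constructed stand-ins for the .deb files sitting on the mirror.
DEBS = {
    "netbase_3.18-4.deb": b"constructed stand-in for the netbase .deb",
    "vim_5.6-1.deb": b"constructed stand-in for the vim .deb",
}


def md5_hex(data):
    """MD5 as carried in the MD5sum field of a Packages stanza."""
    return hashlib.md5(data).hexdigest()


# Constructed Packages file; MD5sum fields really match DEBS above.
PACKAGES_ORIGINAL = f"""Package: netbase
Version: 3.18-4
Depends: libc6
Filename: base/netbase_3.18-4.deb
MD5sum: {md5_hex(DEBS['netbase_3.18-4.deb'])}

Package: vim
Version: 5.6-1
Depends: libc6, libncurses5
Filename: editors/vim_5.6-1.deb
MD5sum: {md5_hex(DEBS['vim_5.6-1.deb'])}
"""

# The attack from the message: only netbase's relationship fields change.
PACKAGES_TAMPERED = PACKAGES_ORIGINAL.replace(
    "Depends: libc6\n", "Depends: vim\nConflicts: nvi, emacsen\n", 1)


def parse_packages(text):
    """Parse Packages stanzas into {package name: {field: value}}."""
    stanzas = {}
    for block in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in block.splitlines():
            if line.startswith((" ", "\t")) and last:  # continuation line
                fields[last] += "\n" + line
                continue
            key, _, value = line.partition(": ")
            fields[key] = value
            last = key
        stanzas[fields["Package"]] = fields
    return stanzas


def verify_debs(packages_text, debs):
    """Per-package check: compare each stanza's MD5sum with the .deb on the
    mirror.  Returns the names of packages whose .deb does not match."""
    bad = []
    for name, fields in parse_packages(packages_text).items():
        deb_name = fields["Filename"].rsplit("/", 1)[-1]
        if md5_hex(debs[deb_name]) != fields["MD5sum"]:
            bad.append(name)
    return bad


def index_digest(packages_text):
    """Digest over the whole Packages file.  Assumption: this stands in for
    a signature made by the archive (dinstall) key and distributed out of
    band, so a mirror cannot recompute it after editing the index."""
    return hashlib.sha256(packages_text.encode()).hexdigest()


def verify_packages_file(packages_text, published_digest):
    """Whole-index check against the out-of-band digest."""
    return index_digest(packages_text) == published_digest


def demo():
    """Run both checks against the tampered index; returns a summary dict."""
    published = index_digest(PACKAGES_ORIGINAL)   # signed at the archive
    tampered_netbase = parse_packages(PACKAGES_TAMPERED)["netbase"]
    return {
        "per_package_check_passes": verify_debs(PACKAGES_TAMPERED, DEBS) == [],
        "index_check_passes": verify_packages_file(PACKAGES_TAMPERED, published),
        "netbase_depends_now": tampered_netbase["Depends"],
        "netbase_conflicts_now": tampered_netbase.get("Conflicts"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the per-package check passes on the tampered index while the whole-index check fails, and that netbase now claims `Depends: vim` and `Conflicts: nvi, emacsen`. The digest-published-out-of-band pattern is the one Debian later adopted in practice (a signed Release file listing hashes of each Packages file), but the code above is a teaching stand-in, not that implementation.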
