On Sat, Apr 01, 2000 at 04:00:20PM +0200, Marcus Brinkmann wrote:

> It seems you feel personally insulted. I am sorry for this, but
> unfortunately it doesn't change the situation that the signed packages case
> adds a further point of weakness to the chain of trust.

Interesting. So signing Packages.gz will lower the security? I don't see
the point. We can quite easily sign our Packages files without much effort
and I think it would greatly increase the security of our mirrors. It's not
a perfect solution but it is better than our current setup. If you ask me
we should do it. ASAP.

> We already use link 1 (signed changes files), and trust it. This won't
> be changed by either proposal. Yes, even in the signed packages file you
> trust all developers' keys.

There is a difference between our master server trusting the uploaded
changes files. master will by definition always have the current keyring.
The user might not.

> Now link 2. It is currently absent. What you seem to suggest is to add a key
> (dinstall-key) here, so the user can verify the archive. This adds a point
> of weakness. As the dinstall key can't be used automatically and kept "truly"[1]
> secret (it directly depends on the security of master), this weakness is rather
> huge. This problem is avoided if the link 1 is propagated to the users:

Okay - signing Packages will make Debian as secure as master is. Fine.
We must assume that master is secure, otherwise we are doomed anyway.
Currently Debian is as secure as the worst maintained mirror.

> What link 2 asserts instead is that the packages come from master. It solves
> the mirror problem, but does not solve the master problem.

So let's fix the mirror problem and leave the master problem for later.

> I don't object to a signed Packages file, but it is important to see which
> problem it solves and which it doesn't solve. Also it is important to
> realize that the secret key automatically used by dinstall can not be stored
> in a highly secure way.
I would say that the proposal that Jason made sounds good. Have a
low-security key on master which is used to automatically sign the Packages
(of course you would need to breach the account dinstall is running with or
become root to read that private key). Then let our security team sign the
stable releases. Those keys are kept private on their machines.

Thanks

	Torsten

-- 
Torsten Landschoff           Bluehorn@IRC               <torsten@debian.org>
           Debian Developer and Quality Assurance Committee Member
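The message above argues for "link 2": an archive key on master that signs the Packages index, so a user can check that the index came from master and that each .deb matches the digest the index records, which is exactly what a tampering mirror cannot forge. The following is an added example, not code from the thread or from Debian's tools, showing what that client-side check looks like. It assumes a Packages-style index with a SHA256 field and a detached ed25519 signature standing in for the PGP signature; both are assumptions chosen so the example runs with Go's standard library only, and the index, pool path and .deb contents are constructed. It verifies only the mirror link the message wants to fix: a dishonest master would sign a bad index just as well, which is the "master problem" the thread leaves for later.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Entry is one stanza of a Packages-style index: the pool path of a .deb and
// the digest the archive recorded for it when master generated the index.
type Entry struct {
	Filename string
	SHA256   string
}

// ParseIndex reads blank-line-separated "Field: value" stanzas and keeps the
// two fields needed to bind a .deb to the index.
func ParseIndex(index []byte) ([]Entry, error) {
	var entries []Entry
	var cur Entry
	flush := func() {
		if cur.Filename != "" {
			entries = append(entries, cur)
		}
		cur = Entry{}
	}
	sc := bufio.NewScanner(bytes.NewReader(index))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			flush()
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed index line %q", line)
		}
		value := strings.TrimSpace(parts[1])
		switch parts[0] {
		case "Filename":
			cur.Filename = value
		case "SHA256":
			cur.SHA256 = value
		}
	}
	flush()
	return entries, sc.Err()
}

// VerifyPackage is the check a signed index enables on the client:
//  1. the detached signature over the exact index bytes must verify under the
//     archive key, so the index is the one master published;
//  2. the .deb's digest must equal the digest the index records, so a mirror
//     cannot swap the package without also forging the index signature.
// It says nothing about whether master itself was honest when it signed.
func VerifyPackage(archiveKey ed25519.PublicKey, index, sig []byte, filename string, deb []byte) error {
	if !ed25519.Verify(archiveKey, index, sig) {
		return errors.New("index signature does not verify: index was not published by master")
	}
	entries, err := ParseIndex(index)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(deb)
	for _, e := range entries {
		if e.Filename != filename {
			continue
		}
		if hex.EncodeToString(sum[:]) != e.SHA256 {
			return fmt.Errorf("%s: digest mismatch, package altered after master signed the index", filename)
		}
		return nil
	}
	return fmt.Errorf("%s: not listed in the signed index", filename)
}

const helloPath = "pool/main/h/hello/hello_1.0_i386.deb" // constructed pool path

// buildIndex writes a constructed two-stanza index whose hello entry carries
// the digest of whatever bytes are passed in.
func buildIndex(helloDeb []byte) []byte {
	sum := sha256.Sum256(helloDeb)
	return []byte("Package: hello\nFilename: " + helloPath + "\nSHA256: " + hex.EncodeToString(sum[:]) +
		"\n\nPackage: dummy\nFilename: pool/main/d/dummy/dummy_0.1_all.deb\nSHA256: " +
		strings.Repeat("0", 64) + "\n")
}

// Scenario signs a constructed index with a freshly generated key (standing in
// for the dinstall key on master) and runs three mirrors through VerifyPackage:
// an honest one, one that swapped the .deb, and one that also rewrote the
// index so its digest matches the swapped .deb.
func Scenario() (honest, swappedDeb, rewrittenIndex error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	goodDeb := []byte("constructed contents of hello_1.0_i386.deb")
	evilDeb := []byte("constructed trojaned contents of hello_1.0_i386.deb")
	index := buildIndex(goodDeb)
	sig := ed25519.Sign(priv, index)

	honest = VerifyPackage(pub, index, sig, helloPath, goodDeb)
	swappedDeb = VerifyPackage(pub, index, sig, helloPath, evilDeb)
	rewrittenIndex = VerifyPackage(pub, buildIndex(evilDeb), sig, helloPath, evilDeb)
	return honest, swappedDeb, rewrittenIndex
}

func main() {
	honest, swapped, rewritten := Scenario()
	fmt.Println("honest mirror:   ", honest)
	fmt.Println("swapped .deb:    ", swapped)
	fmt.Println("rewritten index: ", rewritten)
}
```

The honest mirror passes, the swapped .deb fails on the digest, and the rewritten index fails on the signature because the signature covers the exact bytes master published. What the check cannot do is distinguish a compromised master from an honest one, which is why the thread also wants a separately held key for stable releases.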