Re: Signing Packages.gz
- To: Torsten Landschoff <torsten@debian.org>
- Cc: debian-devel@lists.debian.org
- Subject: Re: Signing Packages.gz
- From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
- Date: Sat, 1 Apr 2000 22:48:54 +0200
- Message-id: <20000401224854.C1024@ulysses.dhis.net>
- In-reply-to: <20000401205235.A15238@wormhole.galaxy>; from torsten@debian.org on Sat, Apr 01, 2000 at 08:52:36PM +0200
- References: <20000324124741.F30466@foursquare.net> <874s9u7lnk.fsf@hoss.orcus.priv.at> <20000326090034.E9092@azure.humbug.org.au> <20000326160220.C454@ulysses.dhis.net> <20000327083710.A30185@azure.humbug.org.au> <20000401012403.A4090@ulysses.dhis.net> <20000401121501.A25544@azure.humbug.org.au> <20000401125553.B25544@azure.humbug.org.au> <20000401160020.E309@ulysses.dhis.net> <20000401205235.A15238@wormhole.galaxy>
On Sat, Apr 01, 2000 at 08:52:36PM +0200, Torsten Landschoff wrote:
> On Sat, Apr 01, 2000 at 04:00:20PM +0200, Marcus Brinkmann wrote:
>
> > It seems you feel personally insulted. I am sorry for this, but
> > unfortunately it doesn't change the situation that the signed packages case
> > adds a further point of weakness to the chain of trust.
>
> Interesting. So signing Packages.gz will lower the security?

No. Currently there is NO chain of verification (I should not have said
"trust", it's the wrong term. Sorry).

However, it doesn't establish a complete chain of verification from the
developers to the users, au contraire to what you seem to believe.

> > We already use link 1 (signed changes files), and trust it. This won't
> > be changed by either proposal. Yes, even in the signed packages file you
> > trust all developers' keys.
>
> There is a difference between our master server trusting the uploaded changes
> files. master will by definition always have the current keyring. The user
> might not.

Yes, but this doesn't change the point. The problem of out of date keys is a
known problem in any public key cryptosystem.

> Okay - signing Packages will make Debian as secure as master is. Fine.
> We must assume that master is secure otherwise we are doomed anyway.

Wrong. If you have signed debs, and you are careful when updating the
debian-keyring package, there is no risk even if master is compromised.

> Currently Debian is as secure as the worst maintained mirror.
>
> > What link 2 asserts instead is that the packages come from master. It solves
> > the mirror problem, but does not solve the master problem.
>
> So let's fix the mirror problem and let the master problem for later.

This is the Debian way, right? Fetching the stick at the wrong end first.
(Yes, this is a troll).

Thanks,
Marcus
--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server
Marcus Brinkmann GNU http://www.gnu.org for public PGP Key
Marcus.Brinkmann@ruhr-uni-bochum.de, marcus@gnu.org PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/ brinkmd@debian.org
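
A small model of the two verification links argued over in this message, added here as an illustration and not part of the original post. Toy textbook RSA built from fixed Mersenne primes stands in for PGP; the keys, function names and package bytes are all constructed, and the user is assumed to hold a trustworthy copy of the developer key (the "careful when updating the debian-keyring package" condition).

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two known primes. Not secure; model only."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys: one developer key and one archive ("master") key.
DEV = make_key(2**61 - 1, 2**89 - 1)
MASTER = make_key(2**107 - 1, 2**127 - 1)

def index_for(deb):
    """One-entry stand-in for Packages: the SHA-256 of the package."""
    return hashlib.sha256(deb).hexdigest().encode()

def check_signed_packages(deb, index, index_sig):
    """Signed Packages: the archive key vouches for the index, the index for the .deb."""
    return verify(MASTER["n"], index, index_sig) and index == index_for(deb)

def check_signed_deb(deb, deb_sig):
    """Signed debs: the developer's signature is checked on the package itself."""
    return verify(DEV["n"], deb, deb_sig)

def scenarios():
    good = b"hello_1.0.deb contents (constructed)"
    evil = b"hello_1.0.deb modified contents (constructed)"
    good_sig = sign(DEV, good)
    index = index_for(good)
    index_sig = sign(MASTER, index)
    # A compromised master holds the archive key and can sign a new index,
    # but it does not hold the developer key.
    forged_index = index_for(evil)
    forged_sig = sign(MASTER, forged_index)
    return {
        "honest_signed_packages": check_signed_packages(good, index, index_sig),
        "honest_signed_deb": check_signed_deb(good, good_sig),
        "mirror_swap_vs_signed_packages": check_signed_packages(evil, index, index_sig),
        "master_swap_vs_signed_packages": check_signed_packages(evil, forged_index, forged_sig),
        "master_swap_vs_signed_deb": check_signed_deb(evil, good_sig),
    }
```

Only `master_swap_vs_signed_packages` accepts the modified package: the signed index detects a mirror-side swap, while the per-package developer signature also rejects a swap made with the archive key.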