Re: Signing Packages.gz
On Sat, Apr 01, 2000 at 08:52:36PM +0200, Torsten Landschoff wrote:
> On Sat, Apr 01, 2000 at 04:00:20PM +0200, Marcus Brinkmann wrote:
>
> > It seems you feel personally insulted. I am sorry for this, but
> > unfortunately it doesn't change the situation that the signed packages case
> > adds a further point of weakness to the chain of trust.
>
> Interesting. So signing Packages.gz will lower the security?
No. Currently there is NO chain of verification (I should not have said
"trust", it's the wrong term. Sorry).
However, it doesn't establish a complete chain of verification from the
developers to the users, au contraire to what you seem to believe.
> > We already use link 1 (signed changes files), and trust it. This won't
> > be changed by either proposal. Yes, even in the signed packages file you
> > trust all developers keys.
>
> There is a difference between our master server trusting the uploaded changes
> files. master will by definition always have the current keyring. The user
> might not.
Yes, but this doesn't change the point. The problem of out-of-date keys is a
known problem in any public key cryptosystem.
> Okay - signing Packages will make Debian as secure as master is. Fine.
> We must assume that master is secure otherwise we are doomed anyway.
Wrong. If you have signed debs, and you are careful when updating the
debian-keyring package, there is no risk even if master is compromised.
> Currently Debian is as secure as the worst maintained mirror.
>
> > What link 2 asserts instead is that the packages come from master. It solves
> > the mirror problem, but does not solve the master problem.
>
> So let's fix the mirror problem and let the master problem for later.
This is the Debian way, right? Fetching the stick at the wrong end first.
(Yes, this is a troll).
Thanks,
Marcus
--
`Rhubarb is no Egyptian god.'
Marcus Brinkmann
Marcus.Brinkmann@ruhr-uni-bochum.de, marcus@gnu.org, brinkmd@debian.org
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/
Debian http://www.debian.org   GNU http://www.gnu.org
Check Key server for public PGP Key, PGP Key ID 36E7CD09
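The two verification chains argued over in this thread (link 1: the maintainer signs the package; link 2: master signs the Packages index that lists package hashes) can be modelled in a few lines. The script below is an added illustration, not Debian's tooling and not code from anyone in the thread. It uses a keyed HMAC as a stand-in for an OpenPGP signature so it runs on the standard library alone; the package names, payloads and key material are constructed. The point it demonstrates is who holds which key: the user holds master's archive key and a copy of the developer keyring, mirrors hold nothing, and an attacker who controls master holds the archive key.

```python
"""Toy model of the two verification chains from the thread (constructed example).

A keyed HMAC stands in for a public-key signature.  That is a simplification:
with HMAC the verifier could also forge, but here only the question of WHICH
key each party holds matters, not the algorithm.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key material.  The user's debian-keyring copy holds the developer
# keys; the user also holds master's archive key.  Mirrors hold no keys at all.
DEVELOPER_KEYS = {"alice": b"alice-key-constructed", "bob": b"bob-key-constructed"}
MASTER_KEY = b"master-archive-key-constructed"


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


@dataclass
class Deb:
    name: str
    maintainer: str
    payload: bytes
    dev_sig: bytes          # link 1: the maintainer's signature over the package


@dataclass
class Archive:
    debs: dict
    packages: bytes         # Packages index: one "name sha256" line per deb
    packages_sig: bytes     # link 2: master's signature over the index


def make_deb(name: str, maintainer: str, payload: bytes) -> Deb:
    return Deb(name, maintainer, payload, sign(DEVELOPER_KEYS[maintainer], payload))


def build_archive(debs: dict) -> Archive:
    """What master does: hash every deb into Packages and sign the index."""
    index = "".join(
        f"{d.name} {hashlib.sha256(d.payload).hexdigest()}\n" for d in debs.values()
    ).encode()
    return Archive(dict(debs), index, sign(MASTER_KEY, index))


def verify_via_packages(archive: Archive, name: str) -> bool:
    """Link 2 only: check Packages against master's key, then the deb's hash."""
    if not verify(MASTER_KEY, archive.packages, archive.packages_sig):
        return False
    digests = dict(line.split() for line in archive.packages.decode().splitlines())
    deb = archive.debs[name]
    return digests.get(name) == hashlib.sha256(deb.payload).hexdigest()


def verify_via_keyring(archive: Archive, name: str) -> bool:
    """Link 1 only: check the deb's own signature against the developer keyring."""
    deb = archive.debs[name]
    key = DEVELOPER_KEYS.get(deb.maintainer)
    return key is not None and verify(key, deb.payload, deb.dev_sig)


def honest_archive() -> Archive:
    return build_archive({
        "hello": make_deb("hello", "alice", b"hello 1.0 (constructed payload)"),
        "tar": make_deb("tar", "bob", b"tar 1.13 (constructed payload)"),
    })


def tampered_by_mirror() -> Archive:
    """A bad mirror swaps a deb but cannot re-sign Packages or the deb."""
    a = honest_archive()
    a.debs["hello"].payload = b"hello 1.0 + backdoor"
    return a


def compromised_master() -> Archive:
    """Attacker controls master: swaps the deb AND re-signs Packages with the archive key."""
    a = honest_archive()
    a.debs["hello"].payload = b"hello 1.0 + backdoor"
    return build_archive(a.debs)


def run_scenarios() -> dict:
    """Returns {scenario: (accepted via Packages, accepted via keyring)}."""
    cases = [("honest", honest_archive()),
             ("bad mirror", tampered_by_mirror()),
             ("bad master", compromised_master())]
    return {label: (verify_via_packages(a, "hello"), verify_via_keyring(a, "hello"))
            for label, a in cases}


if __name__ == "__main__":
    for label, (via_packages, via_keyring) in run_scenarios().items():
        print(f"{label:11s} Packages-signature check: {via_packages}  keyring check: {via_keyring}")
```

The "bad mirror" case is rejected by both chains, which is the mirror problem a signed Packages file fixes. The "bad master" case passes the Packages check and fails only the keyring check, which is the master problem the thread says signed Packages does not address. The keyring check is only as good as the user's copy of the keyring, which is why the thread stresses care when updating the debian-keyring package.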