[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

On Sat, 1 Apr 2000, Marcus Brinkmann wrote:

> We already use link 1 (signed changes files), and trust it. This won't
> be changed by either proposal. Yes, even in the signed packages file you
> trust all developers keys.

We only trust link1 due to the vigilance of our FTP masters and people
reading -changes lists to make sure that, say, glibc is not uploaded by
someone other than Joel. That is a critical part of the trust in that
> Now link 2. It is currently absent. What you seem to suggest is to add a key
> (dinstall-key) here, so the user can verify the archive. This adds a point
> of weakness. As the dinstall key can't be used automatically and kept "truly"[1]

How about this, if someone was able to hack master to the point of being
able to get the dinstall key, I assure you they would be able to hack
some]weak developer machine and lift their key too. I also assert that the
chance of a hacker getting the security key is lower than say 50% of the
keys in our keyring. 

Furthermore it is comparitively easy to revoke a dinstall key - much
harder to detect and revoke individual keys.

> What link 2 asserts instead is that the packages come from master. It solves
> the mirror problem, but does not solve the master problem.

The master problem cannot be solved in an automatic fashion, it will
always require skilled intervention by a human.


Reply to: