Re: Signing Packages.gz

To: Jason Gunthorpe <jgg@ualberta.ca>
Cc: Torsten Landschoff <torsten@debian.org>, debian-devel@lists.debian.org
Subject: Re: Signing Packages.gz
From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
Date: Sun, 2 Apr 2000 14:36:26 +0200
Message-id: <20000402143626.C301@ulysses.dhis.net>
In-reply-to: <Pine.LNX.3.96.1000401151000.458J-100000@wakko.deltatee.com>; from jgg@ualberta.ca on Sat, Apr 01, 2000 at 03:16:23PM -0700
References: <20000401224854.C1024@ulysses.dhis.net> <Pine.LNX.3.96.1000401151000.458J-100000@wakko.deltatee.com>

On Sat, Apr 01, 2000 at 03:16:23PM -0700, Jason Gunthorpe wrote:
> 
> On Sat, 1 Apr 2000, Marcus Brinkmann wrote:
> 
> > Wrong. If you have signed debs, and you are careful when updating the
> > debian-keyring package, there is no risk even if master is compromised.
> 
> Hahha!
> 
> Sorry, your are deluded if you belive this :> Seriously, if someone can
> hack master we are all vunerable - how many people out there do you think
> use the same password on master as on their home boxes? How many people
> foward ssh agents and put that key in their home .ssh/authorized_keys? How
> many people have foolishly left their pgp key on master?
> 
> Hint: Lots to all of the above [except the last, we purged a bunch of
> people for that awhile ago].

Ok, I was only looking at master as the ftp archive. I am happy that the the
last is not true anymore. BTW, those people should be forced to use a new
key to sign Debian packages.

The SSL problems I don't know about.
 
> If master is compromized right now, we would take the d-changes archive
> from a more secure machine [which we may not even have, hence the interest
> in storing that in the archive], a slink cd, some potato CDs developers
> might have, etc, and begin painstakingly verfiying each and every .deb and
> .dsc to make sure it comes from where it was supposed to come from - there
> is no automated way to do this and only people like James would actually
> know who should be singing what packages. 

Yes, this is exactly my point. What would you do when you have signed
Packages file and master is compromised? The attacker could replace some
packages and create a new signed Packages file, just as dinstall does, and
you had no way to find out after the mirrors catched up.

In the signed deb case, you can easily verify all packages individually.
(thanks for proving my point).

Thanks,
Marcus


-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server 
Marcus Brinkmann              GNU    http://www.gnu.org    for public PGP Key 
Marcus.Brinkmann@ruhr-uni-bochum.de,     marcus@gnu.org    PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/       brinkmd@debian.org

Reply to:

References:
- Re: Signing Packages.gz
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
- Re: Signing Packages.gz
  - From: Jason Gunthorpe <jgg@ualberta.ca>

Prev by Date: Re: Signing Packages.gz
Next by Date: Re: Signing Packages.gz
Previous by thread: Re: Signing Packages.gz
Next by thread: Re: Signing Packages.gz
Index(es):
- Date
- Thread