[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz



On Sat, Apr 01, 2000 at 10:48:54PM +0200, Marcus Brinkmann wrote:
 
> No. Currently there is NO chain of verification (I should not have said
> "trust", it's the wrong term. Sorry).

So you agree that it would be an improvement?

> However, it doesn't establish a complete chain of verification from the
> developers to the users, au contraire to what you seem to believe.

Please don't tell me what I believe. I know that the solution is not perfect.
But it's way better then what we have now. 

> > > We already use link 1 (signed changes files), and trust it. This won't
> > > be changed by either proposal. Yes, even in the signed packages file you
> > > trust all developers keys.
> > 
> > There is a difference between our master server trusting the uploaded
> > changes files. master will by definition always have the current keyring.
> > The user might not.
> 
> Yes, but this doesn't change the point. The problem of out of date keys is a
> known problem in any public key cryptosystem.

That it is a known problem does not change anything. It still IS a problem.
While a developer might leave the project or even get thrown out the single
dinstall key would by definition last until either Debian dies (hopefully
this will not happen during my lifetime) or the key is compromised. In the
latter case you can expect that all Linux news services will pick up it 
very soon.

> > Okay - signing Packages will make Debian as secure as master is. Fine.
> > We must assume that master is secure otherwise we are doomed anyway. 
> 
> Wrong. If you have signed debs, and you are careful when updating the
> debian-keyring package, there is no risk even if master is compromised.

I made two points. Which is wrong? I don't think my first point is wrong.
Signing packages will make Debian as secure as master is.

The second point might or might not be wrong. Currently what happens if
master is cracked? Right, we have a BIG problem. With the signed Packages
file we still have a problem in that and only that case.

But under the current setup we also have problem if our mirrors are cracked.
It might even be possible to crack a few push primary mirrors and everybody
will get a compromised Debian. We have to avoid this.

> This is the Debian way, right? Fetching the stick at the wrong end first.
> (Yes, this is a troll).

No. The Debian problem is searching the optimal solution for too long and
doing nothing in the meantime. We still have no perfect solution to improve
our release cycles. So we did nothing. potato is not perfect so we don't 
release it.

I wonder why you are working for the Hurd project then? You can't even
run X11 Servers on the Hurd so why bother about it? The Linux kernel did 
not much when it was first released - but it did something. And you can
improve it.

What I have to admit is that I tend to make the same mistake. Remember, I
wanted to fix GTK+ for the Hurd to not rely on MAXPATHLEN. There is an 
easy work around to make it work but I wanted to essentially rewrite the
file selector. 

I still did not have the time to finish that while having a working (okay, 
working most of the time, it might fail with paths >4k) solution now would
be better I think.

Please stop retarding the efforts of other people because you think it is
not perfect. Get on with your work and let Anthony and Jason implement 
the signed Packages.gz.

Thanks

    Torsten

PS: Did I say I will leave the project if we don't implement the signed
Packages.gz? ;-))

-- 
Torsten Landschoff           Bluehorn@IRC               <torsten@debian.org>
           Debian Developer and Quality Assurance Committee Member

Attachment: pgpdqfmtiszkb.pgp
Description: PGP signature


Reply to: