[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

On Mon, Apr 03, 2000 at 12:02:29PM +0200, Marcus Brinkmann wrote:
> > But they could be, with minimal changes. Stick the latest .changes files
> > in debian/changes somewhere and add some code to apt to get it.
> The changes file would be sufficient, but it is not ideal, because it
> always signs a group of packages. Much better would be to stick the signature inside the deb.

Agreed. But if we want to get anywhere, this seems like an easy way to
start prototyping.

I know I'm coming across a bit as `your way sucks, and you're lame and
stuff' but I don't actually mean it. If we can move this discussion to
actually getting some code done, I'm more than happy.

> > I'd be interested in seeing some code for this. You keep throwing around the
> > word `easy', as though it *is* just as plausible to implement this method.
> > Please, at least write some pseudocode for it.
> before making the ar, run pgp/gpg on a list of md5sums of all files contained
> in the ar. Add this signature to the ar.
> When extracting a deb, verify the md5sums and the signature.

Verify the signature against what, exactly? .../debian-keyring.{pgp,gpg} ? 
What about packages made up by Storm, or Corel, or third parties?

Should any .deb be allowed to happily overwrite the keyring file? [0]

How do you check that the keyring is only updated by James?

I'd particularly like you to make a decision on using James' key or
not. Either way has problems, which we're not going to ever solve if you
just keep changing your mind on whether you have a source-of-all-trust
or not, depending on which works better in a given paragraph.

> > Make sure you consider the necessity of keeping debian-keyring up-to-date
> > in case of compromised keys. Make sure you either explicitly do use a
> > `single key' that's easy to verify, or not. If you do, make sure you allow
> > some way of coping with James' key being updated, or James retiring and
> > someone else taking over the job; and make sure you cope with upgrades
> > that possibly skip the generation where this happens.
> Of course. This all is not different from the dinstall keyring, and should
> be solved in exactly the same ways.

The key itself can be updated (without verifying it) during an apt-get
update. This key can be signed by *all* past dinstall keys. Similarly
for the security key. You check that it's either the same as your
current keys, or that its signed by your current keys, and use it if
so. Reasonably easy.

This doesn't work so well if your source-of-all-trust is James' key:
signatures by his key probably just certify that he's seen your passport,
not that you should be trusted by every Debian user ever. If James quits
the project, he's not going to give us his personal key so we can use it
to sign each of the subsequent dinstall maintainers keys, and he might
not want to be bothered doing this himself, either.

Oh, another problem. What to do about a maintainer's existing packages
when he retires? Presumably his key is pulled from the keyring, but then
how does someone go about installing one of his packages? Do -qa have to
pointlessly go through and recompile all his packages? If they're going
to be putting their name to them, are they going to be comfortable with
just blithely signing packages they don't have time to carefully audit?

> > Marcus: How would dpkg with debian-keyring handle all this?
> Well, the default should be to use the installed debian-keyring.
> This will work well for Debian native packages. Of course, care has to
> be taken when updating it (and this should be done manually, IMHO).

If it has to be done manually, most people will forget to do it. If
they're keyrings aren't uptodate, much of their security goes out
the window.

> > And note that saying `This distribution is Debian' is different to
> > saying `This distribution is made up of stuff put together by Debian
> > maintainers.'  The latter could be put together for a special series of
> > `When Packages Attack!' and include all the best security holes ever
> > distributed by Debian.
> So dinstall (ha!) or lets say the admin team is doing a security check on
> all packages before adding them to the archive and to the Packages file?

No, obviously. But as things turn out, at any one time, Debian doesn't
have all that many (known) security bugs. If you don't have to choose any
/one/ time though, and can select the worst instance of netbase, and the
worst instance of make, and the worst instance of mh, and so on, you can
come up with security holes or grave bugs in a lot of packages. (There
are 166 packages with urgency=high uploads on my system, for example)

> What Debian ships IS "the distribution is made up of stuff put together
> by Debian maintainers."

Yes. But not every collection of stuff put together by Debian maintainers is
something Debian ships.

Mixing up things from experimental and bo and woody would be `made up
of stuff put together by Debian maintainers', but it'd probably be as
buggy and unusable as all get-out, and yet people could burn CDs of
it which you could then verify as being as official as anything else
Debian distributes.

Considering how much effort we put into keeping the distribution
consistent, and getting rid of horrible bugs from stable, that sort of
outcome would really be a little disappointing, to me.

The individuals are the basis and all, but the group's important
too. Think emergent properties, and so on, maybe. (Hi, Jason!)

> And this, I think, is the critical point. The signed debs case integrates well
> with a distributed system like Debian is, where there is no central
> authority to decide what's good and bad. And this is the way Debian should be.

No central authority but James, you mean?

Alternatively, the dinstall key is good, because it doesn't give power to
a person; it gives power to the entire project, who can as a whole decide
how that power will be used.

And if someone, like Corel, or Storm, or whoever wants to take bits from
Debian and add bits themselves, all they have to do is generate a Packages
file, sign it, and make the public key available. This isn't limiting
anyone to What-Debian-says-goes, at all. At least as far as I can see.

> If you are claiming that what Debian ships is something different than what
> the maintainer put together, I shall neglect all responsibility for all my
> packages from now on.

I realise this is a pretty popular rhetorical technique these days,
but really...


[0] If you really wanted to avoid this *without* changing dpkg (you only
    need to change Apt to verify signed Packages files) you could have
    Apt memorize the various keyrings and such, and write them back
    before quitting. postinst's which fork() and sleep for an hour or
    so, could probably get around this though. Hmmm. There's probably
    no real way of doing this, actually.

Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds

Attachment: pgpPy8IdBuSoS.pgp
Description: PGP signature

Reply to: