[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

On Mon, Apr 03, 2000 at 01:36:01PM +1000, Anthony Towns wrote:
> Debian *can* make this decision, because we know each other. Most users
> can only go `James who?'.

This is easily identified as a play with names. Who is this "Debian" person
you refer to anyway? After all, behind every action is a developer.

> And if he's already compromised your local mirror, and decides that no
> one needs an updated debian-keyring, or any of those irritating bugfree
> packages?

This is free software after all. You can already make a mirror that only
carries out of date packages. What sort of an attack is that supposed to be?

> To reiterate: signed .debs don't cope with any of the following attacks:
> 	* Past/current developers doing nefarious things, especially if
> 	  they also manage to compromise your local link in the distribution	
> 	  network.

I still disagree (the details are spread over several mails of course).

> 	* Vandalism against Packages files

Can you explain this attack to us?

> 	* Maliciously distributing the worst possible selection of valid
> 	  packages

See above. Seems to be a "Free Software" attack to me.
Maybe you should file a bug report against the GPL.
(You didn't laugh? Sorry, but it was supposed to be funny :)

> These attacks are all based on the fact that sometimes it's Debian as a whole
> acting in concert that you trust, not any and all particular developers.

A Debian as a whole does not exist. There exists an abstract incorporation,
but that's it. The rest is a bunch of developers. I don't see the difference
in trusting the key of James or some other Debian admin. I see a difference
between a personal key and a key which is lying around on some net-connected

You are attempting to abuse the public key (PGP) protocol to verify a group
as the ownership of something. This can't work, because it was not designed
to cope with such a situation. You would need to use an entirely different
cryptoprotocol to solve this. All problems I see (and you keep to sweep under
the table) are a direct result from this.

Instead, with signed debs, the PGP protocol is used exactly for what it was
designed: A signature from an individual, not from a group.

(Of course, you *can* have a key that is accessable to several people, for
example for organizations, as Microsoft. However, those people have to
share the location, and thus act like one abstract individual. That the
same can't be true for Debian is obvious: We don't have a headquarter).

One note: Of course this is not the case if the Packages file is signed
locally by an indivual. But in this case, the analogy to the debian-keyring
key is complete (only the technical details are different, and individual
 debs can't be checkd of course. )

> Mmm? One per .deb, YM? That's somewhere around 40 or 50 for each X upload.
> (each .deb has to be signed separately, no matter which way you do it)

There are solutions to this. (Read the pgp/gpg manuals). You can pass the
phrase from other programs or the environment.

As a side note, realize that the secret dinstall key can't be protected 
efficiently by a passphrase, because the phrase itself had to be stored
and readable by dinstall.

> Securing the way Debian distributes its software is a *long* way from
> making it impossible for an attacker to compromise huge numbers of
> Debian boxen.

And is of course an orthogonal issue.


PS: I would like to meet this Debian person, he must be
terrible shizophrene. ;)

Reply to: