
Re: Signing Packages.gz



On Mon, Apr 03, 2000 at 01:44:38PM +0200, Marcus Brinkmann wrote:
> > Debian *can* make this decision, because we know each other. Most users
> > can only go `James who?'.
> This is easily identified as a play with names. Who is this "Debian" person
> you refer to anyway? After all, behind every action is a developer.

Debian's not a person, obviously. It's a collection of things, including
master, dinstall, the web sites, the mirror network, policy, the BTS, the
developers, even some of the tools, and probably more that I've missed. Hell,
it's probably even an attitude, albeit most likely a bad one... ;)

Let me put it another way. You could keep maintaining your packages, keep
fixing bugs, adding features, keep using .debs, keep following policy,
keep using dpkg and debhelper, and just accidentally forget not to upload
them to master, ever. Are you still contributing to Debian? I'd say
you're not, although you're still obviously participating in the whole
free software thing.

Similarly, there's nothing *wrong* with taking the worst of Debian's
history, until you start claiming that it *is* Debian, and using people's
trust in Debian (oh, yeah, it's a secure up-to-date OS, I update every day,
it's great!) to crack into their systems.

> > And if he's already compromised your local mirror, and decides that no
> > one needs an updated debian-keyring, or any of those irritating bugfree
> > packages?
> This is free software after all. You can already make a mirror that only
> carries out of date packages. What sort of an attack is that supposed to be?

Sure, they *can* do it, but by claiming it's Debian, they're
misrepresenting us. Signing things is a way to get around people
misrepresenting you. If one way of signing things still lets people
misrepresent you, you're not doing as good a job as you might.

> > To reiterate: signed .debs don't cope with any of the following attacks:
> > 	* Past/current developers doing nefarious things, especially if
> > 	  they also manage to compromise your local link in the distribution	
> > 	  network.
> I still disagree (the details are spread over several mails of course).

This is probably a special instance of misrepresenting Debian. ie, where
one person can effectively pretend to a large group of people that what
he says is what Debian says, even though the rest of Debian disagrees.
(Do you disagree that `the Debian distribution' is what passes through
master? Do you disagree that a mirror having a pub/debian directory claims
that the contents of that directory are `the Debian distribution', more
or less?)
 
> > 	* Vandalism against Packages files
> Can you explain this attack to us?

It's in another mail somewhere. Basically, take all your signed .debs and
leave them be. Get the unsigned Packages file, and change some of the
dependencies, or maybe the descriptions. Not the md5sums, though. Make
netbase look like:

	Package: netbase
	Depends: vim
	Conflicts: emacsen, nvi, elvis, elvis-tiny, jed, joe, nano

for example. Voila, people trying to use apt or dselect to upgrade have
to use vim as their editor, or somehow correct the mess by hand.

> > 	* Maliciously distributing the worst possible selection of valid
> > 	  packages
> See above. Seems to be a "Free Software" attack to me.

Heh. Yeah, you could call it that. :)

``Signing Packages.gz avoids the so-called `free software' attack.''

Has a certain ring to it.

> You are attempting to abuse the public key (PGP) protocol to verify a group
> as the ownership of something. This can't work, because it was not designed
> to cope with such a situation.

Of course it can. The only way public keys and PGP can be used directly
to do this is if the group is represented by exactly one of its members,
or by one of some subset of its members (who have a copy of the key). You
can have other models though (the key must have three signatures from the
ten Cabal members listed here: ...) or through more advanced cryptographic
techniques (multiparty computation? secret splitting?).

> (Of course, you *can* have a key that is accessible to several people, for
> example for organizations, such as Microsoft. However, those people have to
> share the location, and thus act like one abstract individual. That the
> same can't be true for Debian is obvious: We don't have a headquarters).

What difference does location actually make though? PGP doesn't depend on
GPS coordinates, or anything.

> PS: I would like to meet this Debian person, he must be
> terribly schizophrenic. ;)

Yeah, just look at his diary sometime (the guy's such an egomaniac: you
can even *subscribe* to them, sheesh! and prolific? why, that's not half
of it!). Why, he even gets his identities confused sometimes, and makes
them switch viewpoints! Schizophrenic, I could understand, but he can't
even keep that straight. Nutcase. Pretty damn good programmer, though...

Cheers,
aj, nothing more than a figment of the Collective's imagination since 1998

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds

Attachment: pgpBlGDqCW2vq.pgp
Description: PGP signature
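The Packages-file vandalism attack described in the mail above, worked through as an added example (this is not code from the original message or from the Debian project). A constructed Packages index in the real stanza format points at two constructed .deb payloads; the attacker rewrites netbase's Depends/Conflicts fields while leaving the MD5sum entries untouched, so a client that only checks each .deb against its listed hash sees nothing wrong. A keyed digest over the whole index stands in for the PGP signature over Packages.gz that the thread argues for (an HMAC under an assumed archive key rather than OpenPGP, purely to keep the example dependency-free) and does catch the change.

```python
"""Added example: why per-.deb hash checks miss Packages-file vandalism,
and why an integrity check over the whole index catches it."""
import hashlib
import hmac

# Constructed stand-ins for the archive's .deb files.
DEBS = {
    "netbase_3.18-4.deb": b"netbase deb contents (constructed)",
    "vim_5.6-1.deb": b"vim deb contents (constructed)",
}


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed Packages index; the stanza format (blank-line separated
# "Field: value" records, MD5sum per file) is the real one.
PACKAGES = f"""Package: netbase
Version: 3.18-4
Depends: libc6
Filename: netbase_3.18-4.deb
MD5sum: {md5hex(DEBS["netbase_3.18-4.deb"])}

Package: vim
Version: 5.6-1
Filename: vim_5.6-1.deb
MD5sum: {md5hex(DEBS["vim_5.6-1.deb"])}
"""


def parse_packages(text: str) -> list[dict]:
    """Parse RFC822-style stanzas into one dict per package."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if not line or line.startswith(" "):
                continue  # continuation lines (long descriptions) not needed here
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def debs_match_index(text: str, debs: dict) -> bool:
    """The check that signed/hashed .debs give you: every file matches its MD5sum."""
    return all(md5hex(debs[s["Filename"]]) == s["MD5sum"] for s in parse_packages(text))


def vandalise(text: str) -> str:
    """The attack from the mail: rewrite netbase's relationships, leave hashes alone."""
    out = []
    for block in text.strip().split("\n\n"):
        if block.startswith("Package: netbase"):
            block = block.replace(
                "Depends: libc6",
                "Depends: vim\nConflicts: emacsen, nvi, elvis, elvis-tiny, jed, joe, nano",
            )
        out.append(block)
    return "\n\n".join(out) + "\n"


# Stand-in for a PGP signature over Packages.gz: a keyed digest under a key the
# mirror operator/attacker does not hold. Assumed key; real Debian uses OpenPGP.
ARCHIVE_KEY = b"constructed archive signing key"


def sign_index(text: str) -> str:
    return hmac.new(ARCHIVE_KEY, text.encode(), hashlib.sha256).hexdigest()


def index_signature_valid(text: str, sig: str) -> bool:
    return hmac.compare_digest(sign_index(text), sig)


def demo() -> dict:
    sig = sign_index(PACKAGES)          # produced when the index was built
    tampered = vandalise(PACKAGES)      # what a hostile mirror serves
    return {
        "debs_ok_before": debs_match_index(PACKAGES, DEBS),
        "debs_ok_after": debs_match_index(tampered, DEBS),      # still True: attack unnoticed
        "index_sig_before": index_signature_valid(PACKAGES, sig),
        "index_sig_after": index_signature_valid(tampered, sig),  # False: attack caught
        "netbase_depends_after": parse_packages(tampered)[0]["Depends"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the example makes concrete is that the md5sums in Packages bind each .deb to the index, but nothing binds the index to the archive; whoever controls the mirror controls what apt and dselect believe about dependencies and conflicts until the index itself carries a signature.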

