
Re: Packages and signatures



>     >> The problem with signing packages is that you can't trust a
>     >> computer to do it for obvious reasons (like
>     >> building/installation of packages being done as root).
> 
>      >  That's nonsense. Security-important points in a process aren't
>      > created by adding a signature there. A key automatically used
>      > by ftp-master.debian.org would be as secure as the process of
>      > building packages in that machine is now, not more secure, not
>      > less secure.  Again with different words: A key used by
>      > "dinstall" (or whatever its name is now) will have the same
>      > degree of security/trust as packages that are now built with
>      > it.
> 
>      >  It's sad that this misconception has prevented Debian from
>      > using signed packages for so long.
> 
> The point is that it would give no extra security atop of the trust
> you can have in the autobuilders anyway.

 No extra trust? I will be able to say: "Yes, this package has come from the
autobuilder, or somebody has got root on the autobuilder, but if someone
did, all Debian is compromised and signatures are the least of our worries".

 It protects me from mirrors, from man in the middle attacks. I could
download a Debian package from the homepage of some unknown guy...

> In fact, it would give most people a false security. They would think
> that packages are safe just because they are signed. Without the
> signature people are more aware that what's in the box might not be what's
> written on the outside.

 That's exactly the crap I was talking about. It's a misunderstanding of
how security works, and of the meaning of a signed object.
 Without using keys, there's already a "web of trust". We trust the
autobuilders now; if that machine gets compromised, it will be able to run
code as root in many Debian machines. Adding a signature won't make anyone
have to trust an additional entity, and won't ask for more trust either.
It's just validating an existing trust scheme. Now the trust from the
autobuilder flows to our machine via a very weak method (DNS, HTTP...).
Using signatures will add security to THAT flow of trust.

 The argument about "if packages are signed in any way, people will expect
FULL trust, ultimate trust" is fake too. This signature could be buried into
the package, and not shown to the user the way signed messages are shown to
users in a mail reader. Only if the signature fails, dpkg would display
accurate information about what's going on.
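The flow of trust described in this message (the autobuilder signs, the mirror or network is untrusted, and the installer stays silent unless verification fails) as an added illustration that is not part of the thread and not Debian's or dpkg's own code. It assumes an Ed25519 key pair standing in for the autobuilder's key, a constructed `SignedPackage` structure with the signature embedded in the package, and a mirror that alters one byte in transit; the names `Build`, `Install` and `SignedPackage` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedPackage is a constructed stand-in for an archive that carries its
// own signature. The signature covers the package name and the payload so
// that neither can be swapped independently on a mirror.
type SignedPackage struct {
	Name      string
	Payload   []byte
	Signature []byte // Ed25519 signature over digest(Name, Payload)
}

// digest binds the name and payload into one message to sign. The zero byte
// separator prevents a name/payload boundary from being shifted.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// Build is what the autobuilder side would do: produce the package and sign
// it with the key that lives on that machine. The signature is worth exactly
// as much as the builder's own integrity, no more and no less.
func Build(priv ed25519.PrivateKey, name string, payload []byte) SignedPackage {
	return SignedPackage{
		Name:      name,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(name, payload)),
	}
}

// Install is the client side. It returns nil when the embedded signature
// matches the trusted builder key, so the normal path shows nothing to the
// user; only a failure surfaces, with a precise statement of what went wrong.
func Install(pub ed25519.PublicKey, pkg SignedPackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return fmt.Errorf("package %q: missing or malformed signature", pkg.Name)
	}
	if !ed25519.Verify(pub, digest(pkg.Name, pkg.Payload), pkg.Signature) {
		return fmt.Errorf("package %q: signature does not verify against the builder key; "+
			"contents were altered after signing (mirror, proxy or download path)", pkg.Name)
	}
	return nil
}

// MirrorTamper simulates an untrusted mirror flipping one bit of the payload
// while leaving the name and signature untouched. It copies the payload so the
// original package is not modified.
func MirrorTamper(pkg SignedPackage) SignedPackage {
	altered := pkg
	altered.Payload = append([]byte{}, pkg.Payload...)
	altered.Payload[0] ^= 0x01
	return altered
}

func main() {
	// Constructed builder key; in practice the public half is shipped with
	// the installer and the private half never leaves the builder.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := Build(priv, "hello_1.0_all.deb", []byte("constructed package contents"))

	fmt.Println("direct from builder:", Install(pub, pkg)) // prints <nil>: silent success
	fmt.Println("via tampering mirror:", Install(pub, MirrorTamper(pkg)))
}
```

The verification step adds no new party to trust: the same builder key that already produces the binaries is the one being checked, so the only thing that changes is that the path from builder to client no longer has to be trusted blindly.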


