
Re: Packages and signatures



> > > > The impact of a key is larger (good or bad) because it can be verified AFTER
> > > > the files LEFT ftp-master. (And all of them leave FTP-MASTER before they
> > > > ARRIVE at the user).
> > > 
> > > And it affects all packages instead of a strict subset.
> > 
> >  Compromising dinstall code compromises all packages, not a strict subset.
> 
> No, it only affects packages currently on Debian mirrors, and once the
> compromise is fixed, things return to normal.  If a trusted key were stolen, it
> could be used to sign packages and distribute them anywhere, and it is much
> harder to revoke a key from every Debian system than to repair a single system
> intrusion.
> Also, once the key is revoked, older packages (e.g., from previous releases)
> signed by that key can no longer be verified.

It's nearly the same situation. In the case of a compromise, every package
in all the mirrors, and every package that has been downloaded by any user,
would have to be considered compromised. We would need to widely
publicize the fact and give people directions on what to do. Besides, since
we probably couldn't know when the compromise started, all old
packages (e.g. from previous releases) would have to be rebuilt, or
reinstalled into master.
