
Re: Packages and signatures



On Sat, Jan 27, 2001 at 11:11:52PM -0300, Nicolás Lichtmaier wrote:

[please attribute my words in the future, it makes it easier to follow the
thread]
> > The Debian archive should be as secure as the current state of the systems
> > running it.  All packages everywhere would be at the mercy of a key
> > compromise that had occurred at any point in time.
> 
>  Remove "key" from the sentence, and it will still hold true.

Not so.  A compromise of a single server (or even multiple servers) can, with
finite effort, be cleaned, and the data replaced with known good data (this may
require restoring from backup, having maintainers upload new packages, etc.).
Meanwhile, access to the compromised system can be shut down.  Development
would be crippled, but the damage would be contained.

A compromised encryption key is much more difficult to fix.  In order to
control the damage, everyone who is trusting the key must be informed of its
revocation.  Rather than a single point at which to repair the intrusion, there
exists an arbitrarily large number of them.

-- 
 - mdz
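
The asymmetry mdz describes above, as an added example that is not part of the original post or of Debian's archive tooling: a verifier that trusts one archive signing key accepts a forged, backdated index signed with the stolen key exactly as it accepts a genuine one, and the only repair is to get a revocation to that verifier (and every other one), which then necessarily rejects the genuine pre-compromise signatures too. Ed25519 stands in for whatever the archive would actually use, the Release layout and the hex key-ID scheme are toy constructions for the example, and the package lines are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is a toy stand-in for a signed archive index (constructed format,
// not Debian's). Everything in it, the date included, is chosen by whoever
// holds the signing key, so the date cannot tell a verifier whether the
// signature predates a compromise.
type Release struct {
	Suite string
	Date  string
	Body  string
}

func (r Release) Bytes() []byte {
	return []byte(r.Suite + "\n" + r.Date + "\n" + r.Body + "\n")
}

// KeyID is how a verifier names a key in its trust and revocation lists
// (hex of the first 8 public-key bytes; an assumption for this example).
func KeyID(pub ed25519.PublicKey) string {
	return hex.EncodeToString(pub[:8])
}

// Verifier models one mirror user or client: the keys it trusts plus the
// revocations it has been told about so far.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{
		Trusted: map[string]ed25519.PublicKey{KeyID(pub): pub},
		Revoked: map[string]bool{},
	}
}

// Accept returns true when the release carries a valid signature from a
// trusted key that this verifier has not yet heard is revoked.
func (v *Verifier) Accept(keyID string, r Release, sig []byte) bool {
	if v.Revoked[keyID] {
		return false
	}
	pub, ok := v.Trusted[keyID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, r.Bytes(), sig)
}

// Scenario plays out the argument for a single verifier and reports what it
// accepts before and after learning of the revocation:
//   genuine*: an index the archive signed before the key was stolen
//   forged*:  an index the attacker signed with the stolen key, backdated
func Scenario() (genuineBefore, forgedBefore, genuineAfter, forgedAfter bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := KeyID(pub)
	v := NewVerifier(pub)

	// Constructed sample data: the archive's own signed index.
	genuine := Release{"stable", "2001-01-20", "Packages deadbeef"}
	genuineSig := ed25519.Sign(priv, genuine.Bytes())

	// The attacker now holds priv. This signature is indistinguishable from
	// a real one, and the date inside it is whatever the attacker picks.
	forged := Release{"stable", "2001-01-20", "Packages trojaned"}
	forgedSig := ed25519.Sign(priv, forged.Bytes())

	genuineBefore = v.Accept(id, genuine, genuineSig)
	forgedBefore = v.Accept(id, forged, forgedSig)

	// The only fix reaches this verifier from outside: a revocation. It
	// takes every signature ever made with the key down with it.
	v.Revoked[id] = true
	genuineAfter = v.Accept(id, genuine, genuineSig)
	forgedAfter = v.Accept(id, forged, forgedSig)
	return
}

func main() {
	gb, fb, ga, fa := Scenario()
	fmt.Printf("before revocation: genuine=%v forged=%v\n", gb, fb)
	fmt.Printf("after revocation:  genuine=%v forged=%v\n", ga, fa)
}
```

Contrast this with the server-compromise case in the message: there the bad data lives on hosts the project controls and can be replaced in one place, whereas here the "repair" has to be delivered to every Verifier instance that ever imported the key, and any that miss the revocation keep accepting the forgery.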