Re: Packages and signatures
On Sun, Jan 28, 2001 at 03:03:06AM -0300, Nicolás Lichtmaier wrote:
> On Sat, Jan 27, 2001 at 10:45:12PM -0500, Matt Zimmerman wrote:
> > Not so. A compromise of a single server (or even multiple servers) can,
> > with finite effort, be cleaned, and the data replaced with known good data
> > (this may require restoring from backup, having maintainers upload new
> > packages, etc.). Meanwhile, access to the compromised system can be shut
> > down. Development would be crippled, but the damage would be contained.
>
> You forget compromised packages that would be necessary to track and renew.
> Imagine that the site has been compromised for a month, now you need to get
> all the people who downloaded packages, all the people who have burned CDs,
> redownload/validate their packages. The effort is the same, and it should
> be, because as I said at the beginning of the thread.. adding a key only
> validates an existing "flow of trust", it doesn't change its shape.
I disagree. Consider the following two scenarios:
A CD vendor presses a CD using the contents of the archive at time X, and the
archive is compromised at X+k. The CD vendor does not need to worry about his
CD contents.
A CD vendor burns a CD using signed packages from the archive at time X, and
the key(s) used to sign them is/are compromised at X+k. The CD vendor has a CD
full of essentially unsigned packages (even though the packages are probably
safe). The CD vendor needs to press new CDs.
It is not a problem of differing security (it never was), but of validation.
--
- mdz
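To make the two scenarios concrete, here is an added Python sketch of a package verifier (mine, not code from this thread or from any Debian tooling) over constructed package data. HMAC stands in for a public-key signature since the argument does not depend on the primitive; the optional independent timestamp countersignature goes beyond the thread and shows the usual way a signature made at X can survive a key compromise at X+k.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed archive contents at time X (hypothetical names and payloads).
ARCHIVE_AT_X = {"foo_1.0.deb": b"foo payload v1", "bar_2.3.deb": b"bar payload v2.3"}
ARCHIVE_KEY = b"archive-signing-key"          # hypothetical signing key
TIMESTAMP_KEY = b"independent-timestamp-key"  # hypothetical, held off the archive host

def sign(key: bytes, data: bytes) -> bytes:
    """HMAC stand-in for a detached signature."""
    return hmac.new(key, data, hashlib.sha256).digest()

@dataclass(frozen=True)
class SignedPackage:
    name: str
    data: bytes
    sig: bytes                          # says nothing about *when* it was made
    signed_at: Optional[int] = None     # time asserted by an independent timestamp service
    ts_sig: Optional[bytes] = None      # timestamp service's signature over sig || signed_at

def press_cd(at: int, timestamped: bool) -> List[SignedPackage]:
    """Vendor copies the archive at time `at`, optionally with countersigned timestamps."""
    cd = []
    for name, data in ARCHIVE_AT_X.items():
        sig = sign(ARCHIVE_KEY, data)
        ts = sign(TIMESTAMP_KEY, sig + at.to_bytes(8, "big")) if timestamped else None
        cd.append(SignedPackage(name, data, sig, at if timestamped else None, ts))
    return cd

def verify(pkg: SignedPackage, key_revoked_at: Optional[int]) -> bool:
    if not hmac.compare_digest(pkg.sig, sign(ARCHIVE_KEY, pkg.data)):
        return False                    # content or signature altered (archive compromise)
    if key_revoked_at is None:
        return True                     # key still trusted: CD from time X is fine
    # Key compromised at X+k: a bare signature cannot prove it predates the compromise,
    # so the CD reads as unsigned unless an independent timestamp vouches for the time.
    if pkg.signed_at is None or pkg.ts_sig is None:
        return False
    expected = sign(TIMESTAMP_KEY, pkg.sig + pkg.signed_at.to_bytes(8, "big"))
    return hmac.compare_digest(pkg.ts_sig, expected) and pkg.signed_at < key_revoked_at

def check_cd(cd: List[SignedPackage], key_revoked_at: Optional[int]) -> Dict[str, bool]:
    return {pkg.name: verify(pkg, key_revoked_at) for pkg in cd}
```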