Re: Packages and signatures
> > You forget compromised packages that would be necessary to track and renew.
> > Imagine that the site has been compromised for a month, now you need to get
> > all the people who downloaded packages, all the people who have burned CDs,
> > redownload/validate their packages. The effort is the same, and it should
> > be, because as I said at the beginning of the thread.. adding a key only
> > validates an existing "flow of trust", it doesn't change its shape.
> I disagree. Consider the following two scenarios:
> A CD vendor presses a CD using the contents of the archive at time X, and the
> archive is compromised at X+k. The CD vendor does not need to worry about his
> CD contents.
> A CD vendor burns a CD using signed packages from the archive at time X, and
> the key(s) used to sign them is/are compromised at X+k. The CD vendor has a CD
> full of essentially unsigned packages (even though the packages are probably
> safe). The CD vendor needs to press new CDs.
> It is not a problem of differing security (it never was), but of validation.
The scenario you have just described doesn't pose a security danger for
anyone. Yes, having to revoke a key is annoying, and will probably disturb
people, but that's a different issue...! After the user updated the keys of
his system from the net the system will just say that the packages are
signed with a revoked key, and point to the relevant information. The
revocation could even have a URL included.
So, my point hasn't been refuted. There's no reason we shouldn't start
using package signatures now, with automatic signing by dinstall.