Re: Packages and signatures
Quoting Manoj Srivastava (email@example.com):
> >>"Michael" == Michael Neuffer <firstname.lastname@example.org> writes:
> Michael> How are the autobuilders doing it at the moment ?
> Michael> IIRC the resulting binary packages are not being signed by the
> Michael> maintainers anymore, or by somebody maintaining one of the
> Michael> autobuilders.
> Michael> The sheer volume of packages being built for the growing number
> Michael> of architectures makes it hmmmmm... at least impractical as long
> Michael> as we do not have a full time package signer paid by somebody.
> Michael> I would consider the autobuilders as a kind of trusted entity
> Michael> that is able to sign the resulting packages itself.
> I would then expect a serious hardening of the machine the
> build daemons sit on, with seriously restricted access, and as much
> as possible of the auto build process to be trip wire checksummed.
> I am not sure how much trust one can put into an automated
> process, though, that signs things; unless one can have trust in the
> checks that the process makes, and establish an end-to-end trusted
> chain of events. At a minimum:
> a) the debian key-ring is validated and checksummed (checksum on
> non-writable media)
> b) The signatures of the original developer on the source package are
> c) The machine was installed from trusted packages, and has not been
> compromised (a tripwire check on the machine should be normal
> I generally keep /boot and /usr mounted read only. Indeed, for
> specialized build machines, that can be done too.
Yes, I thought those were obvious necessary preconditions to
be a "trusted (automated) entity".
Those machines have to be hardened as much as possible and
have restricted access.
And to turn the argument around, this is also why I (not to offend
anybody) do not trust the "common" Debian developer as much.
How many are that security conscious with the machines where they
build their packages? Do they have clean environments?
How well are they firewalled, did they check for security breaches
before compiling and uploading the packages?
With CVS archives, where one can trace any change to the source, in
combination with the _trusted_ _secure_ autobuilders that
bootstrap the distribution, one can be fairly sure not to get
compromised binary packages. And of course all packages need
to be signed and those signatures should be checked at all stages.
It should not be possible to install packages with unknown
signatures without answering a question. "Are you sure you want to
add this package <foo>? It does not have a (known) signature!"
Of course you should be able to add keys to the keyring
of "people" that you explicitly trust so that you do not get this
message and are able to do unattended installs/updates. But this is
then a local decision not affecting anybody else.
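The policy sketched in this message, and item (a) from the quoted reply (keyring validated against a checksum held on non-writable media), as an added example that is not part of the thread and not code from Debian or any of its tools. It uses Ed25519 from the Go standard library in place of PGP, a SHA-256 fingerprint in place of a PGP key ID, a hypothetical autobuilder key, and a constructed byte string standing in for a .deb; the names Keyring, SignedPackage and Check are invented for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Verdict is the outcome of checking one package before it is installed.
type Verdict int

const (
	Reject             Verdict = iota // unsigned, tampered, or unknown signer with nobody to ask
	Install                           // valid signature from a key in the local trusted keyring
	InstallAfterPrompt                // valid signature, unknown key, and the operator said yes
)

func (v Verdict) String() string {
	return [...]string{"reject", "install", "install-after-prompt"}[v]
}

// Keyring maps a key fingerprint (hex SHA-256 of the raw public key) to the key.
type Keyring map[string]ed25519.PublicKey

// Fingerprint identifies a key the way a key ID does in a detached signature.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Add is the "local decision" from the message: trust this key on this machine only.
func (k Keyring) Add(pub ed25519.PublicKey) { k[Fingerprint(pub)] = pub }

// Digest hashes the sorted fingerprints so the keyring can be compared against a
// checksum kept on non-writable media before any signature is trusted.
func (k Keyring) Digest() string {
	fps := make([]string, 0, len(k))
	for fp := range k {
		fps = append(fps, fp)
	}
	sort.Strings(fps)
	h := sha256.New()
	for _, fp := range fps {
		h.Write([]byte(fp + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// SignedPackage is a constructed stand-in for a binary package plus the key ID
// and detached signature that travel with it.
type SignedPackage struct {
	Name   string
	Data   []byte
	Signer ed25519.PublicKey // the key the signature claims to be made with
	Sig    []byte
}

// Sign produces the package as an autobuilder or maintainer would hand it over.
func Sign(name string, data []byte, priv ed25519.PrivateKey) SignedPackage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedPackage{Name: name, Data: data, Signer: pub, Sig: ed25519.Sign(priv, data)}
}

// Check applies the policy. pinnedDigest is the keyring checksum from read-only
// media; unattended means nobody can answer a question; confirm models the
// "Are you sure you want to add this package?" prompt.
func Check(pkg SignedPackage, ring Keyring, pinnedDigest string, unattended bool,
	confirm func(name string) bool) (Verdict, error) {
	// A keyring that no longer matches its pinned checksum may hold an attacker's
	// key, so nothing is installed until that is resolved.
	if ring.Digest() != pinnedDigest {
		return Reject, errors.New("keyring does not match its pinned checksum")
	}
	if len(pkg.Sig) == 0 || len(pkg.Signer) != ed25519.PublicKeySize {
		return Reject, fmt.Errorf("%s: no usable signature", pkg.Name)
	}
	// Verify the bytes first: a bad signature is tampering regardless of who signed.
	if !ed25519.Verify(pkg.Signer, pkg.Data, pkg.Sig) {
		return Reject, fmt.Errorf("%s: signature does not verify", pkg.Name)
	}
	fp := Fingerprint(pkg.Signer)
	if trusted, ok := ring[fp]; ok && trusted.Equal(pkg.Signer) {
		return Install, nil
	}
	// Valid signature, but not from a key this machine trusts.
	if unattended {
		return Reject, fmt.Errorf("%s: unknown signer %s and no one to ask", pkg.Name, fp[:16])
	}
	if confirm(pkg.Name) {
		return InstallAfterPrompt, nil
	}
	return Reject, fmt.Errorf("%s: unknown signer %s, declined by operator", pkg.Name, fp[:16])
}

func main() {
	buildd, builddPriv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical autobuilder key
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)    // key nobody here trusts
	ring := Keyring{}
	ring.Add(buildd)
	pinned := ring.Digest() // would be read back from non-writable media
	deb := []byte("constructed package contents")
	ask := func(name string) bool { fmt.Printf("Are you sure you want to add %s? -> yes\n", name); return true }
	for _, pkg := range []SignedPackage{Sign("foo", deb, builddPriv), Sign("bar", deb, strangerPriv)} {
		v, err := Check(pkg, ring, pinned, false, ask)
		fmt.Println(pkg.Name, v, err)
	}
}
```

The order of checks matters: the keyring's own integrity is established before any key in it is consulted, and the signature is verified before the signer is looked up, so a tampered package is rejected even when the operator would have said yes to an unknown key. The prompt only ever appears for a package whose signature is internally valid; in unattended mode that same package is refused instead of silently installed.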