
Re: packages authenticity



On Fri, Mar 30, 2001 at 02:56:53PM +0200, Tamas SZERB wrote:

> Hi, I was wondering if there is any authenticity checking for the debian
> package, because we signed the md5sum file with our gpg/pgp key, but how can
> the user make sure if these signs belong to the valid package maintainer?

Well the user can get the key from the public key servers and run gpg/pgp on
it.

> redhat packages are signed with the One Valid redhat key so I suggest to
> sign somehow like that.
> 
> Eg. packages done, there is the md5 sum, maintainer signs that, and when the
> package will be dinstalled, the Debian system signs it with the centralised
> key.

And what will the presence of a valid Debian signature tell the user? Only
that it has been dinstalled. It doesn't say that Debian has verified the
contents, or that there are no bugs in it, or that the maintainer can be
trusted...

> Or am I wrong and is there any other solution to check if the package is the
> original one, and isn't it hacked?

Check the signature against the maintainer's key. That's not impossible! If
your problem is that you do not have a trust relationship with the maintainer,
well... what trust relationship do you have with "Debian"? What is Debian? A
group of people. One of the requirements of becoming a Debian maintainer is to
get your key signed by another developer. That makes the web of trust that
you want to have a relationship with. So, if you don't trust the maintainer
himself, then also check if his key is signed by other developers.

-------------------------------------------
Met vriendelijke groet / with kind regards,
  Guus Sliepen <guus@sliepen.warande.net>
-------------------------------------------
See also: http://tinc.nl.linux.org/
          http://www.kernelbench.org/
-------------------------------------------
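The check Guus describes (after `gpg --verify` has confirmed the signature on the md5sum file, look at who else has certified the maintainer's key) can be scripted; the following is an added example, not code from the thread or from Debian, and every key id, name and sample listing in it is a constructed placeholder:

```python
# Added example: parse `gpg --list-sigs --with-colons` output and report
# which known developer keys have certified the maintainer's key.
# Key ids, names and the sample output below are constructed placeholders.
import subprocess

DEVELOPER_KEYIDS = {"0F1E2D3C4B5A6978", "9999AAAABBBBCCCC"}  # constructed

# Constructed sample of `gpg --list-sigs --with-colons A1B2C3D4E5F60718`.
SAMPLE = """\
pub:-:1024:17:A1B2C3D4E5F60718:2001-03-30::-:::scESC:
uid:-::::2001-03-30::0123456789ABCDEF::Example Maintainer <maint@example.org>:
sig:::17:A1B2C3D4E5F60718:2001-03-30::::Example Maintainer <maint@example.org>:13x:
sig:::17:0F1E2D3C4B5A6978:2001-03-31::::Other Developer <dev@example.org>:10x:
sig:::17:1111222233334444:2001-04-01::::Unknown Person <who@example.net>:10x:
rev:::17:5555666677778888:2001-04-02::::Some Revoker <rev@example.com>:30x:
"""

def list_sigs(keyid):
    """Fetch the real listing from the local gpg keyring (not used by the test)."""
    out = subprocess.run(["gpg", "--list-sigs", "--with-colons", keyid],
                         capture_output=True, text=True, check=True)
    return out.stdout

def parse_certifications(colon_output):
    """Return (key_id, {certifier_keyid: set(sig classes)}) for user-id
    certifications made by keys other than the listed key itself."""
    key_id, certs = None, {}
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id = f[4]                       # field 5: key id
        elif f[0] == "sig" and key_id and len(f) > 10:
            signer, sig_class = f[4], f[10]     # field 11: class, e.g. "10x"
            if signer == key_id:
                continue                        # self-signature proves nothing
            if sig_class[:2] not in ("10", "11", "12", "13"):
                continue                        # not a user-id certification
            if not sig_class.endswith("x"):
                continue                        # local-only, not exportable
            certs.setdefault(signer, set()).add(sig_class)
    return key_id, certs

def vouching_developers(colon_output, developer_keyids):
    """Key ids of known developers who have certified the maintainer's key."""
    _, certs = parse_certifications(colon_output)
    return sorted(set(certs) & set(developer_keyids))

if __name__ == "__main__":
    print(vouching_developers(SAMPLE, DEVELOPER_KEYIDS))  # ['0F1E2D3C4B5A6978']
```

An empty result means nobody in your list of known developers has certified the key, which is the case where the web of trust gives you nothing beyond the maintainer's own word.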
