Re: debsigs

[Ben Collins <bcollins@debian.org>]

On Wed, Mar 27, 2002 at 12:06:54PM +1100, Brian May wrote:
> On Tue, Mar 26, 2002 at 07:46:55PM -0500, Ben Collins wrote:
> > > Another comment: how is this/will this be intergrated with something
> > > like apt-get? Will it be possible to have rules like "package x needs
> > > to comply with policy x, package y needs to comply with policy y, all
> > > others need to comply with the Debian release policy for woody?"
> > 
> > No, read the docs. The policy is enforced by the origin and policy files
> > (IOW, we decide it, it isn't arbitrarily up to the user). Dpkg has the
> > ability to invoke the sig checker (not apt).
> 
> My interpretation of the docs + that statement (and I haven't seen any
> docs that say checking will be done in dpkg FYI, so I might be wrong) is
> that dpkg just gets a boolean value: false: no policy is valid for this
> package; or true: at least one policy is valid for the package.
> 
> So what will happen if I want to use debian woody (assume it will
> support this for the purpose of discussion) for all packages, but I
> want to use the version of mozilla that somebody else (lets say X) has
> compiled and put online their website?
> 
> This *is* something which is arbitrarily and needs to be decided
> by the user.

The packages from Debian will have a unique origin sig ID (the key ID).
The polic will be looked up using this. IOW, it will search the policies
in:

	/etc/debsig/policies/<debian key ID>/*.pol

For policies that can be used to verify the package. If you use a signed
package from mozilla.org, then their origin key ID will be different, so
it will look in:

	/etc/debsig/policies/<mozilla key ID>/*.pol

So you see, the change is self-handled. Mozilla.org would simply have to
provide a policy file for you to use.

The reason it is handled this way is to not only verify the signature,
but the origin.

> Just because I trust person X to provide a good copy of mozilla doesn't
> mean that I want to suddenly start receiving their compiled copies of,
> say libc6 from their website too.

Someone else cannot provide a signed package that passes the Debian
signature policy. You cannot be forced into accepting package signatures
of unknown origin. It has to be a voluntary thing.

> I have a number of ideas how this could be solved, but would be
> interested if anybody else has thought about these issues first.

Already solved. Please read all the referenced docs.

The only problem we have at this moment, is the authenticity of the
policy files. Chicken and egg situation. IMO, we need a policy authority
(perhaps Debian sponsored) that would verify policy files. Work on this
:)

-- 
 .------==-=======--------=====------------=-=-----.
/       Ben Collins    --    Debian GNU/Linux       \
`               bcollins@debian.org                 '
 `---=========---====----------==-===-------=--=---'


-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org