[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsigs

On Wed, Mar 27, 2002 at 12:52:17PM +1100, Brian May wrote:
> On Tue, Mar 26, 2002 at 08:23:34PM -0500, Ben Collins wrote:
> > The packages from Debian will have a unique origin sig ID (the key ID).
> > The polic will be looked up using this. IOW, it will search the policies
> > in:
> > 
> > 	/etc/debsig/policies/<debian key ID>/*.pol
> > 
> > For policies that can be used to verify the package. If you use a signed
> > package from mozilla.org, then their origin key ID will be different, so
> > it will look in:
> > 
> > 	/etc/debsig/policies/<mozilla key ID>/*.pol
> > 
> > So you see, the change is self-handled. Mozilla.org would simply have to
> > provide a policy file for you to use.
> I understand this much...
> > Someone else cannot provide a signed package that passes the Debian
> > signature policy. You cannot be forced into accepting package signatures
> > of unknown origin. It has to be a voluntary thing.
> But what happens if a new version of libc6 is signed by <mozilla key
> ID>???
> It will pass the Debian signature policy instead of the mozilla
> signature policy, but does this make any difference?

You do not understand. The origin key comes from dinstall, not the
maintainer. The origin key is the "global" key. You can have other
arbitrary keys in addition (e.g. Debian will have a maint key) that the
policy uses to further verify the package.

> Will the combination of apt-get and dpkg blindly install any packages
> that have been signed by <mozilla key> even though they are obviously
> nothing to do with mozilla? How can it tell?
> True - you are already trusting the mozilla maintainers not to mess up
> your system in the maintainer scripts, but I have some long term ideas
> on how this could be solved too. eg. use of selinux. I don't think
> we need to add to the problem here.

The system is not designed to trust things for you. You have to decide
the trust level. If you don't trust the mozilla.org key, then you should
not have it in your policy list.

> > > I have a number of ideas how this could be solved, but would be
> > > interested if anybody else has thought about these issues first.
> > 
> > Already solved. Please read all the referenced docs.
> I couldn't see anything that addresses this issue. Maybe there
> are documents in addition to those in /usr/doc/debsigs/
> that I haven't found?
> I agree that policy should be set by Debian, because some people won't
> want to do this themselves. However, I think a secure policy also needs
> the input of the local adminstrators, who know the security requirements
> of their local system.
> So for instance you can say:
> if (packagename equals "mozilla") {
>   require policy mozilla
> } else {
>   require policy debian
> }

This is rediculous. You cannot design around this.

> So even if you get a libc6 package, and it successfully meets the
> critiria for libc6, it will not get installed.

So if I understand you correctly, you are worried about mozilla.org
giving you a libc6 package (which you don't want) and it meeting the
signature criteria? That's not up to the signature system. You need to
configure apt-get to only get the packages you want from mozilla.org (in
this example). The signature is only meant to say "this package is
verified to come from this source, and not be tampered with". It is not
a mechanism to say "I only want certain packages from this place".

By the time your example gets to checking sigs, the depends have already
been figured and things have been downloaded by apt, and are trying to
be installed. It's too late at that point to reject a package you don't
want, given that it successfully meets the signature criteria. Apt-get
already has mechanism to control what packages from which sources you
want to take into account.

/       Ben Collins    --    Debian GNU/Linux       \
`               bcollins@debian.org                 '

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: