Re: debsigs

Ben Collins <bcollins@debian.org> writes:

> Already solved. Please read all the referenced docs.

I've browsed the policy document in the debsigs package, and here are
my comments:

        * This policy is not targeted at Debian as a whole, but at a
          company that wishes to add value to Debian packages by
          adding certain cryptographically signed attributes to them.

        * It is not clear how replay attacks are dealt with
          (i.e. malicious mirror serving old, vulnerable version of
          software).  (This might be an error of mine, because I'm not
          familiar with the Debian infrastructure.)

        * A scenario we might have to deal with in the future is the
          following: The maintainer of a hypothetical "relo" package
          ("remote login") receives a court order to plant a backdoor
          in this package. Suppose we notice it, shall we refuse all
          signatures of Debian developers from the same jurisdiction?

        * Some of the procedures of the document talk about "removing
          keys from the keyring", and not about revoking certification
          of keys (which would appear to be much more natural).  For
          the more open Debian infrastructure, we might actually need
          Web of Trust support.

        * Autobuilders are completely out of the scope of this policy.

Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
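
The replay concern raised in the second bullet, as an added example that is not part of the original message or of debsigs: a valid signature proves origin, not freshness, so a client also has to compare against the newest version it has already accepted. The HMAC stand-in for a signature, the `Client` class and the simplified version tuples are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a package signature: HMAC-SHA256 under a demo key.
# A real archive would use OpenPGP signatures; only the replay logic matters here.
DEMO_KEY = b"constructed-demo-key"


def sign(name: str, version: tuple, payload: bytes) -> bytes:
    msg = name.encode() + b"\0" + repr(version).encode() + b"\0" + payload
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()


def signature_ok(pkg: dict) -> bool:
    expected = sign(pkg["name"], pkg["version"], pkg["payload"])
    return hmac.compare_digest(expected, pkg["sig"])


class Client:
    """Hypothetical installer that remembers the newest version it has accepted."""

    def __init__(self):
        self.highest_seen = {}  # package name -> version tuple

    def accept_signature_only(self, pkg: dict) -> bool:
        # Authenticity check alone: an old, genuinely signed package passes.
        return signature_ok(pkg)

    def accept_with_rollback_check(self, pkg: dict) -> bool:
        if not signature_ok(pkg):
            return False
        seen = self.highest_seen.get(pkg["name"])
        if seen is not None and pkg["version"] < seen:
            return False  # validly signed, but older than what we already saw
        self.highest_seen[pkg["name"]] = pkg["version"]
        return True


def make_pkg(name, version, payload):
    return {"name": name, "version": version, "payload": payload,
            "sig": sign(name, version, payload)}


# Constructed sample data: version tuples are simplified, not Debian version syntax.
OLD = make_pkg("relo", (1, 0), b"old build with known hole")
NEW = make_pkg("relo", (1, 1), b"fixed build")
```

A client with no recorded history still accepts `OLD`, so this check only covers a mirror rolling back a client that has already seen the newer version.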
