
Re: [RFH] The need for signed packages and signed Releases (long, long)

On Tue, Nov 12, 2002 at 02:45:20PM -0600, Manoj Srivastava wrote:
> 	The objection to signed packages is one based on the truism
>  that signed packages can't be the _only_ mechanism; we do need a
>  trusted path like we have implemented now. But signed packages are a
>  welcome addendum to the security practices we implement.

You've expressed it far better than I have. I think we *need* package
signatures even if we are not going to base our trust model on them. I
was going to comment on Aj's mail (and will probably do so as soon as I have
some spare time). But suffice to say that, even granting Aj's fears about the
problems that signed packages don't fix, I'm worried by the problems they
do fix, as well as the fact that we don't give our
users/developers/unofficial supporters manageable tools to make package
signing easy.

They (and we) are stuck with manually checking signatures using data from
outside the package, and that is no better than having people put .tar.gz,
md5sums and gpg signatures for both on their (our?) download

Is it so difficult to start accepting signed packages? Let's say we don't
sign all of the current packages in the archive (to prevent the mirrors
from exploding due to the massive change), but we could allow developers to
upload signed packages and, maybe, in the (near?) future most of our
archive would be fully signed. We should also have the necessary tools
(debsigs/debsigs-verify) in a useful shape.

This does not mean that I don't agree with the Release model (which I do),
just that I think that a little more flexibility (and tools) would improve
our situation.
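To make the "trusted path" the mail contrasts with per-package signatures concrete, here is an added illustration (not code from this thread or from the Debian tools it names) of the hash chain below a signed Release file: Release lists the MD5 and size of each Packages index, and each Packages stanza lists the MD5 and size of a .deb. The Release file, Packages stanza and .deb bytes below are constructed sample data; the detached signature over Release (Release.gpg) is assumed to have been checked by gpg beforehand and is outside this block, which only follows the hashes down to the package.

```python
import hashlib

# Constructed sample data, not taken from any Debian archive.
DEB_BYTES = b"constructed .deb contents for the example"
DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"

PACKAGES_TEXT = (
    "Package: example\n"
    "Version: 1.0-1\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"MD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n"
    "\n"
)
INDEX_PATH = "main/binary-i386/Packages"
RELEASE_TEXT = (
    "Origin: Debian\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES_TEXT.encode()).hexdigest()}"
    f" {len(PACKAGES_TEXT.encode())} {INDEX_PATH}\n"
)


def parse_release(text):
    """Return {path: (md5_hex, size)} from the MD5Sum: block of a Release file."""
    entries = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
            continue
        if in_block and line.startswith(" "):
            md5_hex, size, path = line.split()
            entries[path] = (md5_hex, int(size))
        else:
            in_block = False
    return entries


def parse_packages(text):
    """Return a list of {field: value} dicts, one per stanza of a Packages index."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas


def matches(expected_md5, expected_size, data):
    """Both the length and the digest must agree with the index entry."""
    return len(data) == expected_size and hashlib.md5(data).hexdigest() == expected_md5


def trust_chain(release_text, packages_text, deb_bytes,
                index_path=INDEX_PATH, deb_path=DEB_PATH):
    """Follow Release -> Packages -> .deb; True only if every link checks out.

    Assumes the signature over release_text was already verified with gpg.
    """
    release = parse_release(release_text)
    if index_path not in release:
        return False
    md5_hex, size = release[index_path]
    if not matches(md5_hex, size, packages_text.encode()):
        return False  # index tampered with or not covered by Release
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == deb_path:
            return matches(stanza["MD5sum"], int(stanza["Size"]), deb_bytes)
    return False  # package not listed in the index


if __name__ == "__main__":
    print("intact:", trust_chain(RELEASE_TEXT, PACKAGES_TEXT, DEB_BYTES))
    print("tampered .deb:", trust_chain(RELEASE_TEXT, PACKAGES_TEXT, DEB_BYTES + b"x"))
```

The point the mail is making falls out of the shape of this check: every hash the verifier trusts comes from a file other than the package itself, so a .deb obtained outside this chain (a developer's upload, a mirror of a single file) carries nothing that can be verified on its own. An embedded signature (what debsigs adds) would be checked against the package bytes directly, independently of any index.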



