On Tue, Nov 12, 2002 at 02:45:20PM -0600, Manoj Srivastava wrote:

> The objection to signed packages is one based on the truism
> that signed packages can't be the _only_ mechanism; we do need a
> trusted path like we have implemented now. But signed packages are a
> welcome addendum to the security practices we implement.

You've expressed it far better than myself. I think we *need* package signatures even if we are not going to base our trust model on them.

I was going to comment on Aj's mail (and will probably do so as soon as I have some spare time). But suffice to say that, even if Aj's fears are about the problems that signed packages don't fix, I'm worried by the problems they do fix, as well as by the fact that we don't give our users/developers/unofficial supporters manageable tools to make package signing easy. They (and we) are stuck with manually checking signatures using data from outside the package, and that is no better than having people put .tar.gz, md5sums and gpg signatures for both on their (our?) download areas.

Is it so difficult to start accepting signed packages? Let's say we don't sign all of the current packages in the archive (to prevent the mirrors from exploding due to the massive change), but we could allow developers to upload signed packages and, maybe, in the (near?) future most of our archive would be fully signed. We should also have the necessary tools (debsigs/debsigs-verify) in a useful shape.

This does not mean that I don't agree with the Release model (which I do), just that I think a little more flexibility (and tools) would improve our situation.

Regards

Javi