
Re: [RFH] The need for signed packages and signed Releases (long, long)

On Wed, Nov 13, 2002 at 03:11:22PM +1000, Anthony Towns wrote:
> It's fine for partial mirrors and personal CD sets: you need a Packages
> file for both of those, and if you're using the Debian one you can use
> the Debian Release{,.gpg}, if you're not, you need to set up your own
> trust path.
> For non-Debian stuff, like people.debian.org repositories, stuff that
> third parties distribute, whatever, debsigs are an entirely useful tool.
> But afaics, you can already do that if you like, and that's not an
> argument for including them in the archive.

To be decently secure, you need the target system to refuse to accept
packages that don't have an acceptable trust path. That basically
means that one tool has got to check all the signatures, whether they
be on Release files or on individual .debs.

One approach is to write a new tool, or extend an existing one, to do
this. Another is to make the same kind of signatures available on all
packages. This can form an argument for including such signatures in
the archive (although I don't think it's a very good one, but it might
be "good enough" if including such signatures is relatively easy).

I'd rather see the .changes signatures made easily available to
clients, though. That way means we don't have to sign all the packages
currently in the archive.

  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ | Dept. of Computing,
 `. `'                          | Imperial College,
   `-             -><-          | London, UK
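
The Release-based trust path discussed in this message, as an added example that is not part of the original mail or of any Debian tool: a single gate that accepts a .deb only if its hash chains back through Packages to a Release file. It assumes the Release text has already had its Release.gpg signature verified (for instance with gpgv), that SHA256 fields are in use, and that all file names and contents are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Map path -> SHA256 from the 'SHA256:' section of a Release file."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith(" ") and in_section:
            digest, _size, path = line.split()
            hashes[path] = digest
        else:
            in_section = line.strip() == "SHA256:"
    return hashes

def package_hashes(packages_text: str) -> dict:
    """Map Filename -> SHA256 for each stanza of a Packages file."""
    hashes = {}
    for stanza in packages_text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields and "SHA256" in fields:
            hashes[fields["Filename"]] = fields["SHA256"]
    return hashes

def accept_deb(release_text, packages_path, packages_bytes, deb_path, deb_bytes) -> bool:
    """Fail closed: True only if Release -> Packages -> .deb all match."""
    # Step 1: the Packages file must be the one the (verified) Release lists.
    if release_hashes(release_text).get(packages_path) != sha256_hex(packages_bytes):
        return False
    # Step 2: the .deb must be listed in that Packages file with this hash.
    expected = package_hashes(packages_bytes.decode()).get(deb_path)
    return expected is not None and expected == sha256_hex(deb_bytes)

# Constructed sample data (hypothetical package and paths).
DEB = b"constructed .deb contents"
DEB_PATH = "pool/main/h/hello/hello_1.0_all.deb"
PACKAGES = f"Package: hello\nFilename: {DEB_PATH}\nSHA256: {sha256_hex(DEB)}\n".encode()
PKG_PATH = "main/binary-all/Packages"
RELEASE = f"Origin: Example\nSHA256:\n {sha256_hex(PACKAGES)} {len(PACKAGES)} {PKG_PATH}\n"

if __name__ == "__main__":
    print("untouched .deb accepted:", accept_deb(RELEASE, PKG_PATH, PACKAGES, DEB_PATH, DEB))
    print("modified .deb accepted: ", accept_deb(RELEASE, PKG_PATH, PACKAGES, DEB_PATH, DEB + b"x"))
```

A package with no entry in Packages, or a Packages file not listed in Release, is rejected the same way as a tampered one, which is the refuse-by-default behaviour the message asks for.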
