[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFH] The need for signed packages and signed Releases (long, long)

Javier Fernández-Sanguino Peña writes ("[RFH] The need for signed packages and signed Releases (long, long)"):
> The needs are:

You have missed the key point.  For package signatures to provide any
significant benefits you need the following:

* The system must refuse to install unsigned packages (by default).

If the system automatically installs unsigned packages, then there is
no point in putting the signatures on, since an attacker can simply
not sign their trojan package.

This will be obvious to the more observant reader, of course, but it's
worth static because putting it this way makes it clear how difficult
the hurdles are to overcome.  Questions abound:

 - Debian ends up becoming a CA.  Who will run this CA and
   how will we maintain its security ?
 - What about third-party packages ?  Do we end up being a CA
   for third parties ?!
 - What about revocation ?  And how do we reconcile revocation
   with the need to do offline installs, and installs from very old
   physical media ?

Another question that wants to be asked is:

 - How do we stop an attacker who has compromised some Developer's
   machine from using that Developer's key to get a trojan widely
   installed ?


Reply to: