Re: [RFH] The need for signed packages and signed Releases (long, long)

[Scott Henson <shenson2@silvercoin.dyndns.org>]

On Wed, 2002-11-13 at 21:03, Ian Jackson wrote:
> This will be obvious to the more observant reader, of course, but it's
> worth static because putting it this way makes it clear how difficult
> the hurdles are to overcome.  Questions abound:
> 
>  - Debian ends up becoming a CA.  Who will run this CA and
>    how will we maintain its security ?
>  - What about third-party packages ?  Do we end up being a CA
>    for third parties ?!
>  - What about revocation ?  And how do we reconcile revocation
>    with the need to do offline installs, and installs from very old
>    physical media ?
> 
> Another question that wants to be asked is:
> 
>  - How do we stop an attacker who has compromised some Developer's
>    machine from using that Developer's key to get a trojan widely
>    installed ?
Im not a developer but, how about having just one key(one for each
stable release?) that the build-ds use to sign all packages.  Then the
dd's sign the source packages they upload to the build-ds.  Also
third-parties could get their keys signed by the official Debian keys
which would allow them to install their packages on a Debian system. 
Otherwise apt or dpkg could just complian loudly if the package is not
signed and only allow installation if a --force-* switch is used.