Re: [RFH] The need for signed packages and signed Releases (long, long)
On Wed, 2002-11-13 at 21:03, Ian Jackson wrote:
> This will be obvious to the more observant reader, of course, but it's
> worth stating because putting it this way makes it clear how difficult
> the hurdles are to overcome. Questions abound:
> - Debian ends up becoming a CA. Who will run this CA and
> how will we maintain its security ?
> - What about third-party packages ? Do we end up being a CA
> for third parties ?!
> - What about revocation ? And how do we reconcile revocation
> with the need to do offline installs, and installs from very old
> physical media ?
> Another question that wants to be asked is:
> - How do we stop an attacker who has compromised some Developer's
> machine from using that Developer's key to get a trojan widely
> installed ?
I'm not a developer, but how about having just one key (one for each
stable release?) that the buildds use to sign all packages. Then the
DDs sign the source packages they upload to the buildds. Also,
third parties could get their keys signed by the official Debian keys,
which would allow them to install their packages on a Debian system.
Otherwise apt or dpkg could just complain loudly if the package is not
signed and only allow installation if a --force-* switch is used.
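The trust chain proposed in the reply above, written out as an added example in Go (this is not code from the thread, nor from apt or dpkg): a single release key signs official packages and can also certify a third-party vendor key; the verifier accepts a package only if it is signed by the release key or by a key the release key certified, and otherwise refuses unless a force switch is given. The `KeyCert`/`Package` structures, the `--force-unsigned` name, the "cert:"/"pkg:" message encodings and the sample packages are assumptions for illustration; ed25519 stands in for whatever signature scheme Debian would actually pick. It deliberately does not model revocation, the problem Ian raises for offline installs, so a compromised vendor key stays trusted for as long as its certificate exists.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyCert is a buildd or third-party key certified by the per-release key (assumed format).
type KeyCert struct {
	Name    string
	Pub     ed25519.PublicKey
	CertSig []byte // release-key signature over certMessage(Name, Pub)
}

// Package is what apt would verify; Signer is "" when the package is unsigned.
type Package struct {
	Name   string
	Data   []byte
	Signer string
	Sig    []byte
}

// certMessage and pkgMessage bind the signature to the key/package name as well as its bytes.
func certMessage(name string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte("cert:"+name+":"), pub...))
	return h[:]
}

func pkgMessage(p Package) []byte {
	h := sha256.Sum256(append([]byte("pkg:"+p.Name+":"), p.Data...))
	return h[:]
}

// Verifier holds the one release key shipped with the distribution and any
// third-party certificates the admin has added.
type Verifier struct {
	ReleasePub ed25519.PublicKey
	Certs      map[string]KeyCert
}

// Verify applies the mail's policy: trust the release key or a key it certified,
// otherwise refuse unless --force-unsigned (hypothetical switch) was given.
func (v *Verifier) Verify(p Package, force bool) error {
	if p.Signer == "" || len(p.Sig) == 0 {
		if force {
			return nil // --force-unsigned: install anyway, loudly
		}
		return errors.New("package is not signed (use --force-unsigned to override)")
	}
	pub := v.ReleasePub
	if p.Signer != "release" {
		c, ok := v.Certs[p.Signer]
		if !ok {
			return fmt.Errorf("unknown signer %q", p.Signer)
		}
		// The certificate itself must carry a valid release-key signature.
		if !ed25519.Verify(v.ReleasePub, certMessage(c.Name, c.Pub), c.CertSig) {
			return fmt.Errorf("key %q is not certified by the release key", p.Signer)
		}
		pub = c.Pub
	}
	if !ed25519.Verify(pub, pkgMessage(p), p.Sig) {
		return fmt.Errorf("bad signature on %s", p.Name)
	}
	return nil
}

// Scenario builds constructed keys and packages and returns the verdict for each case.
func Scenario() map[string]error {
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)
	vendPub, vendPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)

	v := &Verifier{ReleasePub: relPub, Certs: map[string]KeyCert{}}
	v.Certs["vendor"] = KeyCert{"vendor", vendPub, ed25519.Sign(relPriv, certMessage("vendor", vendPub))}
	// A key Debian never certified: its "certificate" is only self-signed.
	v.Certs["rogue"] = KeyCert{"rogue", roguePub, ed25519.Sign(roguePriv, certMessage("rogue", roguePub))}

	sign := func(p Package, priv ed25519.PrivateKey) Package {
		p.Sig = ed25519.Sign(priv, pkgMessage(p))
		return p
	}
	official := sign(Package{Name: "hello", Data: []byte("deb1"), Signer: "release"}, relPriv)
	vendor := sign(Package{Name: "tool", Data: []byte("deb2"), Signer: "vendor"}, vendPriv)
	rogue := sign(Package{Name: "evil", Data: []byte("deb3"), Signer: "rogue"}, roguePriv)
	tampered := official
	tampered.Data = []byte("deb1-with-trojan") // contents changed after signing
	unsigned := Package{Name: "local", Data: []byte("deb4")}

	return map[string]error{
		"official":        v.Verify(official, false),
		"vendor":          v.Verify(vendor, false),
		"rogue":           v.Verify(rogue, false),
		"tampered":        v.Verify(tampered, false),
		"unsigned":        v.Verify(unsigned, false),
		"unsigned-forced": v.Verify(unsigned, true),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-16s %v\n", name, err)
	}
}
```

Only the official and vendor packages verify; the self-certified rogue key, the tampered package and the unsigned package are refused, and the unsigned one passes only with the force switch. Note that nothing here distinguishes a package signed by a vendor key from one signed by a vendor key that has since been stolen, which is exactly the revocation gap the quoted questions point at.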