Re: [RFH] The need for signed packages and signed Releases (long, long)
>>"Ian" == Ian Jackson <ian@davenant.greenend.org.uk> writes:
Ian> - Debian ends up becoming a CA. Who will run this CA and
Ian> how will we maintain its security ?
You do not have X509 certificates. You can merely sign the ar
components with gpg keys; and Debian distributes the keyring (one can
also get the current keyring from a well known place on the
network). Perhaps the keyring itself can have a detached signature;
this is not so much more work to set up.
Ian> - What about third-party packages ? Do we end up being a CA
Ian> for third parties ?!
I can try and get the third party gpg key into my local
keyring with a decent web of trust; Debian need not be involved.
Ian> - What about revocation ? And how do we reconcile revocation
Ian> with the need to do offline installs, and installs from very old
Ian> physical media ?
If the key is revoked on the public/debian key servers, I'll know
when I update the keyring.
Ian> - How do we stop an attacker who has compromised some Developer's
Ian> machine from using that Developer's key to get a trojan widely
Ian> installed ?
There is no such thing as absolute security.
This mechanism improves the security by narrowing the threat
cases; and gives us a chance to put into place a process that would
be better security than now.
Do not let perfect get in the way of better.
manoj
--
One of the disadvantages of having children is that they eventually
get old enough to give you presents they make at school. Robert Byrne
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C