Re: [RFH] The need for signed packages and signed Releases (long, long)
>>"Ian" == Ian Jackson <email@example.com> writes:
Ian> - Debian ends up becoming a CA. Who will run this CA and
Ian> how will we maintain its security ?
You do not have X509 certificates. You can merely sign the ar
components with gpg keys; and Debian distributes the keyring (one can
also get the current keyring from a well known place on the
network). Perhaps the keyring itself can have a detached signature;
this is not so much more work to set up.
Ian> - What about third-party packages ? Do we end up being a CA
Ian> for third parties ?!
I can try and get the third party gpg key into my local
keyring with a decent web of trust; Debian need not be involved.
Ian> - What about revocation ? And how do we reconcile revocation
Ian> with the need to do offline installs, and installs from very old
Ian> physical media ?
If the key is revoked on the public/debian key servers, I'll know
when I update the keyring.
Ian> - How do we stop an attacker who has compromised some Developer's
Ian> machine from using that Developer's key to get a trojan widely
Ian> installed ?
There is no such thing as absolute security.
This mechanism improves the security by narrowing the threat
cases; and gives us a chance to put into place a process that would
be better security than now.
Do not let perfect get in the way of better.
One of the disadvantages of having children is that they eventually
get old enough to give you presents they make at school. Robert Byrne
Manoj Srivastava <firstname.lastname@example.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C