
Re: [RFH] The need for signed packages and signed Releases (long, long)



On Thu, Nov 14, 2002 at 12:25:40AM +1000, Anthony Towns wrote:
> > i also think that when signing releases it is important to timestamp
> > them and touch-resign them in fixed intervals, so you can be sure that
> > you are not getting a stale release file.
> 
> While doing all this copious thinking, you might like to do something like
> 
> $ lynx -dump http://ftp.debian.org/dists/sid/Release | grep Date:
> Date: Tue, 12 Nov 2002 20:38:39 UTC
> 
> just to see if your thoughts are actually anything new.

which leaves the second part. if you timestamp and sign a release file
you only say that it has been a "good" release at some time. if you want
to narrow the window of opportunity for someone to hand me an old
release file and an according package with known security flaws you need
to make new release files periodically, even if nothing in it has
changed, and the script that checks this has to be aware of this fact
and warn you if you get a release file that is older than that. unstable
and testing change often enough, but stable and security would need this
mechanism, which also means that you need something like apt-pupdate so
you don't have to download the release file because of the new
timestamp.

> > i have the impression that a lot of people don't realise how important
> > this is. don't you get shivers everytime you do an apt-get upgrade and
> 
> No, I don't, since I've trained myself to type `apt-check-sigs' after
> every `apt-get update'. (And the only debs I install through anything
> other than apt are ones I've made myself these days)

but it should be much easier to train apt to do that than to train every
single user to do so. hopefully there will be more non-technical users
among those that use debian in the future and, apart from being ignorant
about things like signed packages, it's unlikely that they install and
use a package to check the sigs if they don't have to.

at the moment i also have only apt-gotten and locally built packages,
but that has also been different at times. and if someone chooses to use
debs to distribute his software we should appreciate that and give her
the opportunity to deliver it to her users in a secure way, even if it
is not in the debian distribution. and therefore signed debs would be
nice. but i accept that signed releases would do most of the time and
are a good step into the right direction.

last but not least i don't understand why you could have a problem with
the things described above, because we don't trade anything in for it.
or only extremely little.

regards  robert
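The freshness check the message asks for, as an added example that is not part of the original thread and not apt's own code: a small Python routine that reads the header of a Release file, and accepts it only if its Date is recent enough under a local policy, not in the future, and, when the file carries a Valid-Until field, that deadline has not passed. (Debian's Release files later gained exactly such a Valid-Until field, which apt enforces through Acquire::Check-Valid-Until.) The function names, the 7-day policy, the 5-minute clock-skew allowance and the three Release files are all constructed for illustration. The check assumes the signature on the Release file has already been verified; it answers only the question a signature cannot, namely whether a validly signed file is too old to trust.

```python
"""Freshness check for an APT Release file (added example, not apt code).

Assumed: the Release file's signature has ALREADY been verified (e.g. with
gpgv against the archive key). This only decides whether a signed file is
stale, which is what a replayed old Release would be.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Hypothetical local policy: the archive is expected to re-sign weekly.
MAX_AGE = timedelta(days=7)
# Hypothetical allowance for clock skew between client and archive.
CLOCK_SKEW = timedelta(minutes=5)


def parse_release_fields(text):
    """Parse the 'Key: value' header lines of a Release file into a dict.

    Lines starting with whitespace are hash-list entries (under MD5Sum:,
    SHA256:, ...) and are skipped; only the header fields matter here.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        fields[key.strip()] = value.strip()
    return fields


def _parse_rfc2822(value):
    """Parse 'Tue, 12 Nov 2002 20:38:39 UTC' into an aware datetime."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # a '-0000' zone yields a naive datetime; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_release_freshness(text, now, max_age=MAX_AGE):
    """Return (ok, reason) for a Release file at time `now` (aware datetime)."""
    fields = parse_release_fields(text)
    if "Date" not in fields:
        return False, "no Date field: cannot judge freshness"
    date = _parse_rfc2822(fields["Date"])
    if date > now + CLOCK_SKEW:
        return False, "Date is in the future (clock skew or forgery)"
    if "Valid-Until" in fields:
        if now > _parse_rfc2822(fields["Valid-Until"]):
            return False, "Valid-Until %s has passed" % fields["Valid-Until"]
    age = now - date
    if age > max_age:
        return False, "Release is %d days old, policy allows %d" % (
            age.days, max_age.days)
    return True, "Release is %s old" % age


# Constructed sample data. NOW is the time of the quoted mail above.
NOW = datetime(2002, 11, 14, 0, 25, 40, tzinfo=timezone.utc)

FRESH_RELEASE = """Origin: Debian
Label: Debian
Suite: stable
Codename: woody
Date: Tue, 12 Nov 2002 20:38:39 UTC
Architectures: i386
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-i386/Packages
"""

# Validly signed once, but replayed two and a half months later.
STALE_RELEASE = FRESH_RELEASE.replace(
    "Date: Tue, 12 Nov 2002 20:38:39 UTC", "Date: Sun, 1 Sep 2002 00:00:00 UTC")

# Carries an explicit expiry that has already passed.
EXPIRED_RELEASE = FRESH_RELEASE.replace(
    "Date: Tue, 12 Nov 2002 20:38:39 UTC",
    "Date: Tue, 5 Nov 2002 20:38:39 UTC\nValid-Until: Wed, 13 Nov 2002 20:38:39 UTC")


if __name__ == "__main__":
    for name, text in (("fresh", FRESH_RELEASE), ("stale", STALE_RELEASE),
                       ("expired", EXPIRED_RELEASE)):
        ok, reason = check_release_freshness(text, NOW)
        print("%-8s %s: %s" % (name, "OK  " if ok else "WARN", reason))
```

Note the order of the checks: a Release whose Date lies in the future is rejected before anything else, because either the client clock or the file is wrong and neither case should silently pass; Valid-Until, when present, is the archive's own statement and is checked before the local age policy, so the reason reported names the stronger fact.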


