
Re: Revival of the signed debs discussion



On Mon, 2003-12-01 at 13:34, Goswin von Brederlow wrote:

> We have no continuous trust chain going from the maintainer (also
> meaning buildd + admin), ftp-master.d.o, mirrors to the user. A
> compromised dinstall on master could replace binary uploads with
> trojan versions without any user being able to detect it.
> 
A compromised dinstall on ftp-master could also replace the keyring
package with a new one containing an extra key, used to sign the new
package and any other package they felt like.

Assuming that level of compromise, there's no reason to suspect that
they couldn't have free rein adding anything to the archive they
wanted.  Signed .debs gain you nothing here.


Anyway, I digress from this, I'm replying to point out that we have
exactly the chain of trust you want:


Download the source package components, verify their MD5 signatures
against the Sources file, verify the MD5 signature of the Sources file
against the Release file and verify that file's GPG signature.  This
proves that the package has successfully passed through the ftp-master
process and entered the archive.

To verify this was uploaded by a Debian developer, go to
http://lists.debian.org/debian-devel-changes/ and find the Accepted
message, verify that message's GPG signature and verify the MD5
signatures of the files in that against the real files (this contains
uploaded .deb signatures too).

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?
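The hash chain described in the reply above (source files checked against the Sources index, the Sources index checked against the GPG-signed Release file), as an added Python example that is not part of the original thread. The index contents and the .dsc are constructed samples, and the `gpg --verify` of Release.gpg is assumed to have been done separately before this check runs.

```python
import hashlib

# Constructed sample data (not real Debian archive contents): one source
# package file plus the index entries that would describe it.
DSC_NAME = "hello_2.1.1-4.dsc"
DSC_BODY = b"Format: 1.0\nSource: hello\nVersion: 2.1.1-4\n"
SOURCES_PATH = "main/source/Sources"   # path as listed in Release


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_hash_field(text: str, field: str) -> dict:
    """Parse a multi-line hash field ('Files:' in Sources, 'MD5Sum:' in
    Release) into {name: (md5, size)}; continuation lines start with a space."""
    entries, inside = {}, False
    for line in text.splitlines():
        if line == field + ":":
            inside = True
        elif inside and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        elif inside:
            break  # field ended; ignore the rest of the stanza
    return entries


def verify_against(entries: dict, name: str, data: bytes) -> bool:
    """True only if the index lists name with exactly this size and MD5;
    a file the index does not mention is a failure, not a pass."""
    if name not in entries:
        return False
    digest, size = entries[name]
    return len(data) == size and md5hex(data) == digest


def verify_chain(release: str, sources: bytes, dsc_name: str, dsc: bytes) -> bool:
    """Sources must match the (already GPG-verified) Release file, and the
    .dsc must match Sources.  Release.gpg is assumed checked with gpg first."""
    if not verify_against(parse_hash_field(release, "MD5Sum"), SOURCES_PATH, sources):
        return False
    return verify_against(parse_hash_field(sources.decode(), "Files"), dsc_name, dsc)


# Derive the constructed index files from the sample .dsc so the chain is consistent.
SOURCES = ("Package: hello\nDirectory: pool/main/h/hello\nFiles:\n"
           f" {md5hex(DSC_BODY)} {len(DSC_BODY)} {DSC_NAME}\n").encode()
RELEASE = f"Suite: stable\nMD5Sum:\n {md5hex(SOURCES)} {len(SOURCES)} {SOURCES_PATH}\n"
```

Any single-byte change to the .dsc or to Sources breaks the chain, while a change to a Release field outside MD5Sum is caught only by the detached GPG signature, which is why that signature check must come first.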
