Re: Revival of the signed debs discussion
On Tue, Dec 02, 2003 at 11:07:53AM +0100, Andreas Barth wrote:
> * Joey Hess (firstname.lastname@example.org) [031202 02:55]:
> > Goswin von Brederlow wrote:
> > > What can we do with deb signatures?
> > >
> > > For our current problem, the integrity of the debian archive being
> > > questioned, the procedure would be easy and available to every user:
> > >
> > > 1. get any clean Debian keyring (or just the key signing the keyring)
> > > 2. verify the latest Debian keyring
> > > 3. verify that each deb was signed by a DD and the signature fits
What precautions are taken that the DD actually signed it with the DD's
private key? After all, this compromise was due to a DD's machine being
compromised. I don't think you can audit every DD's workstation to make
sure the keys are well managed.
Set aside the possibility that the DD herself is actually the attacker.
You have to have an answer for these remote possibilities. (Things tend
to get maximally bad.)
> > The canonical attack against signed debs in this situation is to find a
> > signed deb on snapshot.debian.net that contains a known security hole.
> To avoid this attack, it is necessary that the filename of the deb or
> the version of the package is also signed.
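As an added illustration of the point above (not code from this thread or from Debian's tooling): a signature that binds package name, exact version and content hash together, with the client checking the version it expects, so that a still-valid signature on an older deb cannot be replayed. Ed25519 stands in for OpenPGP, and the manifest layout, the names Sign/Verify/Demo and the package bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// Manifest is the hypothetical signed statement: package name, exact version and
// hash of the .deb bytes, bound together so the signature cannot be reused for
// an older, vulnerable version of the same package.
type Manifest struct{ Package, Version, SHA256 string }
func (m Manifest) bytes() []byte {
	return []byte("deb-manifest-v1\n" + m.Package + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}
// Sign is what the developer's upload tooling would do.
func Sign(priv ed25519.PrivateKey, pkg, ver string, deb []byte) (Manifest, []byte) {
	sum := sha256.Sum256(deb)
	m := Manifest{pkg, ver, hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytes())
}
// Verify checks the signature, the content hash, and that the signed version is
// the one the client expects (e.g. from a signed Packages index). Without the
// last check any older, still validly signed deb would be accepted.
func Verify(pub ed25519.PublicKey, m Manifest, sig, deb []byte, wantPkg, wantVer string) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return fmt.Errorf("bad signature")
	}
	if sum := sha256.Sum256(deb); hex.EncodeToString(sum[:]) != m.SHA256 {
		return fmt.Errorf("deb content does not match signed hash")
	}
	if m.Package != wantPkg || m.Version != wantVer {
		return fmt.Errorf("signed %s %s, expected %s %s", m.Package, m.Version, wantPkg, wantVer)
	}
	return nil
}
// Demo signs constructed bytes for two versions of one package, then shows that
// serving the old signed deb in place of the new one is rejected.
func Demo() (freshOK, replayRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	oldDeb := []byte("constructed bytes of foo_1.0-1.deb, the version with the known hole")
	newDeb := []byte("constructed bytes of foo_1.2-3.deb, the fixed version")
	oldM, oldSig := Sign(priv, "foo", "1.0-1", oldDeb)
	newM, newSig := Sign(priv, "foo", "1.2-3", newDeb)
	freshOK = Verify(pub, newM, newSig, newDeb, "foo", "1.2-3") == nil
	replayRejected = Verify(pub, oldM, oldSig, oldDeb, "foo", "1.2-3") != nil
	return freshOK, replayRejected
}
func main() { fmt.Println(Demo()) }
```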