Re: Revival of the signed debs discussion

To: Scott James Remnant <scott@netsplit.com>
Cc: Debian Developers <debian-devel@lists.debian.org>
Subject: Re: Revival of the signed debs discussion
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: 03 Dec 2003 02:52:11 +0100
Message-id: <[🔎] 87k75ehdmc.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] 1070391189.31959.41.camel@elite>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 1070294218.31956.26.camel@elite> <[🔎] 87k75fkia8.fsf@mrvn.homelinux.org> <[🔎] 1070391189.31959.41.camel@elite>

Scott James Remnant <scott@netsplit.com> writes:

> No Cc was necessary, I am subscribed to debian-devel.
> 
> On Tue, 2003-12-02 at 03:30, Goswin von Brederlow wrote:
> 
> > Scott James Remnant <scott@netsplit.com> writes:
> > 
> > > A compromised dinstall on ftp-master could also replace the keyring
> > > package with a new one containing an extra key, used to sign the new
> > > package and any other package they felt like.
> > 
> > You don't check the signatur of a debian-keyring update against a
> > known good keyring? Maybe the debian-keyring package could add some
> > magic to its pre/postrm to check the new keyring on updates to do this
> > automatically.
> > 
> Personally I don't actually have a copy of debian-keyring installed; but
> I tend to be against automatic checking of this kind, if a key's going
> to be trusted I want to be the one who marks it as trusted.
> 
> > > Assuming that level of compromise, there's no recent to suspect that
> > > they couldn't have free reign adding anything to the archive they
> > > wanted.  Signed .debs gain you nothing here.
> > 
> > You can detect such a compromised keyring easily if you realy care. So
> > for people who care the debian-keyring can't be compromised this
> > way. And then signed debs gain security (in the problem we face now
> > tih the archive).
> > 
> I'm still not convinced how they do gain you security?  The assumption
> that the MD5 signature and Release GPG signature isn't sufficient is
> that the key is stored on a machine that can be compromised.  The same
> applies to the keyring itself, so if I can compromise one, surely I can
> compromise the other.
> 
> Convince me :-)

I sure hope the debian keyring is not signed with a key laying around
openly on master. From the last DSA I saw that some DDs had their
private keys on debians servers which makes me realy worry.

> > The point of the excercise was that the changes files are not
> > available to the general public in a crisis situation like now and are
> > not easily available at normal times.
> > 
> I'm not sure how you figure that they aren't easily available, the
> list.d.o archive is "easily available".  That being said, I'm not

lists.d.o was compromised and offline. Also only the original
uploaders changes files mailinglist is archived, the changes files for
buildd build packages not.

> objecting to putting them anywhere else either, I'm just pointing out
> that they are publicly available.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Scott James Remnant <scott@netsplit.com>

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Scott James Remnant <scott@netsplit.com>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Scott James Remnant <scott@netsplit.com>

Prev by Date: Re: libc6 bug? or C programming error?
Next by Date: Re: UserLinux white paper
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread