Re: Revival of the signed debs discussion
Henning Makholm <firstname.lastname@example.org> writes:
> Scripsit Wouter Verhelst <email@example.com>
> > Requiring us to log in to the autobuilder to sign the .deb remotely is
> > not acceptable, for two reasons:
> > * it's way too much work for most of us
> > * it requires copying the secret key over, which is, uh, a bad idea.
> Um, perhaps this is really stupid but: Since the signature on an
> autobuilt .deb is not really worth more than the security of the
> autobuilder, wouldn't it make sense to give the autobuilder its own
> keypair that it stores locally with no passphrase and uses to sign
> packages unattended?
> If an attacker compromises the buildd to the point where he can gain
> access to its secret key, he could just as well attack its build
> environment, or simply use his access to convincingly forge an email
> to you, asking you to sign a malicious package.
The maintainers signature is worth a bit more. If the buildd is
compromised the onsite key can be used to create new packages at will
and predate them to before the attack. With the maintainers key only
packages build after the attack can be compromised and if the start of
the attack can be determined only a few packages have to be removed.
What the admins signature can gives us is a trusted timestamp and
another pair of eyes reading the changes files.
Don't get me wrong, I'm all for an gpg key on the buildd to sign every
deb. Not as replacement to at least one person glancing over the
result but as an extra measure.