Re: Revival of the signed debs discussion
Bernd Eckenfels <email@example.com> writes:
> On Wed, Dec 03, 2003 at 03:17:20AM +0100, Goswin von Brederlow wrote:
> > What the admin's signature can give us is a trusted timestamp and
> > another pair of eyes reading the changes files.
> Well, a trusted timestamp can be added/required by a third party. No need to
> bother a build admin with signing of packages he cannot verify.
> Just make a small web service which receives a
> <packagename,version,hash> string and answers with a signed timestamp. There
> are even services like that out there on the net.
If there is no person sitting there signing it manually it's useless.
The buildd admin is already signing every changes file before upload
so he is the logical person for signing debs too.
> > Don't get me wrong, I'm all for a gpg key on the buildd to sign every
> > deb. Not as replacement to at least one person glancing over the
> > result but as an extra measure.
> How often does this person glance over the results? As I understand debian
> build daemons run unattended and build continuously. Correct me when I am wrong here.
> But if I assume right, I don't want to lose that processing speed, especially
> since it can be easily compensated with "3rd party" timestamps.
In theory every build log is read. In practice I believe all buildd
admins scroll through the log and look for some obvious signs of
errors before signing. I don't expect them to read a 17 MB logfile
line by line for example.
But even without reading having an actual person handling the signing
has advantages. In case a buildd is compromised the signing still
isn't. The attacker can't start and upload 500 backdoor packages
pretending to be something else without raising red flags. Also
failures in the buildd behaviour have to be caught, like building
empty debs all of a sudden. A quick glance at the package contents
listed in the build log will detect that.