Re: Revival of the signed debs discussion

* Goswin von Brederlow (brederlo@informatik.uni-tuebingen.de) [031203 03:25]:
> Henning Makholm <henning@makholm.net> writes:
> > If an attacker compromises the buildd to the point where he can gain
> > access to its secret key, he could just as well attack its build
> > environment, or simply use his access to convincingly forge an email
> > to you, asking you to sign a malicious package.

> The maintainer's signature is worth a bit more. If the buildd is
> compromised the onsite key can be used to create new packages at will
> and predate them to before the attack. With the maintainer's key only
> packages built after the attack can be compromised and if the start of
> the attack can be determined only a few packages have to be removed.

If the archive maintenance script also signs the package (and the
signature does keep the signing time), then you don't gain extra
security by the extra signature. The only case where you would gain
anything is if an attacker gets both keys under his own control.
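The argument above turns on whether the signature carries its signing time and who controls that value. As an added example (mine, not code from this thread or from Debian's archive tooling), the Python below lays out and parses a v4 OpenPGP signature packet (RFC 4880, tag 2) to show where the creation time lives: in the hashed subpacket area, so a third party cannot alter it, but the holder of the key supplies it and can predate at will. The signature value is a zero placeholder (no real RSA signing is done), the key id and times are made up, and `needs_review` assumes the archive keeps an independent log of when each upload arrived.

```python
import struct
from datetime import datetime, timezone

# Subpacket types, RFC 4880 section 5.2.3.1
SIG_CREATION_TIME = 2
ISSUER_KEY_ID = 16


def _encode_length(n):
    # OpenPGP new-format length encoding, shared by packets and subpackets
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def _decode_length(buf, pos):
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not handled")


def _subpacket(sp_type, data):
    body = bytes([sp_type]) + data
    return _encode_length(len(body)) + body


def build_signature_packet(creation_time, issuer_key_id, mpi=None):
    """Lay out a v4 signature packet over a binary document.

    creation_time is whatever the key holder asks for. It goes into the
    hashed subpacket area, so it is covered by the signature, but nothing
    stops the signer from choosing a date before an attack started.
    mpi is a placeholder: this example computes no real RSA signature.
    """
    if mpi is None:
        mpi = b"\x00" * 256  # assumption: dummy 2048-bit RSA signature value
    hashed = (_subpacket(SIG_CREATION_TIME, struct.pack(">I", creation_time))
              + _subpacket(ISSUER_KEY_ID, issuer_key_id))
    body = (bytes([4, 0x00, 1, 8])           # v4, binary doc, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0)           # empty unhashed subpacket area
            + b"\x00\x00"                    # left 16 bits of hash (dummy)
            + struct.pack(">H", len(mpi) * 8) + mpi)
    return bytes([0xC0 | 2]) + _encode_length(len(body)) + body


def _parse_subpackets(area):
    out, pos = {}, 0
    while pos < len(area):
        length, pos = _decode_length(area, pos)
        sp_type = area[pos] & 0x7F           # high bit is the critical flag
        out[sp_type] = area[pos + 1:pos + length]
        pos += length
    return out


def parse_signature_packet(packet):
    """Return the fields a verifier sees, flagging whether the time is hashed."""
    if packet[0] & 0xC0 != 0xC0 or packet[0] & 0x3F != 2:
        raise ValueError("expected a new-format signature packet")
    body_len, pos = _decode_length(packet, 1)
    body = packet[pos:pos + body_len]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = _parse_subpackets(body[6:6 + hashed_len])
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = _parse_subpackets(body[pos + 2:pos + 2 + unhashed_len])
    issuer = hashed.get(ISSUER_KEY_ID) or unhashed.get(ISSUER_KEY_ID)
    return {
        "sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
        "creation_time": struct.unpack(">I", hashed[SIG_CREATION_TIME])[0],
        "creation_time_hashed": SIG_CREATION_TIME in hashed,
        "issuer_key_id": issuer.hex() if issuer else None,
    }


def needs_review(packet, attack_start, archive_arrival):
    """Decide whether a package must be pulled after a key compromise.

    The signature's own creation time cannot clear a package, since the
    key holder picks it. archive_arrival is assumed to come from the
    archive's own log of when the upload was accepted, which the signer
    does not control.
    """
    info = parse_signature_packet(packet)
    arrived_pre_attack = archive_arrival < attack_start
    return {
        "claims_pre_attack": info["creation_time"] < attack_start,
        "arrived_pre_attack": arrived_pre_attack,
        "pull": not arrived_pre_attack,
    }


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")   # made-up issuer key id
    attack = 1070400000                        # made-up compromise time
    predated = build_signature_packet(attack - 7 * 86400, key)
    info = parse_signature_packet(predated)
    stamp = datetime.fromtimestamp(info["creation_time"], timezone.utc)
    print("claimed signing time:", stamp, "hashed:", info["creation_time_hashed"])
    print(needs_review(predated, attack, archive_arrival=attack + 100000))
```

Run as a script it prints a signature that claims to predate the compromise by a week, yet `needs_review` still pulls it because the arrival time says otherwise; that is the check a practitioner wants when deciding which packages to remove after a buildd or maintainer key is lost.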

