Re: Revival of the signed debs discussion
Matt Zimmerman <firstname.lastname@example.org> writes:
> On Wed, Dec 03, 2003 at 06:43:18AM +0100, Goswin von Brederlow wrote:
> > Matt Zimmerman <email@example.com> writes:
> > > On Wed, Dec 03, 2003 at 03:07:17AM +0100, Goswin von Brederlow wrote:
> > >
> > > > But this kind of tampering _can_ be checked by apt before installing
> > > > the deb simply by adding a signature verifyer into the
> > > > DPkg::Pre-Install-Pkgs config option, the same mechanism
> > > > apt-listchanges already uses to display only the new section of the
> > > > changelog.
> > >
> > > Indeed, apt can do a lot better, and is very close to doing so. See #203741.
> > The assumption was that the archive was compromised but the Release.gpg
> > file changed and resigned.
> Who was assuming this? At any rate, protecting the secret key is of course
> the weakest link in any public key cryptosystem, and I don't see what that
> has to do with apt.
Signed debs establish a trust chain from the buildd to the user and
from the buildd-admin/maintainer to the user as well as copy the
existing trust chain from ftp-master to the user into the deb itself.
The Release.gpg only protects against a mirror being hacked. Checking
it is important but not as powerfull as a signature in the deb.
> > #203741 is about checking the
> > Release.gpg chain of trust or is there more hidden in all the mails.
> Yes, that is what it is about.
> > Did the BTS reoder the mails, there don't seem to follow a locigal
> > discussion. Haven't bothered to check the timestamps though.
> Messages from discussions in other fora (including private mail) were later
> copied to the BTS.
That explains it.