
Re: Revival of the signed debs discussion

Wouter Verhelst <wouter@grep.be> writes:

> Op wo 03-12-2003, om 10:09 schreef Andreas Barth:
> > > > file back signed by the build admin. The debian archive scripts
> > > > accepts packages signed by a buildd-key only if it is a binary package
> > > > for this architecture, the key is valid (i.e. in the right year), and
> > > > this package has been handed out to this autobuilder for building.
> > > 
> > > Valid for the autobuilder the package has been handed to and that sent
> > > it in, and if the changes file is correct.
> > > 
> > > But what if the buildd failed and someone manually builds the deb,
> > > signs it and uploads? The debian archive scripts would need a way to
> > > distinguish between autobuilt packages and manually built binary-only
> > > uploads.
> I don't see why that would be the case. Could you elaborate?

That's if the archive checks buildd signatures against buildd admin
signatures and normal uploads against the right maintainer. That would
prevent a gone-mad DD from hacking into a DD, stealing the key and
uploading packages with that and his signature.

Well, a gone-mad DD is unlikely. But a compromised DD key could be used
with a hacked buildd to upload packages. Restricting buildd uploads to
the buildd admin (and some backup people) would prevent that.

Any upload not done by either the real maintainer or the buildd +
buildd-admin signature could be dropped into the delayed queue. That
would include NMUs and hijacks automatically. _If_ a plausibility
check is done on the signature, that should not be restricted just to
buildd admins.

> > The archive script would of course continue to accept any deb by any
> > DD under the same conditions as today. The question to the
> > buildd-admins is: How often does this happen?
> Hardly ever, if at all. Most "manual" bin-NMUs are done by people that
> are not buildd admins.
> > Does this need special
> > handling, or is it ok for them if they sign in these rare cases with
> > their normal key?
> I don't see why that wouldn't be the case (but perhaps that's related to
> the above)

As long as any DD can just upload anything it doesn't matter. Only if
signatures are checked for plausibility is there a gain from splitting
the buildd admin signature and his normal personal signature.

The buildd gpg key could be group owned in that case and would get
refreshed every time a member of the group leaves.
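The plausibility check sketched in this message, written out as an added illustration that is not part of the thread and not Debian's archive scripts. Signature verification itself is assumed to have happened already: an upload carries the set of key ids whose signatures on the .changes file verified. All key ids, the maintainer table, the buildd-key table (architecture plus the year the key is valid for), the buildd-admin groups and the "handed out to this autobuilder" record are constructed sample data, and the result strings are invented labels for the three outcomes discussed (accept, delayed queue, reject).

```python
"""Archive-side upload routing as discussed in the thread.

Added example, not dak or any Debian code. Cryptographic verification is
modelled as already done: `signers` holds the key ids whose signatures on
the .changes file verified. Everything below is constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed tables (hypothetical key ids).
MAINTAINERS = {"foo": "KEY-MAINT-FOO"}           # source package -> maintainer key
BUILDD_KEYS = {                                   # buildd key -> (arch, valid year)
    "KEY-BUILDD-ARM-2003": ("arm", 2003),
    "KEY-BUILDD-ARM-2002": ("arm", 2002),         # last year's key, no longer valid
}
BUILDD_ADMINS = {                                 # arch -> buildd admin + backup keys
    "arm": frozenset({"KEY-ADMIN-ARM", "KEY-ADMIN-BACKUP"}),
}
HANDED_OUT = {                                    # (source, version, arch) -> buildd key
    ("foo", "1.0-1", "arm"): "KEY-BUILDD-ARM-2003",
}
DD_KEYS = frozenset({                             # keyring of all developers
    "KEY-MAINT-FOO", "KEY-ADMIN-ARM", "KEY-ADMIN-BACKUP", "KEY-OTHER-DD",
})


@dataclass(frozen=True)
class Upload:
    source: str
    version: str
    architecture: str          # "source", "all" or a real architecture
    binary_only: bool
    signers: FrozenSet[str]    # key ids that verified on the .changes file
    year: int                  # year of the upload, checked against the buildd key


def classify(u: Upload) -> str:
    """Return 'accept:...', 'delayed:...' or 'reject:...' for an upload."""
    # 1. The real maintainer: accepted under the same conditions as today.
    if MAINTAINERS.get(u.source) in u.signers:
        return "accept:maintainer"

    # 2. A buildd key is present: apply the conditions from the thread.
    for key in sorted(u.signers):
        if key not in BUILDD_KEYS:
            continue
        arch, valid_year = BUILDD_KEYS[key]
        # binary package for this architecture only
        if not u.binary_only or u.architecture != arch:
            return "reject:buildd-key-wrong-arch"
        # the key is valid, i.e. in the right year
        if u.year != valid_year:
            return "reject:buildd-key-expired"
        # this package was handed out to this autobuilder
        if HANDED_OUT.get((u.source, u.version, u.architecture)) != key:
            return "reject:not-handed-out"
        # countersigned by the buildd admin (or a backup person)
        if u.signers & BUILDD_ADMINS[arch]:
            return "accept:buildd"
        # buildd key plus some other DD key (e.g. a stolen one): not enough
        return "delayed:buildd-without-admin"

    # 3. Any other DD signature (NMU, hijack): delayed queue, not rejection.
    if u.signers & DD_KEYS:
        return "delayed:nmu"
    return "reject:unknown-signer"


if __name__ == "__main__":
    normal = Upload("foo", "1.0-1", "arm", True,
                    frozenset({"KEY-BUILDD-ARM-2003", "KEY-ADMIN-ARM"}), 2003)
    stolen = Upload("foo", "1.0-1", "arm", True,
                    frozenset({"KEY-BUILDD-ARM-2003", "KEY-OTHER-DD"}), 2003)
    print(classify(normal), classify(stolen))
```

The second sample upload is the case the message worries about: a hacked buildd signing with its own key plus a compromised DD key. It passes the architecture, year and handed-out checks but lacks the admin countersignature, so it lands in the delayed queue instead of the archive, which is exactly the gain from keeping the buildd-admin signature separate from a personal one.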

