Re: Revival of the signed debs discussion

To: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Andreas Barth <aba@not.so.argh.org>
Date: Fri, 5 Dec 2003 10:44:48 +0100
Message-id: <[🔎] 20031205094448.GA27794@mails.so.argh.org>
Mail-followup-to: Andreas Barth <aba@not.so.argh.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 20031204211418.GW582@dijkstra.csh.rit.edu>
References: <[🔎] 87fzg2hcx6.fsf@mrvn.homelinux.org> <[🔎] 20031203023731.GA582@dijkstra.csh.rit.edu> <[🔎] 87ptf6focp.fsf@mrvn.homelinux.org> <[🔎] 20031203190216.GH582@dijkstra.csh.rit.edu> <[🔎] 87u14hcpac.fsf@mrvn.homelinux.org> <[🔎] 20031204164750.GG582@dijkstra.csh.rit.edu> <[🔎] 878yls77za.fsf@glaurung.green-gryphon.com> <[🔎] 20031204194143.GR582@dijkstra.csh.rit.edu> <[🔎] 20031204205838.GA25511@nevyn.them.org> <[🔎] 20031204211418.GW582@dijkstra.csh.rit.edu>

* Matt Zimmerman (mdz@debian.org) [031204 22:25]:
> On Thu, Dec 04, 2003 at 03:58:38PM -0500, Daniel Jacobowitz wrote:
> > On Thu, Dec 04, 2003 at 02:41:43PM -0500, Matt Zimmerman wrote:
> > > What kind of real world attacks do signed debs prevent?
> > > 
> > > The only one which comes to mind is a rogue Debian developer that you do
> > > not wish to trust, even though the project trusts him.

> > Someone pretending to be someone Manoj trusts, offering him a corrupted
> > .deb offline?
 
> s/offline/without the corresponding signed metadata/
> 
> The advantage would certainly appear to be one of convenience (keeping
> everything in one file), rather than security (preventing attacks).

If it is more convenient, than security actions are far more often
made.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Reply to:

References:
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Daniel Jacobowitz <dan@debian.org>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: The term "Custom Debian Distribution" (Was Re: [custom] The term "flavor" and encouraging work on Debian)
Next by Date: Re: [custom] Debian Enterprise - packages
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread