
Re: Revival of the signed debs discussion
Matt Zimmerman <mdz@debian.org> writes:

> On Thu, Dec 04, 2003 at 03:03:39AM +0100, Goswin von Brederlow wrote:
> 
> > Signed debs establish a trust chain from the buildd to the user and
> > from the buildd-admin/maintainer to the user as well as copy the
> > existing trust chain from ftp-master to the user into the deb itself.
> > 
> > The Release.gpg only protects against a mirror being hacked. Checking
> > it is important but not as powerful as a signature in the deb.
> 
> This sounds backwards.
> 
> Release signing protects against a hostile or compromised mirror, network,
> DNS server, proxy server, and a host of other, similar attacks, and also
> prevents most forms of the "substitute old, vulnerable packages" attack.

Any compromise happening before the package left ftp-master.d.o is not
covered by this. That means that if master is compromised a vulnerable
binary can be slipped into the archive and nothing will detect it.

> What kind of real world attacks do signed debs prevent?  Not a compromised
> buildd, or a compromised maintainer's workstation.

A compromised master will be caught by this.

There is no protection possible against a compromised buildd,
compromised maintainer's workstation or a malicious maintainer short
of an intelligent AI. Saying something doesn't protect us against that
is a non-argument.

To sum it up, advantages of signed debs are:

1. chain of trust from buildd to user
 or
   chain of trust from maintainer to user
(currently roughly present when the debian-arch-changes mailing list is subscribed)

2. chain of trust from ftp-master to user
(currently temporarily present through Release.gpg as long as the deb is
in the archive)

3. easy verification, automatic verification with users preferences

   NMUs, hijacks, adoptions, ... can be detected and judged on a key by
   key basis if one desires

4. lasting signature

   The Release.gpg signature only lasts as long as the file is in the
   archive. Even changes to files without version change are
   undetected once Release.gpg has been rebuilt.

5. Trust is kept for partial mirrors, apt-move, apt-zip, Debian-based
   distributions, custom CDs, ...

   E.g. Progeny can use Debian debs and they can still be verified to
   be original. Or the daily D-I images.

Drawbacks:
132-byte size increase per signature

Kind regards
        Goswin
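The two trust chains the thread argues about can be modelled in a few dozen lines. The following is an added example, not code from the thread or from Debian's tools: HMAC-SHA256 stands in for the GPG signatures (the only property needed here is "was produced by the holder of key K"), the archive layout is reduced to a `Release` file covering the hash of `Packages`, which covers the hash of each deb, and a "signed deb" is modelled as the payload plus an embedded signature from a hypothetical buildd key. The scenarios reproduce the cases discussed above: a mirror that alters a deb, a compromised master that alters a deb and then regenerates and re-signs `Release`, and a deb that has left the archive.

```python
"""
Toy model of the two trust chains from the signed-debs discussion:
  (a) archive level: Release.gpg -> Release -> Packages -> deb hash
  (b) package level: a signature embedded in the deb itself
HMAC-SHA256 is a stand-in for GPG signatures (assumption), so the
whole thing runs with the standard library only.
"""
import hashlib
import hmac

# Constructed demo keys; in the real archive these are GPG keys.
FTPMASTER_KEY = b"ftp-master-signing-key"
BUILDD_KEY = b"buildd-signing-key"
SIG_MARKER = b"\n--embedded-signature: "  # hypothetical signed-deb format


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> str:
    # Stand-in for a detached GPG signature over `data`.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_sig(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def build_signed_deb(payload: bytes, buildd_key: bytes) -> bytes:
    """Model of a signed deb: payload with the builder's signature embedded."""
    return payload + SIG_MARKER + sign(buildd_key, payload).encode()


def verify_embedded(deb: bytes, buildd_key: bytes) -> bool:
    """Package-level check: needs only the deb and the builder's key."""
    if SIG_MARKER not in deb:
        return False
    payload, sig = deb.rsplit(SIG_MARKER, 1)
    return verify_sig(buildd_key, payload, sig.decode())


def build_archive(debs: dict, ftpmaster_key: bytes) -> dict:
    """ftp-master regenerates Packages and Release and re-signs Release."""
    packages = "\n".join(
        f"{name} {sha256(content)}" for name, content in sorted(debs.items())
    ).encode()
    release = ("Packages " + sha256(packages)).encode()
    return {
        "Packages": packages,
        "Release": release,
        "Release.gpg": sign(ftpmaster_key, release),
        "pool": dict(debs),
    }


def verify_via_release(archive: dict, name: str, deb: bytes, ftpmaster_key: bytes) -> bool:
    """Archive-level check: Release.gpg -> Release -> Packages -> deb hash."""
    if not verify_sig(ftpmaster_key, archive["Release"], archive["Release.gpg"]):
        return False
    expected_packages_hash = archive["Release"].split()[1].decode()
    if sha256(archive["Packages"]) != expected_packages_hash:
        return False
    index = dict(line.split() for line in archive["Packages"].decode().splitlines())
    return index.get(name) == sha256(deb)


def scenarios() -> dict:
    """Returns {scenario: (archive chain verifies, embedded signature verifies)}."""
    good = build_signed_deb(b"hello_1.0_i386 contents", BUILDD_KEY)
    archive = build_archive({"hello": good}, FTPMASTER_KEY)
    results = {}
    # 1. Untouched deb: both chains verify.
    results["intact"] = (verify_via_release(archive, "hello", good, FTPMASTER_KEY),
                         verify_embedded(good, BUILDD_KEY))
    # 2. A mirror alters the deb but cannot re-sign Release: both chains catch it.
    tampered = b"hello_1.0_i386 contents, modified" + SIG_MARKER + good.rsplit(SIG_MARKER, 1)[1]
    results["tampered_on_mirror"] = (verify_via_release(archive, "hello", tampered, FTPMASTER_KEY),
                                     verify_embedded(tampered, BUILDD_KEY))
    # 3. Deb altered on master and Release rebuilt with the archive key: the
    #    archive chain still verifies, only the embedded signature fails.
    rebuilt = build_archive({"hello": tampered}, FTPMASTER_KEY)
    results["tampered_then_rebuilt"] = (verify_via_release(rebuilt, "hello", tampered, FTPMASTER_KEY),
                                        verify_embedded(tampered, BUILDD_KEY))
    # 4. Deb superseded and gone from Packages (partial mirror, old CD, ...):
    #    the archive chain can no longer vouch for it, the embedded one still can.
    later = build_archive({"hello": build_signed_deb(b"hello_1.1_i386 contents", BUILDD_KEY)},
                          FTPMASTER_KEY)
    results["no_longer_in_archive"] = (verify_via_release(later, "hello", good, FTPMASTER_KEY),
                                       verify_embedded(good, BUILDD_KEY))
    return results


if __name__ == "__main__":
    for name, (via_release, via_embedded) in scenarios().items():
        print(f"{name:24s} Release chain: {via_release!s:5s} embedded: {via_embedded}")
```

The `tampered_then_rebuilt` case is the one Goswin calls a compromised master: the archive chain is only as trustworthy as whoever holds the `Release` signing key at regeneration time, while the embedded signature is bound to the builder's key and survives the deb leaving the archive (`no_longer_in_archive`). The `tampered_on_mirror` case is Matt's point: for a mirror or network attacker, `Release.gpg` already suffices.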