Re: Revival of the signed debs discussion

To: Anthony DeRobertis <asd@suespammers.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: 06 Dec 2003 04:46:24 +0100
Message-id: <[🔎] 87d6b2bobz.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] 1070647822.16250.12.camel@bohr.local>
References: <[🔎] 20031202144535.GA18163@kitenet.net> <[🔎] E1ARDy4-0000m0-LO@mid.downhill.at.eu.org> <[🔎] 20031202194241.GC22593@kitenet.net> <[🔎] 87fzg2hcx6.fsf@mrvn.homelinux.org> <[🔎] 20031203023731.GA582@dijkstra.csh.rit.edu> <[🔎] 87ptf6focp.fsf@mrvn.homelinux.org> <[🔎] 20031203190216.GH582@dijkstra.csh.rit.edu> <[🔎] 87u14hcpac.fsf@mrvn.homelinux.org> <[🔎] 20031204164750.GG582@dijkstra.csh.rit.edu> <[🔎] 878yls77za.fsf@glaurung.green-gryphon.com> <[🔎] 20031204194143.GR582@dijkstra.csh.rit.edu> <[🔎] 87d6b34mjf.fsf@glaurung.green-gryphon.com> <[🔎] 1070647822.16250.12.camel@bohr.local>

Anthony DeRobertis <asd@suespammers.org> writes:

> On Fri, 2003-12-05 at 04:54, Manoj Srivastava wrote:
> 
> > > The only one which comes to mind is a rogue Debian developer that
> > > you do not wish to trust, even though the project trusts him.
> > 
> > 	Not quite. The signed deb is non-repudiable authorship -- nice
> >  to know whence the software cometh.
> 
> No it isn't. For it to be non-repudiable, you'd have to demonstrate that
> the key has not been compromised; that the developer knew what he was
> signing (as opposed to a trojaned gpg telling him one thing while doing
> another); etc. Proving those is quite impossible --- especially if he
> doesn't want you to: He can always compromise his own key, on purpose.

If a package is compromised we can proof that the DD of the package
either is malicious or incompetent. Two good reasons to exclude
packages signed by him in the future. :)

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Henning Makholm <henning@makholm.net>
- Re: Revival of the signed debs discussion
  - From: Anthony DeRobertis <asd@suespammers.org>

References:
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Andreas Metzler <ametzler@downhill.at.eu.org>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Revival of the signed debs discussion
  - From: Anthony DeRobertis <asd@suespammers.org>

Prev by Date: Re: debsums for maintainer scripts
Next by Date: Re: Building Debian Completely From Source
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread