Re: Revival of the signed debs discussion

To: Andreas Barth <aba@not.so.argh.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: 06 Dec 2003 20:50:45 +0100
Message-id: <[🔎] 87n0a5afoq.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] 20031206125349.GA26236@mails.so.argh.org>
References: <[🔎] 87ptf6focp.fsf@mrvn.homelinux.org> <[🔎] 20031203190216.GH582@dijkstra.csh.rit.edu> <[🔎] 87u14hcpac.fsf@mrvn.homelinux.org> <[🔎] 20031204164750.GG582@dijkstra.csh.rit.edu> <[🔎] 878yls77za.fsf@glaurung.green-gryphon.com> <[🔎] 20031204194143.GR582@dijkstra.csh.rit.edu> <[🔎] 87d6b34mjf.fsf@glaurung.green-gryphon.com> <[🔎] 1070647822.16250.12.camel@bohr.local> <[🔎] 87d6b2bobz.fsf@mrvn.homelinux.org> <[🔎] 87ptf2dv06.fsf@kreon.lan.henning.makholm.net> <[🔎] 20031206125349.GA26236@mails.so.argh.org>

Andreas Barth <aba@not.so.argh.org> writes:

> * Henning Makholm (henning@makholm.net) [031206 13:25]:
> > Scripsit Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
> > > If a package is compromised we can proof that the DD of the package
> > > either is malicious or incompetent.
>  
> > Say, we just had a major compromise on certain Debian machines. Pray
> > tell, who do you think this proves is malicious or incompetent? We'd
> > certainly want to toss out the culprit ASAP.

If a mail goes around saying the key of xyz got compromised I would
block any package with that key from getting installed (given signed
debs), in a heartbeet.

How or what is to blame can be sorted out later.

> IMHO there can also be a third explanation: "Bad luck". But this also
> nullifies the trust in any keys on any compromised machine - and the
> administrators did replace the keys.

And currently its very hard to remove packages build by a compromised
maintainer from a local system or even check if one has any.

MfG
        Goswin

Reply to:

References:
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Revival of the signed debs discussion
  - From: Anthony DeRobertis <asd@suespammers.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Henning Makholm <henning@makholm.net>
- Re: Revival of the signed debs discussion
  - From: Andreas Barth <aba@not.so.argh.org>

Prev by Date: Re: Building Debian Completely From Source
Next by Date: Re: Requirements on signatures on debs (was: Revival of the signed debs discussion)
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread