[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig: sign binary debian archive files

* Brian May (bam@debian.org) [031228 00:40]:
> On Sat, Dec 27, 2003 at 07:58:28PM +0100, Andreas Barth wrote:
> > This tools signs binary debian archive files (i.e. *.deb), and not
> > .changes and .dsc-files. So, there's only one existing tool at the
> > moment, debsigs.

> Somebody should probably highlight the differences between the
> this and the signature checking in apt 0.6.
> I gather this is per deb package, where the stuff in apt 0.6 is per
> archive.

Yes. This are two orthogonal issues.

> What are the pros/cons of each method?

- You can just trust an archive and don't need to care how the
  packages came into the archive
- Protects from attacks on the transport way (faked archive, DNS
  spoofing, bad mirror, ...).
- Difficult for partial mirrors

per deb:
- Traceability of each individual deb file ("who did it build", "who
  did it distribute", ...)
- Allow the end-users to perform verification (and so put away the
  single-point-of-failure named archive scripts) of the original

To be honest: I think we need both. That apt-secure is now merged into
apt is a very good step in my opinion.

> Also, how does dpkg-sig compare with debsigs?

That was the long list in the previous mail. debsigs was reviewed, and
some ideas were taken from there. However, the possibility to make
remote signatures was very important, so signature creation needed a
new way (and remote signatures are important for the buildd-admins, I
had some discussions on IRC).

Furthermore, in one of the next releases, dpkg-sig is able to also
verify signatures done by debsigs.

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Reply to: