Re: Revival of the signed debs discussion

To: Scott James Remnant <scott@netsplit.com>
Cc: Debian Developers <debian-devel@lists.debian.org>
Subject: Re: Revival of the signed debs discussion
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: 02 Dec 2003 04:30:55 +0100
Message-id: <[🔎] 87k75fkia8.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] 1070294218.31956.26.camel@elite>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 1070294218.31956.26.camel@elite>

Scott James Remnant <scott@netsplit.com> writes:

> On Mon, 2003-12-01 at 13:34, Goswin von Brederlow wrote:
> 
> > We have no continous trust chain going from the maintainer (also
> > meaning buildd + admin), ftp-master.d.o, mirrors to the user. A
> > compromised dinstall on master could replace binary uploads with
> > trojan versions without any user being able to detect it.
> > 
> A compromised dinstall on ftp-master could also replace the keyring
> package with a new one containing an extra key, used to sign the new
> package and any other package they felt like.

You don't check the signatur of a debian-keyring update against a
known good keyring? Maybe the debian-keyring package could add some
magic to its pre/postrm to check the new keyring on updates to do this
automatically.

> Assuming that level of compromise, there's no recent to suspect that
> they couldn't have free reign adding anything to the archive they
> wanted.  Signed .debs gain you nothing here.

You can detect such a compromised keyring easily if you realy care. So
for people who care the debian-keyring can't be compromised this
way. And then signed debs gain security (in the problem we face now
tih the archive).

> Anyway, I digress from this, I'm replying to point out that we have
> exactly the chain of trust you want:
> 
> 
> Download the source package components, verify their MD5 signatures
> against the Sources file, verify the MD5 signature of the Sources file
> against the Release file and verify that file's GPG signature.  This
> proves that the package has successfully passed through the ftp-master
> process and entered the archive.

This ensures no mirror-in-the-middle attack was performed as already
stated in the original mail.

> To verify this was uploaded by a Debian developer, go to
> http://lists.debian.org/debian-devel-changes/ and find the Accepted
> message, verify that message's GPG signature and verify the MD5
> signatures of the files in that against the real files (this contains
> uploaded .deb signatures too).

Thats possible as long as lists.debian.org is up and running. Also an
attacker to lists.debian.org could erase the archive or the archive
gets lost in a harddisk crash. What then? Rebuild every deb in stable,
testing and unstable?

The point of the excercise was that the changes files are not
available to the general public in a crisis situation like now and are
not easily available at normal times.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Scott James Remnant <scott@netsplit.com>

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Scott James Remnant <scott@netsplit.com>

Prev by Date: Re: autoconf AC_SYS_LARGEFILE
Next by Date: Re: [custom] Re: Custom Debian Distributions (was: Re: Integrate Knoppix in Debian (was: Re: Debian Enterprise?))
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread