No Cc was necessary, I am subscribed to debian-devel. On Tue, 2003-12-02 at 03:30, Goswin von Brederlow wrote: > Scott James Remnant <scott@netsplit.com> writes: > > > A compromised dinstall on ftp-master could also replace the keyring > > package with a new one containing an extra key, used to sign the new > > package and any other package they felt like. > > You don't check the signatur of a debian-keyring update against a > known good keyring? Maybe the debian-keyring package could add some > magic to its pre/postrm to check the new keyring on updates to do this > automatically. > Personally I don't actually have a copy of debian-keyring installed; but I tend to be against automatic checking of this kind, if a key's going to be trusted I want to be the one who marks it as trusted. > > Assuming that level of compromise, there's no recent to suspect that > > they couldn't have free reign adding anything to the archive they > > wanted. Signed .debs gain you nothing here. > > You can detect such a compromised keyring easily if you realy care. So > for people who care the debian-keyring can't be compromised this > way. And then signed debs gain security (in the problem we face now > tih the archive). > I'm still not convinced how they do gain you security? The assumption that the MD5 signature and Release GPG signature isn't sufficient is that the key is stored on a machine that can be compromised. The same applies to the keyring itself, so if I can compromise one, surely I can compromise the other. Convince me :-) > The point of the excercise was that the changes files are not > available to the general public in a crisis situation like now and are > not easily available at normal times. > I'm not sure how you figure that they aren't easily available, the list.d.o archive is "easily available". That being said, I'm not objecting to putting them anywhere else either, I'm just pointing out that they are publicly available. Scott -- Have you ever, ever felt like this? Had strange things happen? Are you going round the twist?
Attachment:
signature.asc
Description: This is a digitally signed message part