
Re: dpkg-sig support wanted?



Steve Langasek <vorlon@debian.org> writes:

> On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:
>
>> > That's easy: you trust the Packages file to be correct when using apt,
>> > and it's not verified at all by per-package signatures.
>
>> In what way trust and how does that change anything?
>
>> At best you can prevent a newer version of a package from appearing in
>> the Packages file by compromising it. You can't subvert a package itself.
>> But you can already ship yesterday's Release.gpg, Release and Packages
>> file to a user and thereby prevent any updates.
>
>> On the other hand, without package signatures ftp-master adds a
>> vulnerability. You can hack into it, replace debs, recreate the
>> Packages, Release and Release.gpg file and thereby infect users. With
>> signed debs that could still be detected by every user in apt-get.
>
> Only if every user is in a position to verify signatures from each Debian
> developer individually, which is completely unrealistic.

Up to a point you can trust the keyring. As much as you can trust any
DD signature. You try to argue that signatures are not absolutely
trustworthy but that is nothing new. Nothing you can do will change
that. What you fail to see (or say) is that all the security Debian
already has is weak in exactly the same way. The difference to signed
debs is the transparency and triviality to check. Even if that check
has to use a 5 hop trust path to some DD you never met.

Also for !i386 !ppc basically all packages are autobuilt and will be
signed by a handful of people. You can go and meet them easily
enough.

Further, with signed debs, you could only allow installation of debs
from people you trust and recompile all the rest after a source
audit. If you are that paranoid.

MfG
        Goswin
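The two attacks the thread turns on, a replayed old Release and an archive-side rebuild of the Packages and Release files, can be shown on a toy model of the apt trust chain. The script below is an added example, not code from the message or from Debian's tools; the .deb contents and dates are constructed, and the Release.gpg signature check is assumed to have already passed (it is not modelled). It parses the Release "SHA256:" block and the Packages stanzas in their real format, verifies Release -> Packages -> .deb, and adds a freshness check against the last Release the client accepted.

```python
"""Toy model of the apt trust chain (added example, not Debian's code).
Release lists hashes of Packages; Packages lists hashes of .deb files.
All sample data below is constructed."""
import hashlib
import re
from email.utils import parsedate_to_datetime

# Constructed stand-ins for archive files: path -> file contents.
DEBS = {"pool/main/f/foo/foo_1.0-1_i386.deb": b"contents of foo 1.0-1"}
PACKAGES_PATH = "main/binary-i386/Packages"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_packages(debs: dict) -> bytes:
    """Build a minimal Packages file, one stanza per .deb, with SHA256 fields."""
    stanzas = []
    for path, body in debs.items():
        name = path.rsplit("/", 1)[1].split("_")[0]
        stanzas.append(f"Package: {name}\nFilename: {path}\n"
                       f"Size: {len(body)}\nSHA256: {sha256(body)}\n")
    return "\n".join(stanzas).encode()


def make_release(packages: bytes, date: str) -> bytes:
    """Build a minimal Release file covering the Packages file."""
    return (f"Date: {date}\nSHA256:\n"
            f" {sha256(packages)} {len(packages)} {PACKAGES_PATH}\n").encode()


def parse_release_hashes(release: bytes) -> dict:
    """Return {path: (sha256, size)} from the SHA256 block of a Release file."""
    hashes, in_block = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_block = False  # any other field ends the hash block
    return hashes


def parse_packages(packages: bytes) -> dict:
    """Return {Filename: (sha256, size)} from a Packages file."""
    result = {}
    for stanza in packages.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if "Filename" in fields:
            result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result


def verify_chain(release: bytes, packages: bytes, deb_path: str, deb: bytes) -> bool:
    """Check Release -> Packages -> .deb. Assumes Release.gpg already verified."""
    entry = parse_release_hashes(release).get(PACKAGES_PATH)
    if entry != (sha256(packages), len(packages)):
        return False
    pkg = parse_packages(packages).get(deb_path)
    return pkg == (sha256(deb), len(deb))


def is_replayed(release: bytes, last_accepted_date: str) -> bool:
    """Freeze/replay check: a Release dated before the one the client last
    accepted is refused even though its hashes (and signature) still verify."""
    date = re.search(r"^Date: (.*)$", release.decode(), re.M).group(1)
    return parsedate_to_datetime(date) < parsedate_to_datetime(last_accepted_date)


if __name__ == "__main__":
    path = next(iter(DEBS))
    packages = make_packages(DEBS)
    release = make_release(packages, "Thu, 24 Nov 2005 18:00:00 +0000")
    print("genuine chain:", verify_chain(release, packages, path, DEBS[path]))
    # Swapping the .deb alone is caught by the Packages hash ...
    print("swapped deb only:", verify_chain(release, packages, path, b"trojaned"))
    # ... but an attacker who can rebuild Packages and Release (and sign them)
    # produces a chain that verifies just as well; only a per-package
    # signature by the uploader would expose the substitution.
    evil_pkgs = make_packages({path: b"trojaned"})
    evil_rel = make_release(evil_pkgs, "Fri, 25 Nov 2005 09:00:00 +0000")
    print("rebuilt archive:", verify_chain(evil_rel, evil_pkgs, path, b"trojaned"))
    print("replayed:", is_replayed(release, "Fri, 25 Nov 2005 09:00:00 +0000"))
```

The rebuilt-archive case is Goswin's point: every hash in the chain is consistent, so a client that trusts only the archive key has nothing to notice. The replay check is the other half of the argument: an old but validly signed Release is accepted by the hash chain alone, so the client has to remember the last Date it saw.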


