[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

>>>>> "Thiemo" == Thiemo Seufer <ths@networkno.de> writes:

    >> Well, even if I know naught about it, it looks to me that having
    >> something signed is better than having the same something not signed.

    Thiemo> Sorry, but that's a snake oil rationale.

A: Why do you lock your car up[1]?

B: Because it looks like having it locked is better then not having it
locked.

A: Sorry, but that's a snake oil rationale. Anybody can pick the lock
and break in. Anybody can smash a window and break in. etc.

However, we still lock our cars regardless.  We still lock our
houses. We still use signatures and ID cards (all of which can be
forged) as protection to keep our money safe.

The reason why? Because we have just made it more difficult (or so we
hope!) for somebody to break in. We still consider this a worth while
compared with the added inconvenience of having to maintain the
additional security (e.g. keep the key safe and not lost). Despite the
fact we all know it is not absolute security.

It is also feasible. Yes, you could hire a security guard to watch
your car 24 hours a day, but that is likely to cost more then the car
is worth. Most people don't consider their cars to be this important.

I think the same thing applies here - sure somebody could interfere
with the system and either steal the private key or get a package
signed that shouldn't be signed, but if you really want to argue along
these lines, I think we remove all signatures everywhere, because the
possibility exists any one of these could be "forged" (especially as
Debian cannot guarantee that every maintainer keeps their private key
secure, and that their build systems are secure, etc).

So just saying "its snake oil" isn't really saying anything IMHO,
because taken to an extreme all security we have in this world *is*
snake oil. Sometimes it works. Sometimes it doesn't work. That doesn't
mean we shouldn't try to improve it as much as possible.

The only exception I would make is when "improvements" mean extra
"security" for political/red tape reasons which do nothing to stop the
weaknesses they are meant to stop, but instead serve to make our
politicians looks good as well as giving them more income.

However, I think the ability to trace a Debian binary package to its
source, even if the original .changes file is no longer available, is
a definite advantage, and is not any less reliable or secure then
using the original .changes file for the same purpose. In fact, you
could argue it is more secure then the "Received" headers everyone
relies on to trace SPAM (which have no cryptographic signature).

I also believe that the threat of somebody being tricked into
installing a Trojan package is a very real possibility, and we should
do everything we can do to aid our users prevent this from happening.


Notes:

[1] Assuming you have a car, if not replace the words "car" and "lock"
with something more appropriate.
-- 
Brian May <bam@debian.org>
Reply to: