On Fri, Nov 25, 2005 at 02:57:36PM +0100, Goswin von Brederlow wrote: > Steve Langasek <vorlon@debian.org> writes: > > On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote: > >> > That's easy: you trust the Packages file to be correct when using apt, > >> > and it's not verified at all by per-package signatures. > >> In what way trust and how does that change anything? > >> At best you can prevent a newer version of a package to appear in the > >> Packages file by compromising it. You can't subvert a package itself. > >> But you can already ship yesterdays Release.gpg, Release and Packages > >> file to a user and thereby prevent any updates. > >> On the other hand, without package signatures ftp-master adds a > >> vulnerability. You can hack into it, replace debs, recreate the > >> Packages, Release and Release.gpg file and thereby infect users. With > >> signed debs that could still be detected by every user in apt-get. > > Only if every user is in a position to verify signatures from each Debian > > developer individually, which is completely unrealistic. > Up to a point you can trust the keyring. As much as you can trust any > DD signature. You try to argue that signatures are not absolutely > trustworthy but that is nothing new. I'm arguing that a 5-hop-long signature chain to establish the validity of a Debian package is as good as useless, and worse if the user doesn't understand this. And a 5-hop-long signature chain does *not* mean that anyone in that chain trusts the person holding the key on the end to upload packages to Debian. The only thing we have that establishes *that* is the presence of the user's key in the Debian keyring, so then you have the logistical problem of how arbitrary users are supposed to verify whether a given key is in the keyring. The debian-keyring package doesn't get updated every time there's a key added or removed, and the web interface to keyring.debian.org doesn't provide any cryptographic assurances. Oh, and BTW, check the IPs of ftp-master.debian.org and keyring.debian.org... -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. vorlon@debian.org http://www.debian.org/
Attachment:
signature.asc
Description: Digital signature