
Re: dpkg-sig support wanted?

On Fri, Nov 25, 2005 at 02:57:36PM +0100, Goswin von Brederlow wrote:
> Steve Langasek <vorlon@debian.org> writes:

> > On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:

> >> > That's easy: you trust the Packages file to be correct when using apt,
> >> > and it's not verified at all by per-package signatures.

> >> In what way trust and how does that change anything?

> >> At best you can prevent a newer version of a package from appearing in the
> >> Packages file by compromising it. You can't subvert a package itself.
> >> But you can already ship yesterday's Release.gpg, Release and Packages
> >> file to a user and thereby prevent any updates.

> >> On the other hand, without package signatures ftp-master adds a
> >> vulnerability. You can hack into it, replace debs, recreate the
> >> Packages, Release and Release.gpg file and thereby infect users. With
> >> signed debs that could still be detected by every user in apt-get.

> > Only if every user is in a position to verify signatures from each Debian
> > developer individually, which is completely unrealistic.

> Up to a point you can trust the keyring. As much as you can trust any
> DD signature. You try to argue that signatures are not absolutely
> trustworthy but that is nothing new.

I'm arguing that a 5-hop-long signature chain to establish the validity of a
Debian package is as good as useless, and worse if the user doesn't
understand this.

And a 5-hop-long signature chain does *not* mean that anyone in that chain
trusts the person holding the key on the end to upload packages to Debian.
The only thing we have that establishes *that* is the presence of the user's
key in the Debian keyring, so then you have the logistical problem of how
arbitrary users are supposed to verify whether a given key is in the
keyring.  The debian-keyring package doesn't get updated every time there's
a key added or removed, and the web interface to keyring.debian.org doesn't
provide any cryptographic assurances.  Oh, and BTW, check the IPs of
ftp-master.debian.org and keyring.debian.org...

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
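The trust chain discussed in this thread (Release.gpg over Release, Release over Packages, Packages over each .deb) and the "ship yesterday's Release" freeze attack mentioned above, as an added example that is not part of this message nor of apt's or dpkg-sig's own code. It walks the hash chain over a constructed sample archive and additionally flags a Release file older than a freshness window, which is a defender's check going beyond what the thread itself describes. It assumes that the OpenPGP verification of Release.gpg against the archive key has already been done by a separate step, that Release carries SHA256 entries and a Date: header, and that Packages stanzas carry SHA256 and Size fields; the file contents, package name, paths and dates are constructed for the demonstration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# --- Constructed sample archive (not real Debian data) --------------------
SAMPLE_DEB = b"!<arch>\nconstructed-deb-contents-for-demo\n"

SAMPLE_PACKAGES = (
    "Package: demo-tool\n"
    "Version: 1.0-1\n"
    "Architecture: i386\n"
    "Filename: pool/main/d/demo-tool/demo-tool_1.0-1_i386.deb\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n"
    "\n"
).encode()

INDEX_PATH = "main/binary-i386/Packages"

SAMPLE_RELEASE = (
    "Origin: Demo\n"
    "Suite: unstable\n"
    "Date: Fri, 25 Nov 2005 12:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)} {INDEX_PATH}\n"
)


def parse_release(text):
    """Extract the Date: header and the SHA256 section of a Release file."""
    info = {"date": None, "sha256": {}}
    in_sha = False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_sha = True
            continue
        if in_sha and line.startswith(" "):
            digest, size, path = line.split()
            info["sha256"][path] = (digest, int(size))
            continue
        in_sha = False
        if line.startswith("Date:"):
            info["date"] = datetime.strptime(
                line[5:].strip(), "%a, %d %b %Y %H:%M:%S UTC"
            ).replace(tzinfo=timezone.utc)
    return info


def parse_packages(data):
    """Split a Packages file into stanzas keyed by package name."""
    pkgs = {}
    for stanza in data.decode().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if "Package" in fields:
            pkgs[fields["Package"]] = fields
    return pkgs


def check_archive(release_text, index_path, packages_data, debs, now,
                  max_age=timedelta(days=7)):
    """Walk the hash chain Release -> Packages -> .deb and return a list of
    problems; an empty list means everything verified.  Assumes the caller
    has already verified the Release.gpg signature over release_text."""
    problems = []
    release = parse_release(release_text)
    # A replayed old snapshot carries a valid signature, so freshness has to
    # be checked separately from the signature (hypothetical max_age window).
    if release["date"] is None or now - release["date"] > max_age:
        problems.append("Release file is stale or undated (possible replay)")
    expected = release["sha256"].get(index_path)
    if expected is None:
        problems.append(f"Release does not list {index_path}")
        return problems
    if (hashlib.sha256(packages_data).hexdigest(), len(packages_data)) != expected:
        problems.append(f"{index_path} does not match the hash in Release")
        return problems
    pkgs = parse_packages(packages_data)
    for name, data in debs.items():
        entry = pkgs.get(name)
        if entry is None:
            problems.append(f"{name}: not listed in Packages")
            continue
        if (hashlib.sha256(data).hexdigest() != entry["SHA256"]
                or len(data) != int(entry["Size"])):
            problems.append(f"{name}: .deb does not match the hash in Packages")
    return problems


if __name__ == "__main__":
    now = datetime(2005, 11, 26, tzinfo=timezone.utc)
    print("intact:", check_archive(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES,
                                   {"demo-tool": SAMPLE_DEB}, now))
    print("tampered deb:", check_archive(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES,
                                         {"demo-tool": SAMPLE_DEB + b"x"}, now))
    print("replayed snapshot:", check_archive(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES,
                                              {"demo-tool": SAMPLE_DEB},
                                              now + timedelta(days=30)))
```

Note that a replaced .deb is caught only through the Packages hash, so the chain is only as strong as the signature over Release; a replayed but genuinely signed old Release passes every hash check, which is why the freshness window is checked independently of the hashes.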
