Re: apt in experimental (Re: APT 0.6 migration -- second status report)

To: debian-devel@lists.debian.org
Subject: Re: apt in experimental (Re: APT 0.6 migration -- second status report)
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Thu, 05 May 2005 01:12:19 +0200
Message-id: <[🔎] 87u0lioab0.fsf@informatik.uni-tuebingen.de>
In-reply-to: <[🔎] 20050504220842.GB29865@alcor.net> (Matt Zimmerman's message of "Wed, 4 May 2005 15:08:42 -0700")
References: <873bvs6swo.fsf@deneb.enyo.de> <[🔎] 87acnb16lw.fsf@deneb.enyo.de> <[🔎] 20050504154118.GA5874@rollcage.inittab.de> <[🔎] 20050504190526.GU29865@alcor.net> <[🔎] 874qdipxp9.fsf@informatik.uni-tuebingen.de> <[🔎] 20050504204430.GY29865@alcor.net> <[🔎] 87y8auoe1y.fsf@informatik.uni-tuebingen.de> <[🔎] 20050504220842.GB29865@alcor.net>

Matt Zimmerman <mdz@debian.org> writes:

> On Wed, May 04, 2005 at 11:51:21PM +0200, Goswin von Brederlow wrote:
>
>> Matt Zimmerman <mdz@debian.org> writes:
>> > In mainline, there is a facility for adding new keys to the keyring by
>> > updating the apt package.
>> 
>> Which can't be done (savely) if the key is compromised or expires
>> before the update (like it does every year).
>
> If the key is compromised, we lose, no matter what we do.
>
> I recommend that we create keys which will not expire before the next
> release.
>
> -- 
>  - mdz

How about this:

Each distribution key gets signed by X+Y DDs in the current (stable)
keyring. On key updates the new key is checked and if X of those
signatures are still valid and the key is newer than the existing one
then the key is accepted as new key.

Keeping X reasonably large ensures that a compromised key (or two or
three) can't be used to smuggle in an fake archive key.

Keeping Y large ensures a new key can still be checked and accepted.

The timestamp of the key and signatures should be checked to prevent
undoing a key update by rolling in an old, compromised key.

All of this should be wrapped in something like "apt-get update-keys" and
mentioned in the error message when Release.gpg fails the check.

Or, even better, have apt-get update download a Release.keys and
verify through the above procedure automatically.

MfG
        Goswin

Reply to:

References:
- APT 0.6 migration -- second status report
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: APT 0.6 migration -- second status report
  - From: Norbert Tretkowski <tretkowski@inittab.de>
- apt in experimental (Re: APT 0.6 migration -- second status report)
  - From: Matt Zimmerman <mdz@debian.org>
- Re: apt in experimental (Re: APT 0.6 migration -- second status report)
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: apt in experimental (Re: APT 0.6 migration -- second status report)
  - From: Matt Zimmerman <mdz@debian.org>
- Re: apt in experimental (Re: APT 0.6 migration -- second status report)
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: apt in experimental (Re: APT 0.6 migration -- second status report)
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: apt in experimental (Re: APT 0.6 migration -- second status report)
Next by Date: Re: Should Debian use lsb init-functions?
Previous by thread: Re: apt in experimental (Re: APT 0.6 migration -- second status report)
Next by thread: Re: apt in experimental (Re: APT 0.6 migration -- second status report)
Index(es):
- Date
- Thread