
Re: bits from the release team

Joey Hess <joeyh@debian.org> writes:

> Goswin von Brederlow wrote:
>> Having the key in the debian-keyring package was a nice idea but
>> ultimately useless. Sarge users can't fetch the new etch keyring
>> package because the signature doesn't match and the signature doesn't
>> match because the sarge keyring doesn't have the key. Fun fun fun.
> Er, sarge doesn't have secure apt so that problem doesn't exist. Also,
> secure apt allows you to install packages that don't have a trust path.
> FWIW, I consider this issue solved by the debian-archive-keyring,
> only issue I know of is that upgrades have to manually upgrade it before
> upgrading apt.

Once you update apt it does. That is when you notice that suddenly you
need the key for authentication.

Also on every key upgrade you have to install an untrusted package.
That kind of takes the point out of the secure part. An attacker just
has to wait until next new year and then smuggle in his own key onto a
debian mirror. Most users will not notice the swap.

Not to mention that any unofficial apt archive is left out in the
rain. Do you expect every archive to have their own keyring package?
What about being "universal"? :)

> -- 
> see shy jo

