
Re: Announce of a secure repo for debian



On Mon, 31 May 2010 06:42:57 +0200
Christian PERRIER <bubulle@debian.org> wrote:

> Quoting Klaus Ethgen (Klaus@Ethgen.de):
> > cause of the recent umask disaster I decided to start a repository for
> > packages which are insecure in debian distribution.

and which are hosted in an unverifiable repository. Hmmm.

At the very least, the public key should be available on the server
itself and it should preferably be in an archive-keyring package in
Debian.

e.g. emdebian-archive-keyring and 
http://www.emdebian.org/packages/keys.html

> > You can find this repository at ftp://ftp.ethgen.de/pub/debian-security
> > (deb ftp://ftp.ethgen.de/pub/debian-security sid unofficial-secured).

> > This repository holds secured packages of the insecure debian packages
> > just without the insecure patch (or the insecurity patched). The full
> > sources are available to build. At the moment the repository holds
> > base-files, openssh and procmail.
> 
> Is this repository signed by a key?

gpgv: Signature made Sun 30 May 2010 19:01:45 BST using RSA key ID D1A4EDE5
gpgv: Can't check signature: public key not found

> Where is that key available?

I assume it's this one:
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <(E-Mail Removed)>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B

I found a listing of it in the Google cache but keyserver.kjsl.com
appeared to be down and subkeys.pgp.net didn't report having that key.
(I since imported it from the ASCII and added it to subkeys.pgp.net but
with the current unreliability of keyservers, that didn't appear to help
much. keys.gnupg.net does have it.)

> By who is this key signed?

Found it on pgp.net.nz also:

http://pgp.net.nz:11371/pks/lookup?op=vindex&search=0x9F8E2A98D1A4EDE5

There are some signatures there which I recognise, Peter Palfrader
being the most obvious to me.

> Are there people around to speak and guarantee that the repository
> owner is not providing malicious packages through this "secured"
> repository?

> Don't take me wrong. I don't question your honesty even though I
> certainly do question the technical arguments you brought in this
> thread and the way you did it (the umask 'disaster'). But calling a
> private repository "secured" is certainly something that is very
> highly debatable.
> 
> Unless the packages you provide are inspected by the same web of trust
> that lives around the official Debian repository, I think that
> potential users should definitely be warned that they're using it at
> their own risk (the same stands for any private repository, of course,
> including those I manage myself...:-)).

I would question the safety / reliability of using a repository that
forces the creation of Packages and Sources and Release files by hand
instead of using a reliable, reproducible tool like reprepro.

The site even includes the Makefile that shows the hacks used to make
the repository files.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
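Added example (my own code, not from the thread, from apt or from reprepro): the second half of what an apt client checks before trusting such a repository, namely that each Packages file has exactly the size and SHA256 digest listed in the signed Release file; the signature step itself is left to gpgv as shown in the message above. The Packages contents, path and keyring file name are constructed placeholders.

```python
"""Check that the files an apt Release file lists really match it."""
import hashlib
import hmac

# apt trusts a Packages file only after two checks:
#  1. gpgv verifies the detached signature over Release against a known
#     keyring:  gpgv --keyring /usr/share/keyrings/ARCHIVE-keyring.gpg \
#                    Release.gpg Release       (ARCHIVE is a placeholder)
#  2. the file's size and digest equal the entry inside Release.
# This script implements check 2, the one hand-built Release files tend to fail.

# Constructed sample Packages file (hypothetical contents and path).
PACKAGES = b"Package: base-files\nVersion: 0.0-example\nArchitecture: all\n\n"
PACKAGES_PATH = "unofficial-secured/binary-amd64/Packages"


def release_digests(release_text):
    """Parse the 'SHA256:' block of a Release file into {path: (hex, size)}.
    MD5Sum and SHA1 blocks are ignored on purpose: they add no security."""
    digests = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):           # unindented line = new header
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256 and line.strip():
            digest, size, path = line.split()
            digests[path] = (digest.lower(), int(size))
    return digests


def check_file(release_text, path, data):
    """True only if `data` has the size and SHA256 Release lists for `path`."""
    entry = release_digests(release_text).get(path)
    if entry is None:
        return False                           # unlisted file: refuse it
    digest, size = entry
    if len(data) != size:
        return False                           # stale or hand-edited entry
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, digest)


def make_release(entries):
    """Build a minimal Release body the way a repository tool would."""
    lines = ["Suite: sid", "Components: unofficial-secured", "SHA256:"]
    for path, data in entries.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"
```

A Release that is edited by hand after the Packages file changes fails `check_file` on size or digest, which is exactly the error apt reports as a hash sum mismatch.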
