Re: improving downloader packages (was: Re: holes in secure apt)

[Jakub Wilk <jwilk@debian.org>]

* Christoph Anton Mitterer <calestyo@scientia.net>, 2014-06-16, 19:50:
> Thomas mentioned that things would have been more secure if the buildds 
> and e.g. pbuilder pulls in debian-keyring automatically and verify 
> maintainer signatures.

debian-keyring is not useful for automatic authentication of source 
packages. The source package could have been signed years ago by a 
person who is no longer a DD. Or signed with a key that has been just 
replaced with another one. Or signed with a key that's not yet shipped 
in the package.

Incidentally, this is how I discovered this bug. A friend of mine (hi, 
Marcin!) wondered how he can authenticate a source package that was 
signed by a key that is not included in debian-keyring. I ensured him 
that there's nothing to worry about, as apt takes care of this, but he 
remained skeptical[0]. So I started playing with mitmproxy...


[0] And his skepticism was reinforced by (independent) discovery of this 
bug: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098738

--
Jakub Wilk