Re: improving downloader packages (was: Re: holes in secure apt)
* Christoph Anton Mitterer <firstname.lastname@example.org>, 2014-06-16, 19:50:
Thomas mentioned that things would have been more secure if the buildds
and e.g. pbuilder pulls in debian-keyring automatically and verify
debian-keyring is not useful for automatic authentication of source
packages. The source package could have been signed years ago by a
person who is no longer a DD. Or signed with a key that has been just
replaced with another one. Or signed with a key that's not yet shipped
in the package.
Incidentally, this is how I discovered this bug. A friend of mine (hi,
Marcin!) wondered how he can authenticate a source package that was
signed by a key that is not included in debian-keyring. I ensured him
that there's nothing to worry about, as apt takes care of this, but he
remained skeptical. So I started playing with mitmproxy...
 And his skepticism was reinforced by (independent) discovery of this