
Re: Facilitating external repositories



]] Wouter Verhelst 

> On Mon, Jun 08, 2015 at 09:12:51AM +0200, Tollef Fog Heen wrote:
> > ]] Wouter Verhelst 
> > 
> > > Having said that, I do agree with you that we should not allow just
> > > about anyone to create a repository which will be automatically trusted
> > > by the whole Debian system. Establishing such a trust chain should,
> > > indeed, require some vetting by at least one Debian Developer, so that
> > > malicious packages can be rejected, if needs be.
> > 
> > I've always been a bit unhappy about the idea of using keys to decide
> > which repositories are trusted or not.  The signature is there primarily
> > to act as an anti-MITM tool.  This is a bit similar (or maybe
> > equivalent) to the difference between authentication and authorization
> > for access control.
> 
> What would you suggest instead?

With our current setup?  I don't really know, I think we'd need to add
some more information to some files.

Currently, there's no binding between an apt repository as listed in
sources.list and the corresponding key.  There is also no link between
an apt repository and allowed packages from that repository.

I could see us extending the apt preferences format to be something
like:

Package: *
Origin: Debian
Allowed-Keys: 2B90D010, C857C906, 518E17E1

Package: foo
Origin: fooCorp
Allowed-Keys: ABCD, EF12, 1234

Default priority for an unlisted package is < 0 (so can't be
installed).  We should probably use fingerprints and not short key ids
for the allowed-keys field (and we need something to manage them when
doing dist-upgrades and such).

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
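The stanza format sketched in the message above, worked through as an added example (not code from the original message, from apt, or from Debian): a small evaluator that parses the proposed Allowed-Keys stanzas and answers the authorization question separately from the authentication one, i.e. "this package, from this Origin, signed by this key: may it be installed, and at what priority?" An unlisted package gets a negative priority, as the message proposes. The field names Package, Origin and Allowed-Keys come from the message; the reuse of apt's existing Pin-Priority field (defaulting to 500), the rule that any matching stanza listing the signer's fingerprint authorizes the package, and the 40-hex-digit fingerprints in the sample are assumptions made for illustration (the fingerprints are constructed, not real archive keys). Following the message's caveat, the parser refuses short key ids outright.

```python
"""Evaluate an extended apt preferences file in the proposed Allowed-Keys form.

Added example; not part of apt. Stanza semantics, Pin-Priority reuse and the
sample fingerprints are assumptions chosen for illustration.
"""
import fnmatch
import re
from dataclasses import dataclass

DEFAULT_PRIORITY = 500   # assumed: apt's usual priority for a matched archive
DENY_PRIORITY = -1       # below zero means "never install" (message's proposal)

_FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample fingerprints (made up; the trailing 8 digits merely echo
# the short ids quoted in the message).
DEBIAN_KEY_1 = "0123456789ABCDEF0123456789ABCDEF2B90D010"
DEBIAN_KEY_2 = "FEDCBA9876543210FEDCBA9876543210C857C906"
FOOCORP_KEY = "00112233445566778899AABBCCDDEEFF0000ABCD"

# Constructed preferences file in the proposed format.
SAMPLE_PREFERENCES = f"""\
Package: *
Origin: Debian
Allowed-Keys: {DEBIAN_KEY_1}, {DEBIAN_KEY_2}

Package: foo
Origin: fooCorp
Allowed-Keys: {FOOCORP_KEY}
Pin-Priority: 600
"""


def normalise_key(key: str) -> str:
    """Canonical fingerprint form: uppercase, no spaces (gpg prints groups of four)."""
    return re.sub(r"\s+", "", key).upper()


@dataclass
class Stanza:
    package: str          # glob such as "*" or "foo"
    origin: str           # compared exactly against the repository's Origin
    allowed_keys: list    # full 40-digit fingerprints only
    priority: int = DEFAULT_PRIORITY

    def matches(self, package: str, origin: str) -> bool:
        return self.origin == origin and fnmatch.fnmatchcase(package, self.package)


@dataclass
class Decision:
    priority: int
    reason: str

    @property
    def allowed(self) -> bool:
        return self.priority >= 0


def parse_preferences(text: str) -> list:
    """Parse blank-line separated stanzas; reject anything shorter than a fingerprint."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
        keys = [normalise_key(k) for k in fields.get("Allowed-Keys", "").split(",") if k.strip()]
        for k in keys:
            if not _FINGERPRINT_RE.match(k):
                # Short key ids (8 or 16 hex digits) are cheap to collide; refuse them.
                raise ValueError(f"Allowed-Keys must be full fingerprints, got {k!r}")
        stanzas.append(Stanza(package=fields.get("Package", "*"),
                              origin=fields["Origin"],
                              allowed_keys=keys,
                              priority=int(fields.get("Pin-Priority", DEFAULT_PRIORITY))))
    return stanzas


def evaluate(stanzas, package: str, origin: str, signer_fingerprint: str) -> Decision:
    """Authorization: is some stanza willing to take this package from this origin
    under this signing key?  A valid signature alone (authentication) is not enough."""
    fp = normalise_key(signer_fingerprint)
    best = None
    for s in stanzas:
        if s.matches(package, origin) and fp in s.allowed_keys:
            if best is None or s.priority > best.priority:
                best = s
    if best is None:
        return Decision(DENY_PRIORITY, f"no stanza allows {package} from {origin} signed by {fp}")
    return Decision(best.priority, f"matched 'Package: {best.package}' for Origin {best.origin}")


if __name__ == "__main__":
    prefs = parse_preferences(SAMPLE_PREFERENCES)
    for pkg, origin, key in [("foo", "fooCorp", FOOCORP_KEY),
                             ("bar", "fooCorp", FOOCORP_KEY),
                             ("bar", "Debian", DEBIAN_KEY_1),
                             ("bar", "Debian", FOOCORP_KEY)]:
        d = evaluate(prefs, pkg, origin, key)
        print(f"{pkg:4} {origin:8} {key[-8:]} -> priority {d.priority:4} ({d.reason})")
```

The last case in the demo is the one the message is really about: fooCorp's key produces a perfectly valid signature, but because no stanza authorizes that key for the Debian Origin, the package is still not installable. Tying priority to (Origin, key) pairs rather than to key presence alone is what separates authorization from authentication here.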