[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PATCH: package verification in dpkg

On Fri, 9 Mar 2001, Ben Collins wrote:

> > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > 'all packages are signed by one of these 800 keys' :P
> That's why the package should also get signed by the same dinstall key
> that signs the release sig :P

Debian can't do that because of our mirror network.

> Of course, which is why I said that the two compliment each other.

If you really think that then let debsigs handle the things it is good at
and focus on that. I don't think the current dpkg patch has that kind of
> You keep arguing as if anyone thinks that the .deb sig is trying to do
> things that the release sig was meant to do. That is not the case. Stop

You accused me of never defining "obsolete attacks". The above is the
example I have given several times.

> arguing against weak points of signing deb's compared to strong points
> of having a release sig. The two work together. Where one fails the

I did not make a value judgement, I answered your question :P

> other picks up. It's not a competition Jason, it's a cooperative effort
> here. No one is trying to step on any toes.

I have consistently maintained the viewpoint that deb signatures allow
fine grained, highly paranoid security checking when used by a skilled
user. What I dispute is that they can be automated for use by Debian and
realize anything but a minor security increase. To me this dpkg patch in
its current form is exactly that sort of automation and I think it gives a
bad impression to our users. 


Reply to: