Re: PATCH: package verification in dpkg

To: Jason Gunthorpe <jgg@debian.org>
Cc: debian-dpkg@lists.debian.org
Subject: Re: PATCH: package verification in dpkg
From: Ben Collins <bcollins@debian.org>
Date: Fri, 9 Mar 2001 23:08:42 -0500
Message-id: <[🔎] 20010309230842.A262@visi.net>
In-reply-to: <[🔎] Pine.LNX.3.96.1010309204053.6894F-100000@wakko.deltatee.com>; from jgg@debian.org on Fri, Mar 09, 2001 at 08:58:26PM -0700
References: <[🔎] 20010309223621.W2022@visi.net> <[🔎] Pine.LNX.3.96.1010309204053.6894F-100000@wakko.deltatee.com>

On Fri, Mar 09, 2001 at 08:58:26PM -0700, Jason Gunthorpe wrote:
> 
> On Fri, 9 Mar 2001, Ben Collins wrote:
> 
> > > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > > 'all packages are signed by one of these 800 keys' :P
> > 
> > That's why the package should also get signed by the same dinstall key
> > that signs the release sig :P
> 
> Debian can't do that because of our mirror network.

Why not? I'm not saying anything about doing release sigs in a package,
I am saying to sign a deb by dinstall as it passes through it and gets
installed on the archive. Let's not keep bringing up this non-existent
proposal to sign debs en masse for releases.

> > Of course, which is why I said that the two compliment each other.
> 
> If you really think that then let debsigs handle the things it is good at
> and focus on that. I don't think the current dpkg patch has that kind of
> focus.

Of course it does. It verifies a package signature. What is not focused
about that?

> > other picks up. It's not a competition Jason, it's a cooperative effort
> > here. No one is trying to step on any toes.
> 
> I have consistently maintained the viewpoint that deb signatures allow
> fine grained, highly paranoid security checking when used by a skilled
> user. What I dispute is that they can be automated for use by Debian and
> realize anything but a minor security increase. To me this dpkg patch in
> its current form is exactly that sort of automation and I think it gives a
> bad impression to our users. 

What you dispute is the lack of a policy to automate it. That policy
(and by policy I mean adopted by the archive and package tools) has yet
to be done, and is needed for the end result to be in a state that you
say it isn't. It's a matter of time, which is why the patch was added to
a CVS branch which will be in development for some time. It's not like
this will be uploaded tommorrow, or even for woody.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'

Reply to:

References:
- Re: PATCH: package verification in dpkg
  - From: Ben Collins <bcollins@debian.org>
- Re: PATCH: package verification in dpkg
  - From: Jason Gunthorpe <jgg@debian.org>

Prev by Date: Re: PATCH: package verification in dpkg
Next by Date: Re: PATCH: package verification in dpkg
Previous by thread: Re: PATCH: package verification in dpkg
Next by thread: Re: PATCH: package verification in dpkg
Index(es):
- Date
- Thread