Re: PATCH: package verification in dpkg

On Fri, Mar 09, 2001 at 08:58:26PM -0700, Jason Gunthorpe wrote:
> On Fri, 9 Mar 2001, Ben Collins wrote:
> > > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > > 'all packages are signed by one of these 800 keys' :P
> > 
> > That's why the package should also get signed by the same dinstall key
> > that signs the release sig :P
> Debian can't do that because of our mirror network.

Why not? I'm not saying anything about doing release sigs in a package,
I am saying to sign a deb by dinstall as it passes through it and gets
installed on the archive. Let's not keep bringing up this non-existent
proposal to sign debs en masse for releases.

> > Of course, which is why I said that the two complement each other.
> If you really think that then let debsigs handle the things it is good at
> and focus on that. I don't think the current dpkg patch has that kind of
> focus.

Of course it does. It verifies a package signature. What is not focused
about that?

> > other picks up. It's not a competition Jason, it's a cooperative effort
> > here. No one is trying to step on any toes.
> I have consistently maintained the viewpoint that deb signatures allow
> fine grained, highly paranoid security checking when used by a skilled
> user. What I dispute is that they can be automated for use by Debian and
> realize anything but a minor security increase. To me this dpkg patch in
> its current form is exactly that sort of automation and I think it gives a
> bad impression to our users. 

What you dispute is the lack of a policy to automate it. That policy
(and by policy I mean adopted by the archive and package tools) has yet
to be done, and is needed for the end result to be in a state that you
say it isn't. It's a matter of time, which is why the patch was added to
a CVS branch which will be in development for some time. It's not like
this will be uploaded tomorrow, or even for woody.

