
Re: thoughts on signature verification

On Thu, Aug 08, 2002 at 01:51:50PM -0400, Ben Collins wrote:
> > Dpkg, OTOH, can't tell where a package is meant to have come from, so can
> > only do:
> > 	a) Check the signature's valid, and report who signed it
> > 	b) Expect the user to tell it which keyring to use, and check that
> > 	   the key's in that keyring (dpkg-source --from=debian -x *.dsc)
> > 	c) Check that the signature is from the "Maintainer:"
> You really need to read the debsig-verify package signing docs.

And you need to get a clue. Oh wait, I've already read them, and you
already have a clue. Why're we insulting each other, again?

> In fact, anything can tell with a good bit of security, just where a
> package came from. 

No, it can't. When you've got something that's both feasible and secure
*at the same time* this might be worth discussing, but you don't, so it's
not. We've been over this again, and again, and again. The signing policy
included in the debsigs package is *completely irrelevant* for Debian.

> (note, the URL you download it from is not a
> security measure, especially considering lots of people have local
> mirrors, or hand-downloaded packages).

The URL you download it from *is* a security measure: if you're
downloading something from Blackdown you expect it to be Java related and
to have been signed by Blackdown -- and if it's not you probably should
start wondering what someone's trying to do. Dpkg has no possibility of
automatically checking this (since you might've downloaded it using wget,
eg), Apt does (since it does the downloading itself).

This isn't a flaw that needs a spirited defense, it's just a fact.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''
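The checks aj lists for dpkg ((a) valid signature and signer reported, (b) key present in a keyring the caller names, (c) signer matches the Maintainer field), plus the origin check that only the downloader can make because only it knows the URL, as an added example. This is not dpkg's, apt's or debsig-verify's code. What it takes as given is the machine-readable status format that gpgv emits with --status-fd (GOODSIG, VALIDSIG, BADSIG, NO_PUBKEY and friends); everything else, the origin-to-keyring table modelled as sets of fingerprints, the hostname-to-origin mapping, the status lines and the .dsc text, is constructed for the example.

```python
# Added example: policy on top of gpgv status output. Not dpkg/apt/debsig code.
# Keyrings, hostnames, fingerprints, status lines and .dsc text are constructed.
import re
import subprocess
from urllib.parse import urlsplit

# Assumed: origin name -> fingerprints of keys allowed to sign for that origin.
# In real use each origin is a separate keyring file handed to gpgv --keyring;
# a set of primary-key fingerprints models that without needing gpg installed.
KEYRINGS = {
    "debian": {"0123456789ABCDEF0123456789ABCDEF01234567"},
    "blackdown": {"FEDCBA9876543210FEDCBA9876543210FEDCBA98"},
}
# Assumed: mirror hostname -> origin. apt knows the URL; dpkg does not.
ORIGIN_HOSTS = {"ftp.debian.org": "debian", "www.blackdown.org": "blackdown"}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
MAINT_RE = re.compile(r"^Maintainer:\s*(.*)$", re.M)
EMAIL_RE = re.compile(r"<([^>]+)>")
FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG")


def run_gpgv(keyring_path, signed_file):
    """Real invocation (not used by the offline checks below): returns the
    status text that parse_gpgv_status() consumes."""
    proc = subprocess.run(["gpgv", "--status-fd", "1", "--keyring", keyring_path,
                           signed_file], capture_output=True, text=True, check=False)
    return proc.stdout


def parse_gpgv_status(text):
    """Reduce gpgv --status-fd output to the facts a policy needs.
    Only VALIDSIG carries the full fingerprint; GOODSIG's key id and user id
    are kept for reporting only (short ids collide, uids are attacker-chosen)."""
    sig = {"valid": False, "fingerprint": None, "primary": None, "uid": None, "errors": []}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "")
        if keyword == "GOODSIG":
            sig["uid"] = args.partition(" ")[2]
        elif keyword == "VALIDSIG":
            f = args.split()  # fpr date ts expire ver reserved pkalgo hashalgo class [primary-fpr]
            sig["valid"], sig["fingerprint"] = True, f[0]
            sig["primary"] = f[9] if len(f) > 9 else f[0]
        elif keyword in FAILURES:
            sig["errors"].append(keyword)
    if sig["errors"]:  # gpg still emits VALIDSIG for expired keys; any failure line wins
        sig["valid"] = False
    return sig


def maintainer_email(dsc_text):
    """Maintainer address from a (clearsigned) .dsc control block, lower-cased."""
    m = MAINT_RE.search(dsc_text)
    if not m:
        return None
    e = EMAIL_RE.search(m.group(1))
    return (e.group(1) if e else m.group(1)).strip().lower()


def origin_for_url(url):
    return ORIGIN_HOSTS.get((urlsplit(url).hostname or "").lower())


def check_signature(status_text, dsc_text=None, url=None, require_maintainer=False):
    """Return (ok, reason). (a) always; (b) when a URL gives an origin;
    (c) when require_maintainer is set. (c) is only meaningful after (b):
    without a trusted keyring anyone can mint a key carrying the Maintainer's uid."""
    sig = parse_gpgv_status(status_text)
    if not sig["valid"]:
        return False, "signature invalid or unverifiable: " + ",".join(sig["errors"] or ["no VALIDSIG"])
    if url is not None:
        origin = origin_for_url(url)
        if origin is None:
            return False, "unknown download origin for " + url
        if sig["primary"] not in KEYRINGS[origin]:
            return False, "key %s is not in the %s keyring" % (sig["primary"], origin)
    if require_maintainer:
        want = maintainer_email(dsc_text or "")
        got_m = EMAIL_RE.search(sig["uid"] or "")
        got = got_m.group(1).lower() if got_m else None
        if want is None or want != got:
            return False, "signer %r is not the Maintainer %r" % (got, want)
    return True, "signed by %s (%s)" % (sig["uid"], sig["primary"])


# Constructed samples, in the real gpgv status line shape.
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Jane Example <jane@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-08-08 1028800000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Jane Example <jane@example.org>\n"
NOKEY_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1028800000 9\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: example
Version: 1.0-1
Maintainer: Jane Example <jane@example.org>
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
DEBIAN_URL = "http://ftp.debian.org/debian/pool/main/e/example/example_1.0-1.dsc"

if __name__ == "__main__":
    for args in [(GOOD_STATUS, DSC, DEBIAN_URL, True),
                 (GOOD_STATUS, DSC, "http://www.blackdown.org/pool/example_1.0-1.dsc", False),
                 (BAD_STATUS,), (NOKEY_STATUS,)]:
        print(check_signature(*args))
```

Running gpgv against the origin's keyring already enforces (b) by itself, since a key outside that keyring yields NO_PUBKEY; the fingerprint set here only stands in for the keyring so the logic runs without gpg. The decision is keyed on the primary-key fingerprint from VALIDSIG, never on the short key id or the uid string from GOODSIG.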
