
Re: Bug#707006: [nikcub@gmail.com: Live CD keys missing from key server]



On Thu, Apr 03, 2014 at 06:44:36AM +0400, Evgeny Kapun wrote:
> 03.04.2014 00:50, Jonathan McDowell wrote:
> > Public keyservers aren't expected to provide verification of key
> > authenticity. The signatures on the keys themselves do that. The
> > Debian Live CD key is signed by Daniel, whose key is then signed by
> > many other DDs (and present in the debian-keyring package). If we
> > pushed the Live CD role key to the debian-keyring package we're
> > still assuming the user has access to a Debian box to install it and
> > then also has a proper trust path (presumably via the shasums on the
> > APT package lists and then the Debian archive signing key for those
> > package lists) to that package.  If they're not using a Debian box
> > to write the live CD then none of these pieces help.
> > 
> > In short putting the Live CD key in the debian-keyring package
> > doesn't demonstrably solve the problem of verifying a Live CD that I
> > can tell.
> 
> Putting the Live CD key in the debian-keyring package makes verification
> MUCH easier. It would be just enough to run `gpgv --keyring
> /usr/share/keyrings/debian-role-keys.gpg /path/to/SHA1SUMS.sig',
> instead of having to find a signature made by the right key.

You're making an assumption that the key on the filesystem at
/usr/share/keyrings/debian-role-keys.gpg is the right one, which relies
on a whole extra chain of trust which I referred to above.

J.

-- 
I'm from the tax office. I'm here to take all your money.
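The gpgv check discussed above, as an added example that is not part of the original mails: instead of accepting whatever key happens to sit in the keyring file, it reads gpgv's machine-readable status output and only succeeds when the signature is good and was made by a fingerprint pinned in the script. EXPECTED_FPR is a placeholder to be replaced with a fingerprint obtained from an independently verified source; the function and file names are this example's own.

```sh
#!/bin/sh
# Example added to the thread, not Debian's or the list's own code.
# Verifies a detached signature on a SHA1SUMS file with gpgv, but requires
# the signing key to match a pinned fingerprint rather than trusting the
# contents of the keyring file on disk.

# PLACEHOLDER: put the fingerprint you verified out of band here.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# check_status: reads `gpgv --status-fd 1` output on stdin and succeeds only
# if a GOODSIG was reported and the VALIDSIG fingerprint equals $1.
check_status() {
    expected="$1"
    good=0
    valid=0
    while IFS=' ' read -r prefix keyword arg1 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG) good=1 ;;
            VALIDSIG)
                # arg1 is the fingerprint of the (sub)key that signed; the
                # optional last field is the primary key's fingerprint.
                primary="${rest##* }"
                if [ "$arg1" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    valid=1
                fi ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) return 1 ;;
        esac
    done
    [ "$good" = 1 ] && [ "$valid" = 1 ]
}

# verify_sums KEYRING SIG SUMS: run gpgv against an explicit keyring and
# gate the result on the pinned fingerprint, e.g.
#   verify_sums /usr/share/keyrings/debian-role-keys.gpg SHA1SUMS.sign SHA1SUMS
verify_sums() {
    keyring="$1"; sig="$2"; sums="$3"
    gpgv --status-fd 1 --keyring "$keyring" "$sig" "$sums" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}
```

A successful verify_sums only says the SHA1SUMS file is signed by the pinned key; checking the image against SHA1SUMS (sha1sum -c) is still a separate step.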

