Re: Makeing Debian more secure - sign binaries with elfsign?

To: Andrew Pollock <apollock@debian.org>
Cc: debian-qa@lists.debian.org
Subject: Re: Makeing Debian more secure - sign binaries with elfsign?
From: Andreas Kotes <count-debian@flatline.de>
Date: Mon, 3 May 2004 02:11:48 +0200
Message-id: <[🔎] 20040503001148.GD7437@aleph.flatline.priv>
In-reply-to: <[🔎] 20040502235515.GC13265@daedalus.andrew.net.au>
References: <20040430132559.GD32471@aleph.flatline.priv> <[🔎] 20040502233235.GA13265@daedalus.andrew.net.au> <[🔎] 20040502234901.GB7437@aleph.flatline.priv> <[🔎] 20040502235515.GC13265@daedalus.andrew.net.au>

Heya,

* Andrew Pollock <apollock@debian.org> [20040503 01:58]:
> On Mon, May 03, 2004 at 01:49:01AM +0200, Andreas Kotes wrote:
> > * Andrew Pollock <apollock@debian.org> [20040503 01:36]:
> > > On Fri, Apr 30, 2004 at 03:25:59PM +0200, Andreas Kotes wrote:
> > > > What do you think? Signed binaries instead of tools like tripwire or
> > > > aide et all?
> > > 
> > > Sounds interesting. How does elfsign go with prelinking?
> > 
> > I've got no idea, and no experience with prelinking. Perhaps you want to
> > try?
> 
> Heh, I don't know much more, just that prelinking busts the checksum of a
> binary. I've had a quick look at the licence, and I think it's currently
> unsuitable as DFSG-free, but I just dropped the upstream maintainer an email
> asking him if he'd like to relicense it (the GPL would serve the same
> purpose as his current licence I think).

sounds good to me ...

> I'm not sure how elfsign would work in Debian's build environment. It would
> make sense to have source-only uploads, and the buildds sign the binaries as
> part of the build process. It's a shame it's using X509 certificates instead
> of PGP/GnuPG.

this might be due to the fact that g10 (the API of gnupg) plainly sucks.
big time. why do you think everybody is calling it as an external
binary? *sigh* ..

the world (tm) would need a libopenpgp or something like that - or PGP
support in openssl, for that matter. but getting rid of openssl would be
worthwhile, too .. the API isn't too great, but it gets the job done.

Let's see what Fefe will be coming up with, he started thinking about a
libtinyssl - and I've been thinking about doing libopenpgp for a while.
are there any interested parties who's like to join and help coding or
who would pay some of the time it takes to get it done? There just isn't
enough spare time left after one does what one has to do for a living ..

.. but I'm quite sure that's a common problem - so, if there are
companies out there willing to sponsor fulltime Debian maintainers, step
forward! :)

Kind regards,

   Count

P.S: btw, regarding x509 - is there a Debian CA?

-- 
Andreas Kotes - PGP 0x8F94C228 - The views expressed herein are mine!  ,''`.
Follow the path of the unsafe, independent thinker. Expose your ideas : :' :
to the danger of controversy. Speak your mind and fear less the label `. `'
of "crackpot" than the stigma of conformity. (Thomas J. Watson)         `-

Reply to:

Follow-Ups:
- Re: Makeing Debian more secure - sign binaries with elfsign?
  - From: Andrew Pollock <apollock@debian.org>
- Re: Makeing Debian more secure - sign binaries with elfsign?
  - From: Gerrit Pape <pape@smarden.org>

References:
- Re: Makeing Debian more secure - sign binaries with elfsign?
  - From: Andrew Pollock <apollock@debian.org>
- Re: Makeing Debian more secure - sign binaries with elfsign?
  - From: Andreas Kotes <count-debian@flatline.de>
- Re: Makeing Debian more secure - sign binaries with elfsign?
  - From: Andrew Pollock <apollock@debian.org>

Prev by Date: Re: Makeing Debian more secure - sign binaries with elfsign?
Next by Date: Re: Makeing Debian more secure - sign binaries with elfsign?
Previous by thread: Re: Makeing Debian more secure - sign binaries with elfsign?
Next by thread: Re: Makeing Debian more secure - sign binaries with elfsign?
Index(es):
- Date
- Thread