
Re: Debian upload monitor

On Thu, May 01, 2008 at 11:39:32PM +0100, Enrico Zini wrote:
> On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:
> > I am curious how you could craft an upload that would use a key
> > (ostensibly not your own, since you would know what you are uploading
> > anyway) where you could use some random DD's key to do the upload
> > without an email going to that DD.  It seems like you would need to
> > forge the GPG signature.
> For example, you have several IDs in your key.  If I have reason to
> believe that you don't receive mail in one of them (for example, I can
> notice that a domain has expired, or I can send fake spam to all of them
> and see if one bounces), then I can use that address in Maintainer: and
> Changed-by:, and dak will mail there.
Yes, but it will also mail you at your @debian.org email since your key
was used to sign the upload.  The specific example you cite would happen
regardless if you used any non-existent or bogus email address.

> But regardless of specific examples, this is an extra, complementary
> layer of security.  The GPG key is our most important security token,
> and a way to track its usage is the least that we should have.
> Whether it belongs to QA or ftp-master, is what I'm trying to find out.
Right.  I am not really disputing the usefulness (it might be kind of
neat to be able to map Maintainer/Changed-By addresses to the key(s)
used to upload for those addresses).  I was just wondering about how it
might mean that something could be uploaded without an email going to
some DD somewhere along the way.



Roberto C. Sánchez
