
Re: Announcement: APT Secure



mdz@debian.org said:
> That answer is pretty easy to find, too.  Look at the description of the
> debian-keyring package.

"The Debian project wants developers to digitally sign the announcements
of their packages with GnuPG, to protect against forgeries. This package
contains keyrings of GnuPG and (deprecated) PGP keys of developers."

Read literally, I guess you're saying the archive key isn't in there
because it's not a developer's key.

More broadly, though, if one of the goals of Debian developers using GPG
keys is "to protect against forgeries", and debian-keyring contains
their keys to further this goal, and apt-secure is a further advancement
of this same goal, then wouldn't debian-keyring be a logical way to
distribute the archive's public key?

Distributing the key this way would be akin to the way SSL CA
certificates are distributed via the ca-certificates package. It's not
perfect, but it's better than downloading the public key from the first
hit your Google search turns up. At least when it's distributed with the
OS, you can compare your installed version with the one on an old CD or
something.

Jason
