
Re: Time for apt-secure?

Michael Stone wrote:
> Where did you get the new key?

There was no new key. The 3.0r1 release used the 2002 master, whereas the 3.0r2 uses the 2003 master, which has been in use for security for a long time already.

> How did you verify it?

From my perspective, the 2003 master key has an established trust history.

> Are you aware of how the archives are signed?

Vaguely. As someone else on the list also pointed out, the term "archive" as used in this context for Debian is very unintuitive.

> Are you aware of how the packages are built?

Again, vaguely. But I assume that it does involve some signing stuff that the developers do not necessarily verify themselves. I do assume that signatures are made manually, not automatically. I may well be wrong here. :)

> The signature mechanism will protect against a compromised mirror
> but not against a compromised archive.

The primary threat from my perspective is against mirrors. I use them to download stuff, and I want to make sure that it is the same stuff that was distributed from the Debian masters. I have made the (unwarranted) assumption that the "back-end" process is secure enough, so the primary threat is the numerous mirrors.

> As it turns out that doesn't appear to have happened, but the apt-secure
> method is insufficient to demonstrate that.

Yes, I can see that. Regardless, apt-secure does bring added value. How much added value depends on how the keys are used. The next time the problem might hit the distribution chain, and at that point I sure wish apt-secure is in use.

Camillo Särs <+ged+@iki.fi>              **  Aim for the impossible and you
<http://www.iki.fi/+ged>                 **   will achieve the improbable.
PGP public key available                 **
