Re: Time for apt-secure?

[Camillo Särs <ged@iki.fi>]

Michael Stone wrote:
> Where did you get the new key?

There was no new key.  The 3.0r1 release used the 2002 master, whereas the 
3.0r2 uses the 2003 master, which has been in use for security for a long time 
already.

> How did you verify it?

From my perspective, the 2003 master key has an established trust history.

> Are you aware of how the archives are signed?

Vaguely.  As someone else on the list also pointed out, the term "archive" as 
used in this context for Debian is very unintuitive.

> Are you aware of how the packages are built?

Again, vaguely.  But I assume that it does involve some signing stuff that the 
developers do not necessarily verify themselves.  I do assume that signatures 
are made manually, not automatically.  I may well be wrong here. :)

> The signature mechanism will protect against a compromised mirror
> but not against a compromised archive.

The primary threat from my perspective is against mirrors.  I use them to 
download stuff, and I want to make sure that it is the same stuff that was 
distributed from the Debian masters.  I have made the (unwarranted) assumption 
that the "back-end" process is secure enough, so the primary threat is the 
numerous mirrors.

> As it turns out that doesn't appear to ahve happened, but the apt-secure 
> method is insufficient to demonstrate that.

Yes, I can see that.  Regardless, apt-secure does bring added value.  How much 
added value depends on how the keys are used.  The next time the problem might 
hit the distribution chain, and at that point I sure wish apt-secure is in use.

Camillo
--
Camillo Särs <+ged+@iki.fi>              **  Aim for the impossible and you
<http://www.iki.fi/+ged>                 **   will achieve the improbable.
PGP public key available                 **