
Re: Release.gpg files gone?



Hi Matt,

sorry about the long delay in this thread. I'd also like to apologize in
advance for being a nuisance, but apparently there are no other volunteers :).

Matt Zimmerman wrote on 18.01.2004 [Re: Release.gpg files gone?]:
> On Sun, Jan 18, 2004 at 06:30:11AM +0100, wopp@parplies.de wrote:
> 
> > If you use apt-secure, this will make 'apt-get update' fail to download
> > the Packages files (correctly, because the authenticity of the contents
> > cannot be verified), meaning you (well, I :-|) could not download packages
> > from woody.
> 
> This may have been the case with apt-secure, but this functionality is now
> merged into apt 0.6 (currently in experimental) in a different way which
> does not prevent downloads of unauthenticated packages altogether.  Instead,
> it requires confirmation.

While this may solve the problem you quoted, this was actually not my point
of interest, and I'm a bit surprised that obviously nobody shares my worries.

To reiterate:

I wrote on 18.01.2004 [Re: Release.gpg files gone?]:
> curiously, http://ftp-master.debian.org/ziyi_key_2004.asc contains key
> 0x1DB114E0 whereas the key-servers seem to contain key 0x63EFD949

Point 1:
There seems to be an incorrect key for ftpmaster@debian.org on the key
servers. Am I misinterpreting something? Is this not alarming? At the least:
where do I find the authoritative information on what key is the correct one?
I doubt many of us have met ftpmaster@debian.org personally, so how is the
web of trust supposed to work, supposing no one signs that key?

I remember reading something about the keyservers not being able to
correctly handle subkeys, but I believe this is not the source of this
confusion, though I would be relieved to find out that I am wrong :).

I am using gnupg 1.2.1-2 btw., which seems to be a sarge or sid download
which installed under woody without dependency problems.

Point 2:
> If ziyi_key_2003 (0x38C6029A) was replaced by ziyi_key_2003v2 (0x30B34DD5)
> after the server compromise, this indicates some concern that the private key
> may have been exposed. Would it then not be MANDATORY to re-sign all Release
> files with 2003v2 (or 2004 now)? After all, a signature with v1 provides NO
> security - either that or the replacement of the key was unnecessary.

In other words: woody's Release files are currently signed with a
potentially compromised key that has in any case expired. There is therefore
currently no way to verify the integrity of woody packages. I'm not looking
for a way to install unverified packages, I'm asking that the packages be
re-signed, or at least for an explanation why that is not deemed necessary.

Is that too much to ask? Is it that complicated? Am I asking in the wrong
place?

Regards,

Holger

Attachment: pgpUBMVVN9ZgC.pgp
Description: PGP signature
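The check Holger is asking for in Point 2, as an added example that is not part of the thread: decide from gpg's `--status-fd` lines whether a Release.gpg verification may be trusted, rejecting signatures made with an expired key and any key not in an explicit trust list. The fingerprints and status transcripts are constructed stand-ins, not the real ziyi keys or captured gpg output.

```python
"""Decide whether a Release.gpg verification result may be trusted.

Parses the machine-readable lines gpg writes with --status-fd (gnupg's
doc/DETAILS). Only a GOODSIG whose VALIDSIG fingerprint is in the trust
list passes; EXPKEYSIG (expired key, the woody case), REVKEYSIG and
BADSIG are rejected outright, whatever key they were made with.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed 40-hex-digit fingerprints, NOT real Debian keys: only the
# last eight digits echo the short key ids quoted in the thread.
FPR_2004 = "0" * 32 + "1DB114E0"   # stands in for ziyi_key_2004
FPR_2003 = "0" * 32 + "38C6029A"   # stands in for the expired ziyi_key_2003
TRUSTED_FPRS = {FPR_2004}

SIG_TAGS = ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG", "NO_PUBKEY")
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None

def check_release_signature(status_output: str, trusted=TRUSTED_FPRS) -> Verdict:
    """Return a Verdict for one gpg --status-fd transcript of Release.gpg."""
    sig_state, fpr = None, None
    for line in status_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        tag, args = m.group(1), (m.group(2) or "")
        if tag in SIG_TAGS:
            sig_state = tag
        elif tag == "VALIDSIG":          # args: <fpr> <date> <timestamp> ...
            fpr = args.split()[0].upper()
    if sig_state is None:
        return Verdict(False, "no signature status seen")
    if sig_state != "GOODSIG":           # EXPKEYSIG lands here: expired key
        return Verdict(False, f"rejected: {sig_state}", fpr)
    if fpr is None or fpr not in trusted:
        return Verdict(False, "signing key not in trust list", fpr)
    return Verdict(True, "good signature from trusted key", fpr)

# Constructed transcripts in the shape gpg emits; not captured output.
STATUS_2004 = (f"[GNUPG:] GOODSIG {FPR_2004[-16:]} ftpmaster@debian.org\n"
               f"[GNUPG:] VALIDSIG {FPR_2004} 2004-01-18 1074384000 0 3 0 17 2 00\n")
STATUS_2003 = (f"[GNUPG:] EXPKEYSIG {FPR_2003[-16:]} ftpmaster@debian.org\n"
               f"[GNUPG:] VALIDSIG {FPR_2003} 2003-01-01 1041379200 0 3 0 17 2 00\n")
```

Feeding it the output of `gpg --status-fd 1 --verify Release.gpg Release` against a keyring that holds only the current archive key answers Point 1 as well: a key that merely sits on a keyserver never enters the trust list.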

