I've been giving APT 0.6 a lot of thought lately and have come to the conclusion that it is a whole lot of snake oil in the context of the Debian project as we have it. Bear with me for a second... I am not about to take the piss out of the APT 0.6 people, who have done an outstanding job. The problem is deeper... From my understanding, APT 0.6 checks MD5 sums all the way up to the Releases file[0], which is signed with the archive key. So far, so good, assuming that the local APT keyring only contains the current Debian archive key, the chain of trust ensures that any package that verifies locally was uploaded to the archive by someone in control of a trusted Debian developer key (assuming ftp-master.d.o and similar machines weren't compromised). My problem is not with the technology of APT 0.6 but rather with our project. If I may eyeball it, then we consist of 1000 developers of which about 600 are active. 300 participate half-heartedly, 70 do not anymore, and 30 have stopped caring about Debian and possibly computers altogether. In the latter case, the chance of a compromise of their GPG key is incredulously high. But even without the assumption... with 1000 keys, the chances of one being compromised are extremely high. I know that most of us actually guard the keys properly, but I am more than sure that plenty developers exist that do not know how to handle GPG keys securely (think about all the private keyrings found on gluck and other machines). So if I wanted to attack 80% of all Debian machines all over the world, I would try to compromise one of the 1000 keys, thereby getting write access to the incoming queue. Then, I could NMU a package and upload a trojaned version, best one that waits a year before activating, just to make sure I actually hit stable. Obviously, I'd take something like ssh and wait for Colin to take time off, then change the maintainer address and effectively hijack the thing to make sure Colin never sees a katie announcement. If I get the timing right, I might be able to hit the freeze time. I realise that there's a lot of stuff that has to happen for it all to work out, but I also realise that it's not impossible, despite the low chance. And that's enough for me. So I guess this email isn't about APT 0.6, which does what it should and does so well. It's more about the dangers of having 1000 keys allowing write access to the archive, and noone capable of playing sheriff with the size of the project anymore. Debian did not have package signatures for years, and it's been rarely a problem. Now we are going to add them, but the sole effect is that of a false security feeling. To me, APT 0.6 is snake oil, which is *not* an offence to the guys behind apt-secure. It's a criticism of the organisation as a whole, and it's a rant without a solution that I can propose. I think, adding package signatures will actually make Debian less secure than it was before, although it's doubtful that the average user will notice or care. I'd be interested to hear your thoughts. -- Please do not CC me when replying to lists; I read them! .''`. martin f. krafft <madduck@debian.org> : :' : proud Debian developer, admin, and user `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Attachment:
signature.asc
Description: Digital signature