Re: apt 0.6 and how it does *not* solve the problem
martin f krafft <firstname.lastname@example.org> writes:
> So I guess this email isn't about APT 0.6, which does what it should
> and does so well. It's more about the dangers of having 1000 keys
> allowing write access to the archive, and noone capable of
> playing sheriff with the size of the project anymore.
I think this is a real problem. I would quibble with your estimate of
its likelihood, but that doesn't really matter. (And I don't know
what "incredulously high" means--check your dictionary--"incredulous"
is not a synonym of "incredible".)
Start off with the assumption that we can trust real developers. If
we cannot, then all bets are off.
So the problem reduces to: how do we catch the case where an inactive
or inattentive developer's key is snagged to do trojan uploads?
You are right that it is possible to sneak in NMUs in such a way that
the maintainer doesn't see them. But *someone* sees them. It seems
entirely reasonable to me to track maintainer changes and NMUs, and
when they occur, to do some things to make sure that they come to the
attention of someone known to be reasonable.
I have some ideas about how this could be done.
> I think, adding package signatures will actually make Debian less
> secure than it was before, although it's doubtful that the average
> user will notice or care.
How can it make it less secure? The package signatures raise the bar
for an attacker. They do not eliminate all problems, but they close
off one whole area of compromises. And--I would suggest--they do not
create false security, because they close off the easier attacks. So
all the people who can accomplish the easy attack but not the hard one
are successfully stopped by package signature checking.