
Re: apt 0.6 and how it does *not* solve the problem

martin f krafft wrote:
> Debian did not have package signatures for years, and it's been
> rarely a problem. Now we are going to add them, but the sole effect
> is that of a false security feeling. To me, APT 0.6 is snake oil,
> which is *not* an offence to the guys behind apt-secure. It's
> a criticism of the organisation as a whole, and it's a rant without
> a solution that I can propose.
>
> I think, adding package signatures will actually make Debian less
> secure than it was before, although it's doubtful that the average
> user will notice or care.
>
> I'd be interested to hear your thoughts.

Seems like you have some reasonable points. As far as a solution, perhaps some sort of ongoing DD criteria (1)? I'm just sketching out ideas here, but what about something along the lines of:

 * DD must upload at least once a year
 * Some sort of web based test to make sure people care and know about gpg 'key-man-ship', or other knowledge areas? (To bring people up to speed on new areas in Debian, like when cdbs came in)
 * Some combination of these or others.

There is an elaborate system to maintain quality in new Debian developers (which seems like a good idea to me). Why not have some sort of system for ensuring the quality of continuing DDs? If a DD didn't meet the criteria they would go into an inactive list, and if they stayed in the inactive list for 3 months, would go into the retired list, and their gpg keys _somehow_ invalidated. Is it possible on a gpg key server to mark a key as invalid, without access to the private key?

(1) I'm not a DD.
