
Re: Rebuilding packages on *all* architectures



Javier Fernández-Sanguino Peña <jfs@computer.org> writes:

> [2] Actually, signing releases is not the correct way since auto-builders 
> run sid and sid is not a signed release. Apt 0.6 might support signed 
> releases but I will not prevent some of the attacks Goswin described.

All packages should be signed by the autobuilder itself with a buildd
key. The changes file should also be signed before mailing.

Other steps in the chain should then add signatures on top of that (is
that possible for changes files?). With that I mean the buildd admin
and katie.


The buildd signature would say where the package was built and that it
was not modified after that. The buildd admin signature is needed to
have a human hand in it (otherwise a stolen key would collapse
everything) and to validate the buildd. And last but not least the katie
signature would validate the buildd and admin signatures and provide a
quick way to check without needing the full up-to-date keyring.

Currently we have the buildd admin signature in the changes files and
katie's signature in the Release file. But there is a gap between the
buildd and the admin, and between the admin and katie. Debian has some
trust points but they are not quite chained together yet.

Tools like the new apt or debsig-verify certainly go in the right
direction.

MfG
        Goswin
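The three-layer chain Goswin describes (buildd, buildd admin, katie, each signature covering the ones below it) as an added, stand-alone illustration; this is not code from the post or from any Debian tool. It uses Ed25519 from the Go standard library as a stand-in for the OpenPGP signatures debsign and katie actually produce, a constructed .changes snippet, and role names of its own ("buildd", "buildd-admin", "katie"); the archive side is modelled as a keyring mapping each role to the one key it expects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Layer is one signature in the chain: the role that signed and its signature.
type Layer struct {
	Role string
	Sig  []byte
}

// Bundle is a .changes file together with the signatures stacked on it.
// Each signer signs the file plus every signature already present, so a
// later layer vouches for the earlier ones (the admin for the buildd, katie
// for both), which is the chaining the post asks for.
type Bundle struct {
	Changes []byte
	Layers  []Layer
}

// signedMessage returns the bytes that layer i signs: the changes file
// followed by the role and signature of layers 0..i-1.
func signedMessage(b *Bundle, i int) []byte {
	msg := append([]byte{}, b.Changes...)
	for _, l := range b.Layers[:i] {
		msg = append(msg, []byte(l.Role+"\n")...)
		msg = append(msg, l.Sig...)
	}
	return msg
}

// AddSignature appends a signature by role over the current bundle state.
func AddSignature(b *Bundle, role string, priv ed25519.PrivateKey) {
	msg := signedMessage(b, len(b.Layers))
	b.Layers = append(b.Layers, Layer{Role: role, Sig: ed25519.Sign(priv, msg)})
}

// Verify checks the chain in order against the roles the archive expects.
// Every expected role must be present, in sequence, with a valid signature
// under the key the keyring holds for that role.
func Verify(b *Bundle, expected []string, keyring map[string]ed25519.PublicKey) error {
	if len(b.Layers) != len(expected) {
		return fmt.Errorf("expected %d signatures, found %d", len(expected), len(b.Layers))
	}
	for i, l := range b.Layers {
		if l.Role != expected[i] {
			return fmt.Errorf("layer %d: expected role %q, found %q", i, expected[i], l.Role)
		}
		pub, ok := keyring[l.Role]
		if !ok {
			return fmt.Errorf("layer %d: no key for role %q", i, l.Role)
		}
		if !ed25519.Verify(pub, signedMessage(b, i), l.Sig) {
			return fmt.Errorf("layer %d: bad %s signature", i, l.Role)
		}
	}
	return nil
}

// Scenarios builds the chain over a constructed .changes file and reports
// which variants verify: the intact chain, a file altered after the buildd
// signed it, and a bundle carrying only the buildd signature (all that a
// stolen buildd key alone can produce, which is why the human admin layer
// matters).
func Scenarios() (map[string]bool, error) {
	roles := []string{"buildd", "buildd-admin", "katie"}
	keyring := map[string]ed25519.PublicKey{}
	privs := map[string]ed25519.PrivateKey{}
	for _, r := range roles {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		keyring[r], privs[r] = pub, priv
	}

	// Constructed sample, not a real Debian .changes file.
	changes := []byte("Source: example\nVersion: 1.0-1\nArchitecture: m68k\n")

	full := &Bundle{Changes: changes}
	for _, r := range roles {
		AddSignature(full, r, privs[r])
	}

	tampered := &Bundle{Changes: append(append([]byte{}, changes...), []byte("X: altered\n")...), Layers: full.Layers}

	buildOnly := &Bundle{Changes: changes}
	AddSignature(buildOnly, "buildd", privs["buildd"])

	return map[string]bool{
		"intact chain":          Verify(full, roles, keyring) == nil,
		"modified after build":  Verify(tampered, roles, keyring) == nil,
		"buildd signature only": Verify(buildOnly, roles, keyring) == nil,
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-24s verifies: %v\n", name, ok)
	}
}
```

Because each layer signs the signatures beneath it, a verifier that trusts only katie's key can still reject a bundle whose buildd or admin layer was swapped out, and a bundle missing the admin layer fails even though its buildd signature is genuine.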


