
Re: process to include upstream jar sig in Debian-generated jar



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/29/2013 10:56 AM, Michael Stone wrote:
> On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
>> Yes but the whole thing looks weird, on one hand OP wants to include a
>> signed jar in the package, on the other hand he says "signature could
>> be omitted if quick update is needed"… What's the point of having a signed
>> JAR if an unsigned JAR is legitimate too? Either you ban unsigned JARs or
>> you don't use signed JARs at all…
> 
> It leaves that decision of whether to run with the unsigned jar up to
> the user. I think this is a reasonable solution if it works in practice,
> and is similar in concept to what the openssl folks have done for FIPS
> validation.
> 
> Mike Stone
> 

Another idea is that it provides a public record of whether the upstream jar
matches the Debian jar, which is guaranteed to be built from source.  This
could then serve as a verification that the upstream jar did not have code
injected into it that is not in the source tarball.

One example of how this might happen is if a governmental agency issues a
secret order to implant a back door in said app.

.hc
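The check .hc describes (a public record of whether the signed upstream jar matches the jar Debian built from source, and whether the upstream signature could therefore be carried over) can be scripted. The following is an added example written for this archive page; it is not code from the thread, from the Debian Java packaging tools, or from any upstream project. The class bytes, entry names, manifest and the UPSTREAM.SF/UPSTREAM.RSA placeholders are all constructed in memory for the demonstration; a real signature block is a PKCS#7 blob that this script does not verify.

```python
"""Compare a signed upstream jar against a Debian jar built from source.

Added example (not from the thread, the Debian Java tools or any upstream
project). Two things are checked:

  1. compare_jars(): entry-by-entry SHA-256 of the payload, ignoring the
     files jarsigner adds or rewrites (META-INF/MANIFEST.MF, *.SF, *.RSA ...)
     and ignoring zip metadata such as timestamps and entry order, which
     differ between any two builds even when the classes are identical.
  2. upstream_signature_covers(): whether every SHA-256-Digest the upstream
     signer vouched for in MANIFEST.MF matches the bytes Debian built. Only
     then does copying the upstream META-INF/MANIFEST.MF, *.SF and *.RSA into
     the Debian jar give a jar that still verifies.

All jars below are constructed sample data, not real releases.
"""
import base64
import hashlib
import io
import zipfile

# Constructed stand-ins for class files (the check only looks at bytes).
MAIN_CLASS = b"\xca\xfe\xba\xbe" + b"Main: reads config, starts app"
UTIL_CLASS = b"\xca\xfe\xba\xbe" + b"Util: string helpers"
BACKDOORED_MAIN = MAIN_CLASS + b"; also phones home"  # code not in the source tarball

SOURCE_BUILD = {"com/example/Main.class": MAIN_CLASS,
                "com/example/Util.class": UTIL_CLASS}
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """Entries jarsigner writes; expected to be absent from a from-source build."""
    if name == "META-INF/MANIFEST.MF":
        return True
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def b64_sha256(data):
    """Digest encoding used by jarsigner's SHA-256-Digest manifest attribute."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(entries):
    """MANIFEST.MF with one per-entry section per file, as a signed jar carries."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def build_jar(entries, manifest, signed, date):
    """Build a jar in memory; upstream and Debian get different timestamps on purpose."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", date), manifest)
        if signed:  # placeholder signature files (a real .RSA is a PKCS#7 blob over the .SF)
            zf.writestr(zipfile.ZipInfo("META-INF/UPSTREAM.SF", date), b"Signature-Version: 1.0\r\n")
            zf.writestr(zipfile.ZipInfo("META-INF/UPSTREAM.RSA", date), b"<pkcs7 blob>")
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date), data)
    return buf.getvalue()


def honest_upstream_jar():
    return build_jar(SOURCE_BUILD, build_manifest(SOURCE_BUILD), True, (2013, 8, 1, 0, 0, 0))


def backdoored_upstream_jar():
    tampered = dict(SOURCE_BUILD, **{"com/example/Main.class": BACKDOORED_MAIN})
    return build_jar(tampered, build_manifest(tampered), True, (2013, 8, 1, 0, 0, 0))


def debian_jar():
    """Rebuilt from the source tarball: same classes, later timestamp, no signature."""
    return build_jar(SOURCE_BUILD, b"Manifest-Version: 1.0\r\n\r\n", False, (2013, 8, 29, 12, 0, 0))


def whole_jar_identical(a, b):
    """Naive check: differs even for identical classes, because zip metadata differs."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def content_digests(jar_bytes):
    """SHA-256 of every payload entry the upstream signature is supposed to cover."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_jars(upstream, debian):
    """Entry-by-entry diff; empty lists mean the payloads are byte-identical."""
    up, deb = content_digests(upstream), content_digests(debian)
    return {"only_upstream": sorted(set(up) - set(deb)),
            "only_debian": sorted(set(deb) - set(up)),
            "differ": sorted(n for n in set(up) & set(deb) if up[n] != deb[n])}


def parse_manifest(data):
    """{entry name: SHA-256-Digest} from a MANIFEST.MF; joins 72-byte continuation lines."""
    text = data.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        if "Name" in fields and "SHA-256-Digest" in fields:
            digests[fields["Name"]] = fields["SHA-256-Digest"]
    return digests


def upstream_signature_covers(upstream, debian):
    """True iff each digest the upstream signer vouched for matches the Debian-built bytes."""
    with zipfile.ZipFile(io.BytesIO(upstream)) as up:
        signed = parse_manifest(up.read("META-INF/MANIFEST.MF"))
    with zipfile.ZipFile(io.BytesIO(debian)) as deb:
        names = set(deb.namelist())
        return all(name in names and b64_sha256(deb.read(name)) == digest
                   for name, digest in signed.items())


if __name__ == "__main__":
    for label, up in (("honest", honest_upstream_jar()), ("backdoored", backdoored_upstream_jar())):
        print(label, "whole-file identical:", whole_jar_identical(up, debian_jar()))
        print(label, "payload diff:", compare_jars(up, debian_jar()))
        print(label, "upstream signature covers Debian build:", upstream_signature_covers(up, debian_jar()))
```

In practice the comparison only comes out clean if the Debian build reproduces the upstream class files bit for bit (same javac version and options, no stripped debug info, no Debian patches touching those classes); any difference shows up in `differ` and the upstream signature cannot be reused, which is itself the record .hc wants. A full `jarsigner -verify` additionally checks the `.SF` digests over the manifest sections and the PKCS#7 block; this script assumes those are checked separately once the payload is known to match.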