Re: process to include upstream jar sig in Debian-generated jar



* Michael Stone:

> On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
>>Yes but the whole thing looks weird, on one hand OP wants to include a
>>signed jar in the package, on the other hand he says "signature could be
>>omitted if quick update is needed"… What's the point having signed JAR
>>if unsigned JAR is legitimate too? Either you ban unsigned JARs or you
>>don't use signed JAR at all…
>
> It leaves that decision of whether to run with the unsigned jar up to
> the user.

How so?  The code that performs the signature check (or reports the
failure) relies on bits that we (Debian) ship.  It's impossible to
bootstrap trust, unless you already trust Debian.

Repeatable, fully deterministic builds are certainly interesting (not
just because of security or trust issues), but this signature check is
rather strange.

> I think this is a reasonable solution if it works in
> practice, and is similar in concept to what the openssl folks have
> done for FIPS validation.

That's quite different because those who built the binaries also
compute the hashes, and not the OpenSSL folks.
