Re: Debian mirrors and MITM

On 31-05-14 12:55, Patrick Schleizer wrote:
> Joey Hess:
>> [...] there are situations where
>> debootstrap is used without debian-archive-keyring being
>> available, [...]
> Please elaborate, which situations are these?
Let me answer this: using debootstrap on non-Debian systems, a
scenario likely to become more frequent with Debian running in Linux
containers (LXC).

However, caveats apply in these scenarios; I will illustrate one way
to think about this - if not just to gather feedback (it applies not
only to LXC/VMs but in general for the case of spawning new Debian

1) you have a Debian CD that you have verified as authentic thanks
to your web of trust; this will be the system you trust most, with
trust level T0. Let's say you got it from the warm hands of your
favourite DD and you are jealously storing it away like good wine
2) you are running a non-Debian system as host, let's say you have a
trust level Tx on this operating system (it can be anything, but also
3) using debootstrap *without* a trust path to get the archive signing
keys is enough of a mistake; in this case drinking the HTTPS Kool-Aid
doesn't fix the trust path e.g. you would multiply Tx by zero (APT
security != SSL CA security)
4) to overcome the problem above, you have to use your host system
(with trust level Tx) to get the archive signing keys or to get an
already "seeded" Debian chroot. I prefer the latter, thus I would
download an official CD or net install ISO (verifiable thanks to
https://www.debian.org/CD/verify), that we will label with trust level Ty
5) at this point you can continue the installation of your derived
Debian system, that will have same trust level Ty

Theorem: in absolutely no case can you create a system with a higher
trust level than its parent:

	Tx >= Ty

Let's depict scenarios where you want to achieve Ty = T0.

If at (3) you went forward without trusted archive signing keys, Ty is
0 (this covers the case Tx > Ty), so let's drop this scenario.

If your host system with trust Tx is let's say SuperSecureLinux
downloaded from malwareland, then:

	Ty >= T0 iff (if and only if) Tx >= T0

(You must trust malwareland more than or equally as Debian)

If instead your host system has trust level T0 (you installed it with
that lovely CD), then the chain of trust is respected (given that you
followed [4] and not [3]):

	Tx = T0 => Ty = T0

Sorry for the pseudo logic, hope it adds positively to the
understanding & discussion.

Kind regards,
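The step (4) trust path as a shell script, added here as an example; it is not code from the thread, from the poster, or from Debian. It verifies SHA256SUMS against its detached signature as described at https://www.debian.org/CD/verify, pins the expected signing-key fingerprint rather than accepting any "Good signature", checks the ISO against the verified list, and then hands debootstrap the debian-archive-keyring package found on that ISO instead of letting debootstrap run without a keyring (the step (3) mistake). The file locations, the KEYRING path, the fingerprint placeholder, the mirror URL and the presence of debian-archive-keyring in the ISO's pool/ are assumptions; the CD signing key is assumed to have been imported into $KEYRING from a source you already trust (your T0 system), not from the mirror being verified.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian): the step (4) trust path
# before debootstrap. Assumptions: SHA256SUMS, SHA256SUMS.sign and the ISO are
# already in $PWD; the Debian CD signing key was imported into $KEYRING from a
# source you already trust (your T0 system), not from the mirror being
# verified; gpg, sha256sum, dpkg-deb and debootstrap are on the host.
set -eu

# Full fingerprint of the key you trust for CD signatures. The placeholder is
# deliberately not a real key; obtain the real one out of band and pin it here.
CD_SIGNING_FPR="${CD_SIGNING_FPR:-REPLACE_WITH_TRUSTED_FINGERPRINT}"
KEYRING="${KEYRING:-${HOME:-/root}/.gnupg/debian-cd-keyring.gpg}"

# Verify the detached signature over SHA256SUMS and insist it was made by the
# pinned key: a "Good signature" from any key in the keyring is not enough.
# Fails closed if gpg is missing, the keyring is absent or the signature is bad.
verify_sums_signature() {
    sums="$1" sig="$2"
    status=$(gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
                 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $CD_SIGNING_FPR "
}

# Check the ISO against the (now trusted) list. Only the entry naming this ISO
# is consulted; both "hash  name" and "hash *name" lines are accepted.
verify_iso_checksum() {
    sums="$1" iso="$2"
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name in $sums" >&2; return 1; }
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Extract debian-archive-keyring from the verified ISO and bootstrap with it,
# so the keys APT will trust inherit the ISO's trust level Ty rather than
# coming from an unauthenticated download. Needs root for the loop mount.
# Assumes the ISO carries the keyring package under pool/ (true for the
# official installer images this example is meant for).
bootstrap_from_iso() {
    iso="$1" target="$2" suite="$3" mirror="$4"
    mnt=$(mktemp -d)
    work=$(mktemp -d)
    mount -o loop,ro "$iso" "$mnt"
    deb=$(find "$mnt/pool" -name 'debian-archive-keyring_*.deb' | head -n 1)
    if [ -z "$deb" ]; then
        umount "$mnt"
        echo "debian-archive-keyring not found on $iso" >&2
        return 1
    fi
    dpkg-deb -x "$deb" "$work"
    debootstrap --keyring="$work/usr/share/keyrings/debian-archive-keyring.gpg" \
                "$suite" "$target" "$mirror"
    umount "$mnt"
}

# Usage (hypothetical paths and mirror):
#   sh verify_and_bootstrap.sh debian-netinst.iso /srv/chroot stable http://deb.debian.org/debian
# Each step aborts the script on failure because of set -e.
if [ "$#" -eq 4 ]; then
    verify_sums_signature SHA256SUMS SHA256SUMS.sign
    verify_iso_checksum SHA256SUMS "$1"
    bootstrap_from_iso "$1" "$2" "$3" "$4"
fi
```

The order matters: the checksum list is only meaningful after its signature has been verified against the pinned fingerprint, and debootstrap is only run with a keyring taken from the ISO that passed both checks. Fetching SHA256SUMS over HTTPS does not replace any of this; it only changes who you trust to the mirror operator's CA chain, which is the "Tx multiplied by zero" case in the post.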
