Re: concrete steps for improving apt downloading security and privacy
On 07/14/2014 12:31 PM, Paul Wise wrote:
> On Tue, Jul 15, 2014 at 12:24 AM, Hans-Christoph Steiner wrote:
>> I agree that .deb packages should be individually signed
>> This has been discussed in the past. I really think it is just a
>> matter of someone doing the work.
> The work has been done many years ago and has been in the archive for
> ages but has probably bitrotten since apt repo signing won (mostly,
> some derivatives don't sign their repos) and now no-one uses deb
> signing (probably). The packages are dpkg-sig debsigs debsig-verify.
Ah yes, I had forgotten about those. What I'd like to see is that stuff being
integrated into the existing Debian packaging process, so that when you sign
an upload, the .deb is automatically signed as well.
One place that this will help a lot is managing completely offline machines,
like machines for running secure build and signing processes. Right now, in
order to install a package securely on an offline machine, I have to make sure
that the apt-get cache is no older than two weeks, otherwise apt-get considers
the info expired and no longer trusted. It makes sense to have a listing of
packages and updates expire. It does not make sense to have the signature on
an individual package expire. Debian does not provide the latter option.
I'd like to contribute to this effort, so the first question is: are there any
issues that might block including this in the normal package signing process
when someone is uploading to Debian? That seems like the easiest and lowest
risk place to start.
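The expiry behaviour described in the message above (apt refusing a cached index whose Release file is past its Valid-Until date) can be reproduced in a few lines. The following is an added example written for this thread, not code from apt, dpkg-sig or debsigs: it parses the header of a Release file and makes the same decision apt makes. The Release text, its dates and the two-week window are constructed for illustration; the `Date:` and `Valid-Until:` field names are the real ones apt reads, and the `check_valid_until` switch stands in for apt's `Acquire::Check-Valid-Until` option.

```python
"""Added example: why an apt index cached on an offline machine 'expires'.

Illustration code written for this discussion, not part of apt or of the
.deb signing tools mentioned in the thread. The Release file apt fetches
(and keeps under /var/lib/apt/lists) carries a 'Date:' and, optionally, a
'Valid-Until:' header. Once the clock passes Valid-Until, apt treats the
index, and everything it lists, as expired and no longer trusted, even
though the signature on the Release file itself still verifies.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample (hypothetical dates): a Release file from mid-July
# 2014 whose Valid-Until is about two weeks later. The real archive picks
# its own window; the two-week figure is only the one quoted in the thread.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: wheezy
Date: Sat, 12 Jul 2014 08:52:29 UTC
Valid-Until: Sat, 26 Jul 2014 08:52:29 UTC
Architectures: amd64 i386
Components: main contrib non-free
"""


def parse_release_fields(text):
    """Parse the RFC-822-style header of a Release file into a dict.

    Lines that start with whitespace are continuations of the previous
    field (that is how the checksum blocks are laid out); they are joined
    to the preceding key. Parsing stops at the first blank line.
    """
    fields = {}
    key = None
    for line in text.splitlines():
        if not line.strip():
            break
        if line[0] in " \t":
            if key is not None:
                fields[key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        fields[key] = value.strip()
    return fields


def valid_until(text):
    """Return the Valid-Until instant as an aware UTC datetime, or None
    when the Release file has no Valid-Until (such an index never expires)."""
    fields = parse_release_fields(text)
    if "Valid-Until" not in fields:
        return None
    when = parsedate_to_datetime(fields["Valid-Until"])
    if when.tzinfo is None:          # defensive: treat naive as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when


def release_expired(text, now, check_valid_until=True):
    """Mirror apt's decision: True if 'now' is past the Valid-Until header.

    check_valid_until=False plays the role of apt's
    Acquire::Check-Valid-Until "false", which makes apt ignore the header;
    that is the knob an offline machine would otherwise need to flip.
    """
    if not check_valid_until:
        return False
    until = valid_until(text)
    if until is None:
        return False
    return now.astimezone(timezone.utc) > until


if __name__ == "__main__":
    synced = datetime(2014, 7, 14, 12, 31, tzinfo=timezone.utc)   # day the cache was copied over
    later = datetime(2014, 8, 1, tzinfo=timezone.utc)             # day someone tries to install
    print("expires at:", valid_until(SAMPLE_RELEASE))
    print("expired on sync day:", release_expired(SAMPLE_RELEASE, synced))
    print("expired two+ weeks later:", release_expired(SAMPLE_RELEASE, later))
    print("same, check disabled:",
          release_expired(SAMPLE_RELEASE, later, check_valid_until=False))
```

The point the example makes concrete: the expiry is a property of the index listing, not of any individual package, so a .deb copied to an offline box is rejected or accepted purely on the age of the Release file that lists it. Disabling the check restores installability but also discards the freshness protection the header exists to provide, which is why a non-expiring signature carried by the .deb itself (what dpkg-sig, debsigs and debsig-verify were built for) is the thing the message asks for.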