Re: concrete steps for improving apt downloading security and privacy
On 07/14/2014 12:59 PM, Paul Wise wrote:
> On Tue, Jul 15, 2014 at 12:45 AM, Hans-Christoph Steiner wrote:
>> I'd like to contribute to this effort
> First thing is to get #733029 fixed, which involves disabling signing
> by default (signing should be done after testing not before) and
> adding a signing tool to dpkg-dev. Then debsign/debuild need adapting
> to the new default and the new signing tool. Then you can modify the
> dpkg signing tool to sign .deb files using code from the old stuff and
> convince the dpkg maintainers to accept it. Somewhere in there the old
> approaches/code should be looked at, checked if they still work and
> the old documentation and external websites (some of them only on
> archive.org) and mailing list discussions.
I agree that dpkg-buildpackage should not try to sign by default unless
the signer in debian/changelog matches the currently logged in person.
But there should always be at least a "builder" signature on every .deb. That
signature is not there to testify that it is a tested release, it is there to
verify that the package was not modified since the builder created it.
The Android security model is a good example: you cannot even install an .apk
(like an Android .deb) that does not have a signature in it. All .apks must
have a valid signature in order to be installed. For debug builds, the
Android build tools make it dead simple to use a debug key to sign .apks.
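As an added illustration of the builder-signature model argued for in this reply (example code written here, not code from dpkg, debsign, debuild or the Android build tools): a toy installer that refuses any package without a signature, refuses any package whose bytes no longer match the builder's signature, and then decides separately which builder keys it trusts, so a debug key can be accepted on a developer machine and refused elsewhere. The package format is an assumption of the example (a flat byte payload with the signer key embedded, rather than a real ar-based .deb), the keys and payload are constructed, and ed25519 from the Go standard library stands in for whatever OpenPGP-based tooling dpkg would actually use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedPackage is a toy stand-in for a .deb that carries a builder
// signature inside the package itself. Real .deb files are ar archives;
// this example (an assumption of the illustration) uses a flat payload.
type SignedPackage struct {
	Payload   []byte
	Signer    ed25519.PublicKey // nil when the package was never signed
	Signature []byte
}

var (
	ErrUnsigned  = errors.New("package carries no builder signature")
	ErrBadSig    = errors.New("builder signature does not match package contents")
	ErrUntrusted = errors.New("builder key is not in the installer's trust store")
)

// BuildAndSign models the builder step: every package leaves the builder
// with a signature over its exact bytes. It says nothing about whether the
// package was tested, only who produced these bytes.
func BuildAndSign(priv ed25519.PrivateKey, payload []byte) SignedPackage {
	return SignedPackage{
		Payload:   append([]byte(nil), payload...),
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload),
	}
}

// Install models the Android-style installer policy: refuse anything without
// a signature, refuse anything whose bytes no longer match the signature,
// and only then decide whether the signing key is one this installer trusts.
func Install(pkg SignedPackage, trusted []ed25519.PublicKey) error {
	if len(pkg.Signer) != ed25519.PublicKeySize || len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	// Integrity check: passes only if Payload is byte-for-byte what the holder
	// of pkg.Signer signed. The key travels with the package, so this proves
	// "unmodified since signed", not that the signer is anyone we know.
	if !ed25519.Verify(pkg.Signer, pkg.Payload, pkg.Signature) {
		return ErrBadSig
	}
	for _, k := range trusted {
		if bytes.Equal(k, pkg.Signer) {
			return nil
		}
	}
	return ErrUntrusted
}

// Scenarios runs the cases discussed in the thread and returns the installer's
// verdict for each, keyed by name, so the outcomes can be inspected or tested.
func Scenarios() (map[string]error, error) {
	// Constructed keys: a release key and a throwaway debug key of the kind
	// the Android build tools generate for debug builds.
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	debugPub, debugPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	payload := []byte("constructed package contents, not a real .deb")
	releaseOnly := []ed25519.PublicKey{releasePub}
	devMachine := []ed25519.PublicKey{releasePub, debugPub}

	signed := BuildAndSign(releasePriv, payload)

	// Tamper after the builder signed: flip one byte of a private copy.
	tampered := signed
	tampered.Payload = append([]byte(nil), signed.Payload...)
	tampered.Payload[0] ^= 0x01

	return map[string]error{
		"release signed":       Install(signed, releaseOnly),
		"unsigned":             Install(SignedPackage{Payload: payload}, releaseOnly),
		"tampered":             Install(tampered, releaseOnly),
		"debug on release box": Install(BuildAndSign(debugPriv, payload), releaseOnly),
		"debug on dev box":     Install(BuildAndSign(debugPriv, payload), devMachine),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		if verdict == nil {
			fmt.Printf("%-22s installed\n", name)
		} else {
			fmt.Printf("%-22s rejected: %v\n", name, verdict)
		}
	}
}
```

The point the split between ErrBadSig and ErrUntrusted makes is the one in the reply above: the builder signature answers "were these bytes changed since the builder produced them?", and which builder keys an installer accepts (release key only, or release plus a debug key) is a separate policy decision layered on top, not a reason to let unsigned packages through.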