Re: Signing Packages.gz

To: Jason Gunthorpe <jgg@ualberta.ca>
Cc: Anthony Towns <aj@azure.humbug.org.au>, debian-devel@lists.debian.org
Subject: Re: Signing Packages.gz
From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
Date: Sat, 1 Apr 2000 15:38:29 +0200
Message-id: <20000401153828.D309@ulysses.dhis.net>
In-reply-to: <Pine.LNX.3.96.1000331193923.27820B-100000@wakko.deltatee.com>; from jgg@ualberta.ca on Fri, Mar 31, 2000 at 08:22:14PM -0700
References: <20000401121501.A25544@azure.humbug.org.au> <Pine.LNX.3.96.1000331193923.27820B-100000@wakko.deltatee.com>

On Fri, Mar 31, 2000 at 08:22:14PM -0700, Jason Gunthorpe wrote:
> You are wrong about signed .debs vs signed package files. Signed .debs are
> not worth the bytes to transfer a signature and the time check it. Their
> only real use is to check the master archive against hack/corruption and
> even that is better served by saving the uploading .changes file
> [preferably on multiple hosts, hence d-devel-changes]. In fact I would
> argue .deb sigs only give people a false sense of security because it
> makes the system as weak as the weakest key in our keyring. 
> 
> Signed package files on the other hand provide a really fast and efficient
> way to definately verify the whole chain, from us to the user.

I can't follow your reasoning.

In the signed .debs case, I, as a developer, assert that the package comes
from me. A user can directly verify this by checking the signature.

In the signed packages file case, I as a developer, assert that the package
comes from me, which is verified by dinstall. Then the user verifies
whatever comes from dinstall, but he can not directly check if what is in
the archive comes really from the developers (not a problem if dinstall can
be trusted).

The latter adds a chain, thus one further point of weakness. I might add
that as the dinstall key can't be kept truly secret if it is stored on a
net-connected machine, this weakness is rather huge.

You already trust the maintainers (either directly or through dinstall).
What makes you think that adding a middleman improves the situation?

> In
> particular, we could have a relatively insecure daily use dinstall key
> [for unstable] and a strong release key (aka the key the security team
> uses)

I could not trust either. The former, because it is stored on a network
connected machine, the latter because it is transfered over the net (if it
is shared among the security team). Of course, if the security team use
their personal key in the latter case, I can trust it.

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server 
Marcus Brinkmann              GNU    http://www.gnu.org    for public PGP Key 
Marcus.Brinkmann@ruhr-uni-bochum.de,     marcus@gnu.org    PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/       brinkmd@debian.org

Reply to:

Follow-Ups:
- Re: Signing Packages.gz
  - From: Jason Gunthorpe <jgg@ualberta.ca>
- Re: Signing Packages.gz
  - From: Anthony Towns <aj@azure.humbug.org.au>

Prev by Date: Intent to package: eshell, pcomplete
Next by Date: Re: Signing Packages.gz
Previous by thread: Re: Signing Packages.gz
Next by thread: Re: Signing Packages.gz
Index(es):
- Date
- Thread