Re: Signing Packages.gz

To: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
Cc: debian-devel@lists.debian.org
Subject: Re: Signing Packages.gz
From: Torsten Landschoff <torsten@debian.org>
Date: Sat, 1 Apr 2000 20:52:36 +0200
Message-id: <20000401205235.A15238@wormhole.galaxy>
In-reply-to: <20000401160020.E309@ulysses.dhis.net>; from Marcus Brinkmann on Sat, Apr 01, 2000 at 04:00:20PM +0200
References: <20000324124741.F30466@foursquare.net> <874s9u7lnk.fsf@hoss.orcus.priv.at> <20000326090034.E9092@azure.humbug.org.au> <20000326160220.C454@ulysses.dhis.net> <20000327083710.A30185@azure.humbug.org.au> <20000401012403.A4090@ulysses.dhis.net> <20000401121501.A25544@azure.humbug.org.au> <20000401125553.B25544@azure.humbug.org.au> <20000401160020.E309@ulysses.dhis.net>

On Sat, Apr 01, 2000 at 04:00:20PM +0200, Marcus Brinkmann wrote:

> It seems you feel personally insulted. I am sorry for this, but
> unfortunately it doesn't change the situation that the signed packages case
> adds a further point of weakness to the chain of trust.

Interesting. So signing Packages.gz will lower the security? I don't see
the point. We can quite easily sign our Packages files without much effort
and I think it would greatly increase the security of our mirrors.

It's not a perfect solution but it is better than our current setup. If
you ask me we should do it. ASAP.

> We already use link 1 (signed changes files), and trust it. This won't
> be changed by either proposal. Yes, even in the signed packages file you
> trust all developers keys.

There is a difference between our master server trusting the uploaded changes
files. master will by definition always have the current keyring. The user
might not.

> Now link 2. It is currently absent. What you seem to suggest is to add a key
> (dinstall-key) here, so the user can verify the archive. This adds a point
> of weakness. As the dinstall key can't be used automatically and kept "truly"[1]
> secret (it directly depends on the security of master), this weakness is rather
> huge. This problem is avoided if the link 1 is propagated to the users:

Okay - signing Packages will make Debian as secure as master is. Fine.
We must assume that master is secure otherwise we are doomed anyway. 
Currently Debian is as secure as the worst maintained mirror.

> What link 2 asserts instead is that the packages come from master. It solves
> the mirror problem, but does not solve the master problem.

So let's fix the mirror problem and let the master problem for later. 

> I don't object to a signed Packages file, but it is important to see which
> problem it solves and which it doesn't solve. Also it is important to
> realize that the secret key automatically used by dinstall can not be stored
> in a highly secure way.

I would say that the proposal that Jason made sounds good. Have a low-security
key on master which is used to automatically sign the Packages (of course
you would need to breach the account dinstall is running with or become root
to read that private key).

Then let our security team sign the stable releases. That keys are kept
private on their machines.

Thanks

    Torsten

-- 
Torsten Landschoff           Bluehorn@IRC               <torsten@debian.org>
           Debian Developer and Quality Assurance Committee Member

Attachment: pgpTLZ9f6kFhv.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Signing Packages.gz
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>

References:
- Re: Signing Packages.gz
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>

Prev by Date: Re: Obsolete packages
Next by Date: Re: ATTN: pjw@edmc.net
Previous by thread: Re: Signing Packages.gz
Next by thread: Re: Signing Packages.gz
Index(es):
- Date
- Thread