
speaking in favour of signed Packages files



Hi, all.

Defending signed Packages files
-------------------------------

I will now try to argue in favour of signed packages files:

* They allow a very quick comparison between masters and mirrors content.

* They verify the integrity of the Packages file without checking all debs
  individually.

* They can provide a highly secure and fast check for the integrity of a
  stable release archive.

* They can be used to get a reasonable amount of security for unstable
  snapshots (although no high security).

Although I think all you can do with signed packages files you can also do
with signed debs, a signed packages file offers a huge performance advantage
for some common and important things. Enough to make it worthwhile to
implement it.

To make a secure release, the packages file can be signed by the project
leader and the release manager at least, manually, on their home machine,
after verifying the integrity of the debs in the archive once (via changes
file or signed debs, whatever).

For unstable snapshots, it's probably not feasible to sign manually, as it
would be a daily duty, and too much work, even if spread among several
people. Automatic signing is imperfect because the secret key needs to be
stored in reach of dinstall. However, using self-expiring keys, which expire
frequently, and documenting the fact seems to be in practice sufficient to
the people mirroring Debian. Highly paranoid people can run further tests
(changes files or signed debs). Also, as unstable is not officially
released, people can more easily accept this imperfection.

The practice for unstable should be well documented, so people understand
why it can't make a promise for the integrity of the packages when master
would get compromised. It should also be acknowledged that this is different
from the stable Packages file, which can be as secure as we want.
 
There are some issues which are under-discussed currently, like making sure
public keys for verification are propagated and up-to-date on the users'
machine. Changing the unstable key frequently is a bit of an inconvenience,
and I would like to hear suggestions on how to handle that ;)

If I am not completely wrong, this is something that is not too far away
from the original proposal. Please let me know what you think about it.

With the above in mind, I can see how signed debs are unappealing to the
people starting the discussion. It is sort of a separate issue, reaching
very similar things with different main emphasis and optimization.
I hope we will see both in Debian one day.

Thanks,
Marcus

PS: I thank Thorsten for talking with me on the phone about this, and
Anthony for his great patience and discussion on this list. And of course,
everyone who participated.

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server 
Marcus Brinkmann              GNU    http://www.gnu.org    for public PGP Key 
Marcus.Brinkmann@ruhr-uni-bochum.de,     marcus@gnu.org    PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/       brinkmd@debian.org
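The verification chain argued for above, as an added example that is not part of the original message or of any Debian tool: an archive key with the self-expiry proposed for unstable (ed25519 is assumed here in place of the PGP key the post has in mind), a signature over the whole Packages file, and the per-deb MD5sum read from that file, so one deb is checked without touching any other. The function names, the reduced stanza format and the sample inputs are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"errors"
	"strings"
	"time"
)

// Stanza builds one Packages entry as the master side would (constructed subset of the fields).
func Stanza(pkg, version, filename string, deb []byte) string {
	sum := md5.Sum(deb)
	return "Package: " + pkg + "\nVersion: " + version + "\nFilename: " + filename +
		"\nMD5sum: " + hex.EncodeToString(sum[:]) + "\n"
}

// listedSum returns the MD5sum the Packages file lists for filename, if any.
func listedSum(packages, filename string) (string, bool) {
	for _, stanza := range strings.Split(packages, "\n\n") {
		sum, found := "", false
		for _, line := range strings.Split(stanza, "\n") {
			found = found || line == "Filename: "+filename
			if strings.HasPrefix(line, "MD5sum: ") {
				sum = strings.TrimPrefix(line, "MD5sum: ")
			}
		}
		if found && sum != "" {
			return sum, true
		}
	}
	return "", false
}

// VerifyDeb walks the chain: unexpired key (ed25519 stands in for PGP; expires models the
// proposed self-expiry), signature over the whole Packages file, then the one deb's MD5sum.
func VerifyDeb(pub ed25519.PublicKey, expires, now time.Time, packages, sig []byte, filename string, deb []byte) error {
	if now.After(expires) {
		return errors.New("archive key expired: Packages file no longer trusted")
	}
	if !ed25519.Verify(pub, packages, sig) {
		return errors.New("bad signature on Packages file")
	}
	want, ok := listedSum(string(packages), filename)
	if !ok {
		return errors.New(filename + " not listed in Packages")
	}
	if got := md5.Sum(deb); hex.EncodeToString(got[:]) != want {
		return errors.New("MD5sum mismatch for " + filename)
	}
	return nil
}
```

A mirror comparison is the same first two steps applied to the mirror's copy of the Packages file against the master's signature; the per-deb step is only needed for the debs a user actually installs.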

