
Re: Crypto signing of packages



> Bruce:
> > I'd be OK with accepting PGP-signed communication from a maintainer
> > regarding security matters, once that maintainer had been through
> > our certification procedure. Of course this relies on maintainers
> > not getting their keys compromised.
> 
> I'm afraid that this is not a realistic requirement.  Maintainers' keys
> _will_ be compromised.
> 

I agree.

> We have either to live with the situation where anyone who can
> compromise any maintainer's key can get trojan code into our
> distribution, or we have to come up with a way of detecting and
> dealing with maintainer key compromise.
> 

I don't even think maintainer key compromise is the most likely route of 
trojans; just as effective would be to compromise the maintainer's machine,
modifying either the original source on which the maintainer depends for 
building the debian package or the patch to that source.  If the maintainer 
has no effective method of detecting such actions the maintainer will happily 
insert trojans into the distribution without the intruder having to know the 
key or even care about the existence of the key.  AFAIK there is not much 
protection against this under the current system.  I suggested a couple of 
months ago considering moving to a system in which the source packages are 
able to play a greater role in the distribution (at the user's option of 
course), with updates being made via incremental patches (updated patches 
against .orig files could also be patches).  Most people who replied at the 
time thought it was either a bad idea or an idea which took a very low 
priority; maybe with the recent focus people may be more receptive.  This way 
if a user has what they consider a secure source tree on their own system, 
they can more easily vet what is happening during package updates (of course 
if they don't care they can just use the binaries).  Apart from the security 
benefits there are big bandwidth pluses also (anyone else get sick of 
downloading 20meg just to change the name of the maintainer?).  I don't think 
it would be *that* difficult to implement; the main problem at the moment is 
that there is very little incentive to install from source as far as 
assistance packages go.


Richard Jones.
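The vetting step Richard describes, as an added example that is not part of the thread or of any Debian tooling: a user who holds a locally vetted source tree receives an update as an incremental patch and wants to know, before applying it, whether the patch only touches packaging files, whether it quietly alters upstream source that should have arrived through a vetted .orig, and whether it was even generated against the same base the user trusts. The source tree, the patch, the `debian/` packaging prefix convention and the function names (`parse_unified_diff`, `vet_update`, `manifest`) are all constructed assumptions for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed example of a locally vetted source tree (path -> contents).
TRUSTED_TREE = {
    "src/hello.c": '#include <stdio.h>\nint main(void) {\n    puts("hello");\n    return 0;\n}\n',
    "debian/control": "Source: hello\nMaintainer: Old Name <old@example.invalid>\n",
}

# Constructed incoming update patch: one packaging change plus one change to
# upstream source that did not come through a vetted .orig file.
UPDATE_PATCH = """\
--- a/debian/control
+++ b/debian/control
@@ -1,2 +1,2 @@
 Source: hello
-Maintainer: Old Name <old@example.invalid>
+Maintainer: New Name <new@example.invalid>
--- a/src/hello.c
+++ b/src/hello.c
@@ -1,5 +1,6 @@
 #include <stdio.h>
 int main(void) {
+    puts("unexpected new code");
     puts("hello");
     return 0;
 }
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")


@dataclass
class FileChange:
    path: str
    added: list = field(default_factory=list)    # lines the patch introduces
    removed: list = field(default_factory=list)  # lines the patch deletes
    context: list = field(default_factory=list)  # unchanged lines the patch expects to find


def parse_unified_diff(text):
    """Minimal unified-diff parser: collects added/removed/context lines per file.

    Hunk line counts from the @@ header decide when a hunk ends, so a removed
    line that happens to begin with '--' is never mistaken for a file header.
    """
    changes, current, old_left, new_left = [], None, 0, 0
    for line in text.splitlines():
        if old_left > 0 or new_left > 0:          # inside a hunk body
            body = line[1:]
            if line.startswith("+"):
                current.added.append(body); new_left -= 1
            elif line.startswith("-"):
                current.removed.append(body); old_left -= 1
            else:
                current.context.append(body); old_left -= 1; new_left -= 1
            continue
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            current = FileChange(path)
            changes.append(current)
        else:
            m = HUNK_RE.match(line)
            if m:
                old_left = int(m.group(1)) if m.group(1) is not None else 1
                new_left = int(m.group(2)) if m.group(2) is not None else 1
    return changes


def vet_update(trusted_tree, patch_text, packaging_prefix="debian/"):
    """Classify each file the patch touches relative to the user's trusted tree.

    Returns path -> one of:
      'packaging'          change confined to the packaging directory
      'upstream-modified'  patch alters upstream source outside a vetted .orig
      'new-file'           file does not exist in the trusted tree
      'base-mismatch'      patch expects lines the trusted tree does not contain
    """
    verdicts = {}
    for change in parse_unified_diff(patch_text):
        if change.path not in trusted_tree:
            verdicts[change.path] = "new-file"
            continue
        have = set(trusted_tree[change.path].splitlines())
        if any(line not in have for line in change.context + change.removed):
            verdicts[change.path] = "base-mismatch"
        elif change.path.startswith(packaging_prefix):
            verdicts[change.path] = "packaging"
        else:
            verdicts[change.path] = "upstream-modified"
    return verdicts


def manifest(tree):
    """sha256 per file: pin this once the tree is vetted, recompute on each update."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in tree.items()}


if __name__ == "__main__":
    for path, verdict in vet_update(TRUSTED_TREE, UPDATE_PATCH).items():
        print(f"{verdict:18} {path}")
```

Run as written, the packaging change is reported as `packaging` and the change to `src/hello.c` as `upstream-modified`, which is the case a user would want to read before applying. A `base-mismatch` verdict means the patch was produced against a different .orig than the one the user vetted, which is exactly the maintainer-machine scenario above: the trojan would be in the base, not in the visible diff, so the update should not be applied until the base difference is explained.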