On Mon, Apr 03, 2000 at 01:36:01PM +1000, Anthony Towns wrote: > > Debian *can* make this decision, because we know each other. Most users > can only go `James who?'.
This is easily identified as a play with names. Who is this "Debian" person you refer to anyway? After all, behind every action is a developer. > And if he's already compromised your local mirror, and decides that no > one needs an updated debian-keyring, or any of those irritating bugfree > packages? This is free software after all. You can already make a mirror that only carries out of date packages. What sort of an attack is that supposed to be? > To reiterate: signed .debs don't cope with any of the following attacks: > > * Past/current developers doing nefarious things, especially if > they also manage to compromise your local link in the distribution > network. I still disagree (the details are spread over several mails of course). > * Vandalism against Packages files Can you explain this attack to us? > * Maliciously distributing the worst possible selection of valid > packages See above. Seems to be a "Free Software" attack to me. Maybe you should file a bug report against the GPL. (You didn't laugh? Sorry, but it was supposed to be funny :) > These attacks are all based on the fact that sometimes it's Debian as a whole > acting in concert that you trust, not any and all particular developers. A Debian as a whole does not exist. There exists an abstract incorporation, but that's it. The rest is a bunch of developers. I don't see the difference in trusting the key of James or some other Debian admin. I see a difference between a personal key and a key which is lying around on some net-connected machine. You are attempting to abuse the public key (PGP) protocol to verify a group as the ownership of something. This can't work, because it was not designed to cope with such a situation. You would need to use an entirely different cryptoprotocol to solve this. All problems I see (and you keep to sweep under the table) are a direct result from this. Instead, with signed debs, the PGP protocol is used exactly for what it was designed: A signature from an individual, not from a group. (Of course, you *can* have a key that is accessable to several people, for example for organizations, as Microsoft. However, those people have to share the location, and thus act like one abstract individual. That the same can't be true for Debian is obvious: We don't have a headquarter). One note: Of course this is not the case if the Packages file is signed locally by an indivual. But in this case, the analogy to the debian-keyring key is complete (only the technical details are different, and individual debs can't be checkd of course. ) > Mmm? One per .deb, YM? That's somewhere around 40 or 50 for each X upload. > (each .deb has to be signed separately, no matter which way you do it) There are solutions to this. (Read the pgp/gpg manuals). You can pass the phrase from other programs or the environment. As a side note, realize that the secret dinstall key can't be protected efficiently by a passphrase, because the phrase itself had to be stored and readable by dinstall. > Securing the way Debian distributes its software is a *long* way from > making it impossible for an attacker to compromise huge numbers of > Debian boxen. And is of course an orthogonal issue. Thanks, Marcus PS: I would like to meet this Debian person, he must be terrible shizophrene. ;)
