Hi Erich; Am 16.12.2012 19:50, schrieb Erich Titl: > Hi KP > > Am 16.12.2012 11:12, schrieb KP Kirchdoerfer: >> Am 15.12.2012 23:14, schrieb Erich Titl: >>> Hi KP >>> >>> Am 15.12.2012 19:54, schrieb KP Kirchdoerfer: >>>> Hi; >>>> >>>> I did some work on Trac ticket 57 "add gpg signing of packages", and >>>> like to discuss, what I've done so far. >>> >>> Will it still be possible to load unsigned packages? >> >> Yes. Currently verify is not integrated into the install or update commands. >> The user *can* download a gpg signature file for a given lrp and verify >> the package before he installs/updates it. It's recommended, but >> everything else will work as before. > > I have a few more doubts > > If the verify mechanism is built into config.lrp then it is easy to > circumvent it, by just disabling it there. This is even easier than in > in initrd.
The idea is to follow this route: http://www.apache.org/dev/release-signing.html It does need a web-of-trust, which has not been established. So the security is related, to the web-of-trust and the strength of the developers key. > > Unfortunately I believe if such a mechanism is easy to break it is of no > great value. It shouldn't be that easy to break it. A first value is that we start to 17 month ticket :) > If we want this to succeed we need to build some kind of a > chain of trust and enforce the use of signed packages. If someone wants > tu build his own package he has to be a member of this chain of trust. Keep in mind, it's also possible to install lrp's with a simple tar command or in the case of initrd with only little more work, if someone opens a backdoor to your router. So enforcing the use of signed packages with apkg makes things harder and is no big win at all. > The program to verify the signature _must_ be signed itself, not only > the package. Don't understand. Can you please explain? kp ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ leaf-devel mailing list leaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-devel