Hi Erich;

Am 16.12.2012 19:50, schrieb Erich Titl:
> Hi KP
> 
> Am 16.12.2012 11:12, schrieb KP Kirchdoerfer:
>> Am 15.12.2012 23:14, schrieb Erich Titl:
>>> Hi KP
>>>
>>> Am 15.12.2012 19:54, schrieb KP Kirchdoerfer:
>>>> Hi;
>>>>
>>>> I did some work on Trac ticket 57 "add gpg signing of packages", and
>>>> like to discuss, what I've done so far.
>>>
>>> Will it still be possible to load unsigned packages?
>>
>> Yes. Currently verify is not integrated into the install or update commands.
>> The user *can* download a gpg signature file for a given lrp and verify
>> the package before he installs/updates it. It's recommended, but
>> everything else will work as before.
> 
> I have a few more doubts
> 
> If the verify mechanism is built into config.lrp then it is easy to 
> circumvent it, by just disabling it there. This is even easier than in 
> initrd.

The idea is to follow this route:
http://www.apache.org/dev/release-signing.html

It does need a web-of-trust, which has not been established.
So the security is related to the web-of-trust and the strength of the
developers key.


> 
> Unfortunately I believe if such a mechanism is easy to break it is of no 
> great value. 

It shouldn't be that easy to break it.
A first value is that we start to 17 month ticket :)

> If we want this to succeed we need to build some kind of a 
> chain of trust and enforce the use of signed packages. If someone wants 
> to build his own package he has to be a member of this chain of trust. 

Keep in mind, it's also possible to install lrp's with a simple tar
command or in the case of initrd with only little more work, if someone
opens a backdoor to your router. So enforcing the use of signed packages
with apkg makes things harder and is no big win at all.


> The program to verify the signature _must_ be signed itself, not only 
> the package.

Don't understand. Can you please explain?

kp
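
The manual check discussed in this thread (download a signature file for an lrp and verify it before installing), as an added example that is not code from this message or from the LEAF project. It checks a detached signature with gpgv against one dedicated keyring and pins the signer's fingerprint, and it fails closed when the signature file is absent. Assumptions: the function name verify_lrp, the GPGV override variable, the ".asc" signature suffix, and the keyring path and fingerprint passed in by the caller.

```shell
#!/bin/sh
# Added example. verify_lrp, GPGV and the "<package>.asc" naming are
# assumptions made for illustration, not LEAF conventions.

# Verifier binary; overridable so a specific gpgv build can be selected.
GPGV="${GPGV:-gpgv}"

# verify_lrp PACKAGE KEYRING FINGERPRINT
# Returns 0 only if PACKAGE.asc is a valid detached signature over PACKAGE,
# made by a key in KEYRING whose fingerprint equals FINGERPRINT.
# Non-zero codes: 2 no package, 3 no signature file, 4 no keyring,
#                 5 signature did not verify, 6 signed by a different key.
verify_lrp() {
    pkg=$1
    keyring=$2
    want_fpr=$3
    sig="$pkg.asc"

    [ -f "$pkg" ]     || { echo "missing package: $pkg" >&2; return 2; }
    # Fail closed: a package without a signature file is rejected.
    [ -f "$sig" ]     || { echo "no signature file: $sig" >&2; return 3; }
    [ -f "$keyring" ] || { echo "missing keyring: $keyring" >&2; return 4; }

    # gpgv accepts only keys found in the keyring it is given, so keys
    # imported into a user's default keyring do not count here.
    # --status-fd 1 writes machine-readable status lines to stdout.
    status=$("$GPGV" --keyring "$keyring" --status-fd 1 "$sig" "$pkg" 2>/dev/null) || {
        echo "signature check failed: $pkg" >&2
        return 5
    }

    # Status line format: "[GNUPG:] VALIDSIG <fingerprint> ..."
    got_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ "$got_fpr" = "$want_fpr" ] || {
        echo "signed by unexpected key: ${got_fpr:-none}" >&2
        return 6
    }
    return 0
}

# Usage (paths and fingerprint are placeholders):
#   verify_lrp ./example.lrp /path/to/release-keyring.gpg <FINGERPRINT> \
#       && echo "signature OK"
```

This covers only the package check; it does not address the point raised above that a verifier living on the router can itself be disabled or replaced.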


_______________________________________________
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel