[linux-elitists] [RANT] Debian the Elitist Distribution?

Rick Moen rick@linuxmafia.com
Sun Feb 15 14:22:10 PST 2004


Quoting Jim Richardson (warlock@eskimo.com):

> Unfortunately, at the last time I checked, less than 15% of the official
> Debian packages were signed appropriately. I haven't checked recently,
> has that improved significantly?

When you say "signed appropriately", are you referring to package
maintainers' gnupg signing of the .deb binary packages directly, or
package maintainers' signing of .changes files submitted to the buildd
hosts?  I strongly suspect you mean the former.  To my knowledge, the
latter will always be rejected automatically if they don't verify
against the debian-keyring set.

> All I really want/expect a signed package to tell me, is that the
> package was signed by key XXXX, which goes a long way to assuaging my
> concerns re: trojans and mitm attacks.

I strongly suggest you study how the Releases.gpg mechanism works.
This may help:  "Package Signing" on http://linuxmafia.com/kb/Debian
(Disclaimer:  Material indicated is just my own documentation effort,
and hardly definitive.  For definitive coverage, check the
debian-security mailing list's archives.)

> Especially after the recent Debian crack. 

I'm confused, here:  How would the ability to gnupg-check package files
directly have protected you against the effects of a sniffed ssh password on
project development hosts, in a way above and beyond what the signed
Releases files already do?

Please take the effort to actually study how the Debian
package-submission process (and signed .changes files) work in the
existing architecture, before commenting further.  Thanks.

-- 
Cheers,                           "This is Unix.  Stop acting so helpless."
Rick Moen                                               -- D.J. Bernstein
rick@linuxmafia.com
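The Release.gpg chain that the reply above points the reader at, as an added worked example; this is not code from the Debian project, from apt, or from either poster. Release.gpg is a detached OpenPGP signature over the Release file, checked against the archive key with gpgv; Release lists the hash and size of every Packages index; each Packages stanza lists the hash and size of one .deb. A .deb is therefore authenticated end to end without carrying a signature of its own, which is why a man-in-the-middle who swaps the .deb, or the .deb and its index, is caught. The archive contents, the file paths, the .deb bytes and the keyring path below are all constructed for the example, and the signature step is represented by a boolean the caller is assumed to obtain from gpgv out-of-band; the hash walk beneath it runs here with hashlib.

```python
"""Walk apt's trust chain: Release(.gpg) -> Packages -> .deb, by hash.
Added example, not Debian or apt code.  Sample archive data is constructed."""
import hashlib
import re

# Release section name -> (matching Packages field name, hash constructor).
HASHES = {
    "MD5Sum": ("MD5sum", hashlib.md5),
    "SHA1": ("SHA1", hashlib.sha1),
    "SHA256": ("SHA256", hashlib.sha256),
}


def parse_release(release_text):
    """Return {section: {path: (hexdigest, size)}} from the MD5Sum:/SHA1:/SHA256:
    sections of a Release file (indented ' <hash> <size> <path>' lines)."""
    tables, current = {}, None
    for line in release_text.splitlines():
        m = re.match(r"^(MD5Sum|SHA1|SHA256):\s*$", line)
        if m:
            current = tables.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            digest, size, path = line.split()
            current[path] = (digest.lower(), int(size))
        else:
            current = None  # any other header ends the hash section
    return tables


def parse_packages(packages_text):
    """Return {Filename: fields} for each blank-line-separated stanza."""
    result = {}
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            result[fields["Filename"]] = fields
    return result


def verify_deb(release_text, release_signature_ok, packages_path, packages_text,
               deb_path, deb_bytes, algo="SHA1"):
    """Return (ok, reason), checking in the same order apt does:
    signature over Release, then Release -> Packages, then Packages -> .deb."""
    if not release_signature_ok:
        return False, "Release.gpg did not verify against the archive keyring"
    field, ctor = HASHES[algo]
    index = parse_release(release_text).get(algo, {})
    if packages_path not in index:
        return False, f"{packages_path} not listed in Release ({algo})"
    want_digest, want_size = index[packages_path]
    pkg_bytes = packages_text.encode()
    if len(pkg_bytes) != want_size or ctor(pkg_bytes).hexdigest() != want_digest:
        return False, f"{packages_path} does not match hash in Release"
    stanza = parse_packages(packages_text).get(deb_path)
    if stanza is None:
        return False, f"{deb_path} not listed in {packages_path}"
    if int(stanza["Size"]) != len(deb_bytes) or \
            ctor(deb_bytes).hexdigest() != stanza[field].lower():
        return False, f"{deb_path} does not match hash in Packages"
    return True, "ok"


def gpgv_argv(keyring="/usr/share/keyrings/debian-archive-keyring.gpg"):
    """The real signature step, run out-of-band (keyring path is an assumption)."""
    return ["gpgv", "--keyring", keyring, "Release.gpg", "Release"]


# --- constructed sample archive (stand-in bytes, not a real .deb) ---
DEB_BYTES = b"!<arch>\ndebian-binary: constructed stand-in for a .deb\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"
PACKAGES_PATH = "main/binary-i386/Packages"


def build_packages(deb_bytes):
    return (f"Package: example\nVersion: 1.0-1\nArchitecture: i386\n"
            f"Filename: {DEB_PATH}\nSize: {len(deb_bytes)}\n"
            f"MD5sum: {hashlib.md5(deb_bytes).hexdigest()}\n"
            f"SHA1: {hashlib.sha1(deb_bytes).hexdigest()}\n")


def build_release(packages_text):
    b = packages_text.encode()
    return ("Origin: Debian\nSuite: stable\nArchitectures: i386\n"
            f"MD5Sum:\n {hashlib.md5(b).hexdigest()} {len(b)} {PACKAGES_PATH}\n"
            f"SHA1:\n {hashlib.sha1(b).hexdigest()} {len(b)} {PACKAGES_PATH}\n")


PACKAGES_TEXT = build_packages(DEB_BYTES)
RELEASE_TEXT = build_release(PACKAGES_TEXT)


def demo():
    """Honest download, then three man-in-the-middle attempts of growing effort."""
    evil = DEB_BYTES + b"trojan"
    honest = verify_deb(RELEASE_TEXT, True, PACKAGES_PATH, PACKAGES_TEXT, DEB_PATH, DEB_BYTES)
    swapped_deb = verify_deb(RELEASE_TEXT, True, PACKAGES_PATH, PACKAGES_TEXT, DEB_PATH, evil)
    reindexed = verify_deb(RELEASE_TEXT, True, PACKAGES_PATH, build_packages(evil), DEB_PATH, evil)
    # Rewriting Release too means Release.gpg no longer verifies: gpgv says no.
    unsigned = verify_deb(build_release(build_packages(evil)), False, PACKAGES_PATH,
                          build_packages(evil), DEB_PATH, evil)
    return honest, swapped_deb, reindexed, unsigned


if __name__ == "__main__":
    for label, outcome in zip(("honest", "swapped .deb", "swapped .deb+Packages",
                               "swapped all, unsigned"), demo()):
        print(f"{label:24} {outcome}")
```

The point the reply makes falls out of the last case: an attacker with a sniffed developer password, or sitting on the wire, can only beat this by getting a Release file signed with the archive key, and a per-.deb maintainer signature would not have added a check that the Release-to-Packages-to-.deb hash walk does not already perform. Release files of that era carried MD5Sum and SHA1 sections; the same walk works for the SHA256 sections apt relies on today.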
