[linux-elitists] [RANT] Debian the Elitist Distribution?

Jim Richardson warlock@eskimo.com
Sun Feb 15 19:36:21 PST 2004


On Sun, Feb 15, 2004 at 02:22:10PM -0800, Rick Moen wrote:
>Quoting Jim Richardson (warlock@eskimo.com):
>
>> Unfortunately, at the last time I checked, less than 15% of the official
>> Debian packages were signed appropriately. I haven't checked recently,
>> has that improved significantly?
>
>When you say "signed appropriately", are you referring to package
>maintainers' gnupg signing of the .deb binary packages directly, or
>package maintainers' signing of .changes files submitted to the buildd
>hosts?  I strongly suspect you mean the former.  To my knowledge, the
>latter will always be rejected automatically if they don't verify
>against the debian-keyring set.
>
>> All I really want/expect a signed package to tell me, is that the
>> package was signed by key XXXX, which goes a long way to assuaging my
>> concerns re: trojans and mitm attacks.
>
>I strongly suggest you study how the Releases.gpg mechanism works.
>This may help:  "Package Signing" on http://linuxmafia.com/kb/Debian
>(Disclaimer:  Material indicated is just my own documentation effort,
>and hardly definitive.  For definitive coverage, check the
>debian-security mailing list's archives.)
>

I will, thanks. 

>> Especially after the recent Debian crack. 
>
>I'm confused, here:  How would ability to gnupg-check package files
>directly have protected you against the effects of sniffed ssh password on 
>project development hosts, in a way above and beyond what the signed
>Releases files already do?
>

Cracking a box and inserting something nasty in the feed is possible
(although it didn't happen with the Debian crack), but if said inserted
package fails verification by dint of not being correctly signed, you
are accordingly warned of the problem. Since the Debian key package
signatures weren't on that machine, no signing could take place based on
a crack of that machine.

Again, I am not claiming that signed packages made a difference in this
case, but that like many other aspects of security, it's another layer.
Making it even harder for the "bad guys" to slip one by. 


>Please take the effort to actually study how the Debian
>package-submission process (and signed .changes files) work in the
>existing architecture, before commenting further.  Thanks.
>
>-- 
>Cheers,                           "This is Unix.  Stop acting so helpless."
>Rick Moen                                               -- D.J. Bernstein
>rick@linuxmafia.com

-- 
Jim Richardson     http://www.eskimo.com/~warlock
One man's theology is another man's belly laugh.
	-- Lazarus Long
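
The signed Release file mechanism discussed in this thread, as an added example that is not part of the original message: a package swapped in on a mirror fails the hash chain Release -> Packages -> .deb. It assumes the Release file's detached signature has already been verified against the archive key (not done here), uses the SHA256 fields of the current archive format, and all sample data and paths are constructed.

```python
import hashlib

def parse_release(text):
    """Return {index path: (sha256 hex, size)} from a Release file's SHA256 section."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(text):
    """Return {Filename: fields} for each stanza of a Packages index."""
    out = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[fields["Filename"]] = fields
    return out

def matches(data, digest, size):
    return len(data) == int(size) and hashlib.sha256(data).hexdigest() == digest

def verify_deb(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Walk the chain from the (already signature-checked) Release file to one .deb."""
    rel = parse_release(release_text)
    if index_path not in rel:
        return False, "index not listed in Release"
    if not matches(packages_bytes, *rel[index_path]):
        return False, "Packages index does not match Release"
    pkgs = parse_packages(packages_bytes.decode())
    if deb_path not in pkgs:
        return False, "package not listed in Packages"
    st = pkgs[deb_path]
    if not matches(deb_bytes, st["SHA256"], st["Size"]):
        return False, "package does not match Packages index"
    return True, "ok"

# Constructed sample archive (stand-in bytes, not a real package).
DEB_PATH = "pool/main/h/hello/hello_1.0_all.deb"
INDEX_PATH = "main/binary-all/Packages"
DEB = b"constructed stand-in for hello_1.0_all.deb"
PACKAGES = (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n").encode()
RELEASE = ("Suite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n")

if __name__ == "__main__":
    print(verify_deb(RELEASE, INDEX_PATH, PACKAGES, DEB_PATH, DEB))
```

Rewriting the Packages index to match a substituted package only moves the failure up one level, since the index then no longer matches the hash recorded in Release.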