| Author |
Message |
Mikhail Sobolev *nix forums beginner
Joined: 23 Nov 2005
Posts: 2
|
Posted: Wed Nov 23, 2005 6:10 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
| Quote: | As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's a bit more satisfying (== non-Debian stuff). As the ftp-masters
and the dpkg maintainers seem to have no interest in the whole thing,
I'm beginning to doubt that it's sensible to work on dpkg-sig.
|
I'd be very interested in the whole idea.
--
Misha
PS I'm not a DD |
|
|
 |
Adam Heath *nix forums Guru Wannabe
Joined: 22 Feb 2005
Posts: 100
|
Posted: Wed Nov 23, 2005 6:20 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, 23 Nov 2005, Marc Haber wrote:
| Quote: | In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].
So, most of the DD's do not care about security at all. Why does
Debian have a reputation of being so secure?
|
Ah, you're a gloom-and-doomer.
There's been no push. No default. No message saying that it's acceptable and
wanted to sign debs.
Most people (not just DD) take the defaults, the easy way out. These numbers
will increase when the default is to sign.
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
|
|
 |
Henrique de Moraes Holsch *nix forums Guru
Joined: 21 Feb 2005
Posts: 541
|
Posted: Wed Nov 23, 2005 6:40 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Thu, 24 Nov 2005, Anthony Towns wrote:
| Quote: | Personally, I think it's cryptographic snake oil, at least in so far
|
A signed deb has a seal of procedence and allows one to track the path it
made through the system, and who changed it. It ties a non-trustable
timestamp to every signed step in that path, but that has limited use.
It allows one to verify against tampering of the data along that path.
It does no more. Nobody who really knows what he's talking about claimed
that it did.
I do claim that a cryptographic seal of procedence and non-tampering IS
valuable information, and also that dpkg-sig delivers that information in a
much more usable and universal way than anything else we have currently.
| Quote: | something that provides DD-to-user package signatures at least in some
cases is very desirable indeed.
debian-devel-changes provides this.
|
Not in a very useable form, and only for Debian packages uploaded to the
official Debian archive. This is hardly good enough.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh |
|
|
 |
John Hasler *nix forums Guru
Joined: 20 Feb 2005
Posts: 687
|
Posted: Wed Nov 23, 2005 6:40 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
Marc Haber writes:
| Quote: | So, most of the DD's do not care about security at all.
|
I think that DD's do not use dpkg-sig and debsigs because they believe them
to be hard to use and not supported by the infrastructure or by policy.
--
John Hasler |
|
|
 |
Henrique de Moraes Holsch *nix forums Guru
Joined: 21 Feb 2005
Posts: 541
|
Posted: Wed Nov 23, 2005 6:50 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, 23 Nov 2005, Jeroen van Wolffelaar wrote:
| Quote: | In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].
I'm not going to interpret these numbers, as it's close to impossible to
do so objectively.
|
Well, *I* can speak for myself, and all my packages would have been signed
had I known I am allowed to upload signed packages to Debian, which I
didn't.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh |
|
|
 |
John Hasler *nix forums Guru
Joined: 20 Feb 2005
Posts: 687
|
Posted: Wed Nov 23, 2005 7:00 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
Olaf van der Spek writes:
| Quote: | Security is more than package signatures.
|
What is your specific proposal?
--
John Hasler |
|
|
 |
Henrique de Moraes Holsch *nix forums Guru
Joined: 21 Feb 2005
Posts: 541
|
Posted: Wed Nov 23, 2005 7:10 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, 23 Nov 2005, John Hasler wrote:
| Quote: | Olaf van der Spek writes:
Security is more than package signatures.
What is your specific proposal?
|
Don't go there, or at least start another thread to do so. Olaf is correct,
signed packages are not enough and we have rehearsed that discussion a lot.
This doesn't mean that signed packages are useless, far from it.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh |
|
|
 |
Matthew Garrett *nix forums Guru Wannabe
Joined: 01 Mar 2005
Posts: 164
|
Posted: Wed Nov 23, 2005 8:30 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> wrote:
| Quote: | Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).
|
The answer is "all of them", so this one's not very compelling.
--
Matthew Garrett | mjg59-chiark.mail.debian.devel@srcf.ucam.org |
|
|
 |
Goswin von Brederlow *nix forums Guru
Joined: 20 Feb 2005
Posts: 658
|
Posted: Wed Nov 23, 2005 8:30 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
Anthony Towns <aj@azure.humbug.org.au> writes:
| Quote: | On Wed, Nov 23, 2005 at 11:33:47AM +0100, Florian Weimer wrote:
* Marc Brockschmidt:
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the binary version and the compressed control and data
tarballs. This means that signed binary packages are rejected.
This is a pity. I think dpkg-sig is an important step into the right
direction: providing more assurances about package integrity to our
users.
Personally, I think it's cryptographic snake oil, at least in so far
as it relates to Debian. I remain interested in seeing any realistic
demonstration of how a Debian user could reasonably rely on them for
any practical assurance.
|
Use 1: I have this deb in my apt-move mirror and I want to know if it
was compromised on yesterday's break-in
    Boot a clean system with debian keyring and check all deb
    signatures.
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
    Look for all debs that have a deb signature of the debian archive
    (to be added to dinstall at some point).
Use 3: The debian servers were compromised and the security team takes
too long to check the archive for my taste
    Being a normal user I obviously have no mail archive of all the
    old changes files laying around so that road is closed. But everyone
    has a Debian stable CD with keyring. See Use 1.
Use 4: The Debian Archive Key has expired yet again, like every year
or the Release.gpg file is out of sync as so often on some
mirrors and I still want to verify debs.
    Check deb signatures against the keyring instead of the Release.gpg
    check in apt.
Use 1, 3 and 4 rely on a manual signature of each deb. One suggestion
is to add this to debsign so the only change for developers is that
gpg asks for the passphrase more often. Use 2 would require an
automatic signature by the archive.
While the log contains the md5sum of each build deb it does not
contain any signature against tampering. Same goes for the mail
exchange between the buildd and admin for all the admins that sign by
mail.
Tampered debs can be uploaded by sending a fake mail to the admin and
filtering out his response. A deb signature of the buildd and a
subsequent dak check would prevent this.
| Quote: | something that provides DD-to-user package signatures at least in some
cases is very desirable indeed.
debian-devel-changes provides this.
|
That covers only the sourcefull uploads and the arch specific -changes
lists are not archived and therefore useless for non constant
monitoring.
Kind regards
Goswin |
|
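The dak rule quoted in the post above (no more than 3 parts per package) and its effect on signed .debs, as an added example that is not part of the original thread and is not dak or dpkg-sig code. It assumes that a .deb is an ar archive and that a binary signature is stored as an extra member whose name starts with `_gpg` (`_gpgbuilder` here); the function names are hypothetical and both sample archives are constructed.

```python
# Added illustration: function names are hypothetical, sample archives are constructed.
AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name16 mtime12 uid6 gid6 mode8 size10 + 2-byte terminator

def build_ar(members):
    """Build a minimal ar archive from (name, payload) pairs (sample data only)."""
    out = AR_MAGIC
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name.encode("ascii"), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")  # pad to even length
    return out

def ar_members(blob):
    """Return [(name, payload)] for every member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        name = header[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(header[48:58].decode("ascii"))
        payload = blob[pos + HEADER_LEN:pos + HEADER_LEN + size]
        if len(payload) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, payload))
        pos += HEADER_LEN + size + (size % 2)  # members are 2-byte aligned
    return members

def check_deb(blob, max_parts=3):
    """Apply the 'no more than 3 parts' rule and list signature members."""
    names = [name for name, _ in ar_members(blob)]
    return {
        "members": names,
        # Presence only: validity still has to be checked against a keyring.
        "signatures": [n for n in names if n.startswith("_gpg")],  # assumed prefix
        "accepted": len(names) <= max_parts,
    }

BASE = [("debian-binary", b"2.0\n"),
        ("control.tar.gz", b"<constructed control>"),
        ("data.tar.gz", b"<constructed data>")]
UNSIGNED_DEB = build_ar(BASE)
SIGNED_DEB = build_ar(BASE + [("_gpgbuilder", b"<constructed signature>")])

if __name__ == "__main__":
    for label, deb in (("unsigned", UNSIGNED_DEB), ("signed", SIGNED_DEB)):
        print(label, check_deb(deb))
```

The signed archive fails the rule only because of its fourth member, which is why a count-based check rejects every signed .deb regardless of whether the signature is good.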
|
 |
Peter Samuelson *nix forums Guru Wannabe
Joined: 21 Feb 2005
Posts: 212
|
Posted: Wed Nov 23, 2005 8:50 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
[Erinn Clark]
| Quote: | Yet just today you filed a bug (#340403) for documentation to be
included in the package since you were unable to explain dpkg-sig's
strengths. How is it possible for you to claim something is more secure
when you don't understand it well enough to say how it's different?
|
That's unfair and you know it. It seems he *did* educate himself about
dpkg-sig: "I had to look for a while to find the dpkg-sig FAQ on the
web page." It is perfectly reasonable to want users to have easy
access to this information, given the rather confusing array of
signature-related packages and options in Debian packaging.
Not knowing the relative advantages of dpkg-sig versus debsigs is
hardly the same thing as being unqualified to speak about the reasons
(or lack thereof) to support signed .debs. And, from what I
understand, the dak change which proved so contentious broke both
equally. (Whether Andreas's script counted packages signed with
debsigs as well as those signed with dpkg-sig, I don't know, as I don't
have access to it.)
I do think a feature comparison and compatibility matrix would be
useful to have, between dpkg-buildpackage/debsign (for signing .changes
and .dsc files), debsigs (for signing .deb files), dpkg-sig (for
signing and verifying .deb files) and debsig-verify (for verifying .deb
files). |
|
|
 |
Peter Samuelson *nix forums Guru Wannabe
Joined: 21 Feb 2005
Posts: 212
|
Posted: Wed Nov 23, 2005 9:10 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
[Goswin von Brederlow]
| Quote: | Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).
|
[Matthew Garrett]
| Quote: | The answer is "all of them", so this one's not very compelling.
|
What? All Ubuntu .deb files went through ftp-master.debian.org at some
point? I know you can't actually mean that. Hmmm, perhaps you meant
"none of them"? If so, that's an Ubuntu-specific answer, because even
if Ubuntu recompiles all packages, many Debian derivative distributions
do not.
Or did you mean signatures on individual debs are not useful for this
purpose since one could instead simply archive the Packages and Release
files for Debian unstable every day between one Ubuntu release and the
next? While possible, this has approximately the same absurdity factor
as asking users to subscribe to debian-devel-changes and keep enough
mail archives around to verify developer signatures *that* way. (Yes,
believe it or not, that has actually been proposed!) |
|
|
 |
Marc Haber *nix forums Guru
Joined: 20 Feb 2005
Posts: 646
|
Posted: Wed Nov 23, 2005 9:50 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, 23 Nov 2005 17:03:51 -0200, Henrique de Moraes Holschuh
<hmh@debian.org> wrote:
| Quote: | This doesn't mean that signed packages are useless, far from it.
|
They are useless at the moment. They cannot be uploaded.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Phone: *49 621 72739834 |
|
|
 |
Matt Zimmerman *nix forums Guru Wannabe
Joined: 12 Mar 2005
Posts: 198
|
Posted: Wed Nov 23, 2005 10:00 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
| Quote: | Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).
|
I know this is a contrived use case, but Ubuntu doesn't use any .debs from
Debian.
--
- mdz |
|
|
 |
Marc Haber *nix forums Guru
Joined: 20 Feb 2005
Posts: 646
|
Posted: Wed Nov 23, 2005 10:00 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, 23 Nov 2005 12:11:20 -0600, John Hasler <jhasler@debian.org>
wrote:
| Quote: | Marc Haber writes:
So, most of the DD's do not care about security at all.
I think that DD's do not use dpkg-sig and debsigs because they believe them
to be hard to use and not supported by the infrastructure or by policy.
|
dpkg-sig is hardly "hard to use". Even I learned how to use it in two
minutes from reading the man page. And I am known to be stupid.
People finding stuff like dpkg-sig and debsigs "hard to use" do not
care about security. Thanks for proving my point.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Phone: *49 621 72739834 |
|
|
 |
Marc Haber *nix forums Guru
Joined: 20 Feb 2005
Posts: 646
|
Posted: Wed Nov 23, 2005 10:00 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, 23 Nov 2005 12:09:34 -0600 (CST), Adam Heath
<doogie@debian.org> wrote:
| Quote: | There's been no push. No default. No message saying that it's acceptable and
wanted to sign debs.
|
So Debian doesn't care about security. If we did, we would have an
official message saying so. Why do we have the reputation of being so
secure?
| Quote: | Most people (not just DD) take the defaults, the easy way out. These numbers
will increase when the default is to sign.
|
Currently, it is not even an option to sign. Which is a severe
degradation compared to last week's state of affairs.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Phone: *49 621 72739834 |
|
|
 |