dpkg-sig support wanted?

Marc Haber
Posted: Wed Nov 23, 2005 10:00 pm    Post subject: Re: dpkg-sig support wanted?

On Wed, 23 Nov 2005 12:58:12 -0500, Erinn Clark
<erinn@double-helix.org> wrote:
Quote:
* Marc Haber <mh+debian-devel@zugschlus.de> [2005:11:23 18:40 +0100]:
On Wed, 23 Nov 2005 17:34:41 +0100, Jeroen van Wolffelaar
Just to provide some statistics about dpkg-sig usage, as I got curious
about it too:

In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].

So, most of the DD's do not care about security at all. Why does
Debian have a reputation of being so secure?

Yet just today you filed a bug (#340403) for documentation to be
included in the package since you were unable to explain dpkg-sig's
strengths.

The requested documentation is available online, and I have had the
opportunity to talk to dpkg-sig's authors and independent security
people about its advantages.

Quote:
How is it possible for you to claim something is more secure
when you don't understand it well enough to say how it's different?

Well, even if I know naught about it, it looks to me that having
something signed is better than having the same something not signed.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Phone: *49 621 72739834

Marc 'HE' Brockschmidt
Posted: Wed Nov 23, 2005 10:30 pm    Post subject: Re: dpkg-sig support wanted?

Jeroen van Wolffelaar <jeroen@wolffelaar.nl> writes:
Quote:
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's a bit more satisfying (== non-Debian stuff). As the ftp-masters
and the dpkg maintainers seem to have no interest in the whole thing,
I'm beginning to doubt that it's sensible to work on dpkg-sig.
Just to provide some statistics about dpkg-sig usage, as I got curious
about it too:

In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%).

Of these 283283 debs, only ~1/9 (1 of 11 archs - packages that are
arch: all, that's only an assumption, correct me if I'm wrong) are
directly uploaded by developers. About 1/4 of the pool should be woody
packages (which was released before dpkg-sig). So we get 283283 * 1/9 *
3/4, which gives us about 23606 packages, which means that 525 are about
2.25%. Regarding the fact that dpkg-sig is not actively advertised
because support in dak and dpkg is still missing, that's not *too* bad.

Marc
--
Computer science terms - simply explained
25: Multithreaded
We had to draw a flowchart to debug it. (Kristian Köhntopp)

John Hasler
Posted: Wed Nov 23, 2005 10:40 pm    Post subject: Re: dpkg-sig support wanted?

I wrote:
Quote:
I think that DD's do not use dpkg-sig and debsigs because they believe
them to be hard to use and not supported by the infrastructure or by
policy.

Marc Haber writes:
Quote:
dpkg-sig is hardly "hard to use".

Please re-read what I wrote.
--
John Hasler


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Stefano Zacchiroli
Posted: Wed Nov 23, 2005 11:00 pm    Post subject: Re: dpkg-sig support wanted?

On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
Quote:
I'd like to know if anyone cares about using these binary signatures

Before your mail I was completely unaware of the existence of dpkg-sig.
Now that I know it, I care about it and would like to start uploading my
packages dpkg-sig-ed (being it possible!).

I hope the current setting will be fixed soon and I will file a
wishlist bug report against debuild to support dpkg-sig side by side
with debuild.

Cheers.

--
Stefano Zacchiroli -*- Computer Science PhD student @ Uny Bologna, Italy
zack@{cs.unibo.it,debian.org,bononia.it} -%- http://www.bononia.it/zack/
If there's any real truth it's that the entire multidimensional infinity
of the Universe is almost certainly being run by a bunch of maniacs. -!-

Alexander Schmehl
Posted: Wed Nov 23, 2005 11:10 pm    Post subject: Re: dpkg-sig support wanted?

* John Hasler <jhasler@debian.org> [051123 19:11]:
Quote:
So, most of the DD's do not care about security at all.
I think that DD's do not use dpkg-sig and debsigs because they believe them
to be hard to use and not supported by the infrastructure or by policy.

... or not even know about them. I haven't heard about HE mentioned
them.


Yours sincerely,
Alexander

--
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html

Matthew Garrett
Posted: Wed Nov 23, 2005 11:10 pm    Post subject: Re: dpkg-sig support wanted?

Peter Samuelson <peter@p12n.org> wrote:
Quote:
[Goswin von Brederlow]
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).

[Matthew Garrett]
The answer is "all of them", so this one's not very compelling.

[Someone with a horrid, horrid quoting style]

Quote:
What? All Ubuntu .deb files went through ftp-master.debian.org at some
point? I know you can't actually mean that. Hmmm, perhaps you meant
"none of them"? If so, that's an Ubuntu-specific answer, because even
if Ubuntu recompiles all packages, many Debian derivative distributions
do not.

I was unclear. All of them are recompiled.

--
Matthew Garrett | mjg59-chiark.mail.debian.devel@srcf.ucam.org


Goswin von Brederlow
Posted: Wed Nov 23, 2005 11:50 pm    Post subject: Re: dpkg-sig support wanted?

Matt Zimmerman <mdz@debian.org> writes:

Quote:
On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled

Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).

I know this is a contrived use case, but Ubuntu doesn't use any .debs from
Debian.

One could prove that. :) There are tons of debian spin offs out there
and a lot will use Debian's debs, especially CDD disks. So I still
stand by that use.

Regards
Goswin


Matthew Palmer
Posted: Wed Nov 23, 2005 11:50 pm    Post subject: Re: dpkg-sig support wanted?

On Thu, Nov 24, 2005 at 02:08:17AM +1000, Anthony Towns wrote:
Quote:
On Wed, Nov 23, 2005 at 11:33:47AM +0100, Florian Weimer wrote:
* Marc Brockschmidt:
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the binary version and the compressed control and data
tarballs. This means that signed binary packages are rejected.
This is a pity. I think dpkg-sig is an important step into the right
direction: providing more assurances about package integrity to our
users.

Personally, I think it's cryptographic snake oil, at least in so far
as it relates to Debian. I remain interested in seeing any realistic
demonstration of how a Debian user could reasonably rely on them for
any practical assurance.

Are you, perchance, interpreting "user" in Florian's message a little too
strictly? I consider myself a user of Debian, as well as a contributor, and
I can see a couple of uses for signed binary packages for my own purposes
(as well as uses for Debian itself).

Maybe I'm raising a too-long-ago-for-my-recollection flamewar, but I can
think of the following scenarios (not all of them strictly-Debian, though).
I'd be interested in explanations (or pointers to previous discussions)
discrediting them, so I can be properly enlightened.

1) A signature added by the "originator" of a particular binary package (the
buildds, typically, within Debian) could provide some identification of the
true origin of a binary package. If a buildd were to be deemed to be
compromised, all packages signed with that buildd's key could be turfed and
rebuilt. (Note that I'm not suggesting using buildd keys as a "this package
is OK for the archive" check, see my comments below).

2) A signature from dinstall saying "this package was installed in the
Debian archive" would provide a means of automatic "assurance" of the source
of a binary package, when I'm putting together custom CDs or package repos.

3) I can verify the provenance of a particular package in my own custom
repos at any time (did that come from Debian? Did someone build it
internally? What's going on?) I can kinda-sorta do that if I manually sign
each binary package I download & verify against the Packages->Release chain
with a special "came from Debian" key, and I can verify the source of the
source (heh) package via the dsc signature, but having a complete "chain of
custody" on a binary package seems like a "nice" thing to have.

Maybe that's the snake-oil you speak of, aj -- it gives me the warm fuzzies
to be able to look at a long list of signatures and say "hmm, that looks
secure" when it shouldn't be making me anywhere near as fuzzy.

At the very least, though, I can't find a hole which makes binary package
signatures, done properly, any less secure than per-archive signing. Is your
objection to binary-package signing that it is "no better" than archive
signing, or that it is actively *worse* than per-archive signing (again, if
both are done "properly", whatever we may define that to mean).

One scenario, which initially seems compelling, but which I've since
rejected, is that of "offline signing" of binary packages -- the idea that
the archive can be authenticated via signatures applied to packages before
they hit the archive. The benefit suggested there is that offline signing
is more secure than leaving the Release.gpg private key somewhere it can
theoretically be stolen and used to sign bogus release files. The problem
is that, in general, no automatic signing key is any more secure than any
other. In addition, if (for eg) every buildd had its own automatic key,
and that was sufficient for admission to the archive and for checking
archive integrity, then you've got less security because there's N keys,
spread across a range of machines, any of which can do the job of letting a
package into the archive.

- Matt
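
The dak change quoted at the top of the post above (rejecting packages with more than 3 parts) comes down to counting the members of the .deb's ar archive. The following is an added example, not part of the thread and not dak's or dpkg-sig's code; the function names are hypothetical, the sample archives are constructed, and the `_gpgbuilder` member name and `_gpg` prefix are assumptions about how a signature member is named.

```python
import io

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name 16, mtime 12, uid 6, gid 6, mode 8, size 10, magic 2


def ar_members(blob):
    """Return [(name, size)] for every member of an ar archive held in bytes."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = header[:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        if pos + HEADER_LEN + size > len(blob):
            raise ValueError(f"member {name!r} is truncated")
        members.append((name, size))
        pos += HEADER_LEN + size + (size & 1)  # member data is padded to even length
    return members


def check_deb(blob):
    """Model the rule as stated in the thread; this is not dak's implementation."""
    names = [name for name, _ in ar_members(blob)]
    return {
        "members": names,
        # Assumption: signature members are recognised by a "_gpg" name prefix.
        "signature_members": [n for n in names if n.startswith("_gpg")],
        # "not accept packages that include more than 3 parts"
        "passes_three_part_rule": len(names) <= 3,
    }


def make_ar(members):
    """Build a minimal ar archive from (name, data) pairs for the samples below."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        fields = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}"
        out.write(fields.encode("ascii") + b"`\n" + data)
        if len(data) % 2:
            out.write(b"\n")
    return out.getvalue()


# Constructed sample packages: the payloads are placeholders, not real tarballs.
BASE = [
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"<constructed>"),          # odd length, exercises padding
    ("data.tar.gz", b"<constructed payload>"),
]
UNSIGNED_DEB = make_ar(BASE)
SIGNED_DEB = make_ar(BASE + [("_gpgbuilder", b"<constructed signature block>")])

if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED_DEB), ("signed", SIGNED_DEB)):
        print(label, check_deb(blob))
```

The fourth member is the only difference between the two samples, which is why a member-count check rejects every signed package regardless of whether its signature is valid.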


Goswin von Brederlow
Posted: Wed Nov 23, 2005 11:50 pm    Post subject: Re: dpkg-sig support wanted?

Stefano Zacchiroli <zack@debian.org> writes:

Quote:
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
I'd like to know if anyone cares about using these binary signatures

Before your mail I was completely unaware of the existence of dpkg-sig.
Now that I know it, I care about it and would like to start uploading my
packages dpkg-sig-ed (being it possible!).

I hope the current setting will be fixed soon and I will file a
wishlist bug report against debuild to support dpkg-sig side by side
with debuild.

Cheers.

Please file that against debsign which debuild uses.

Regards
Goswin


Goswin von Brederlow
Posted: Wed Nov 23, 2005 11:50 pm    Post subject: Re: dpkg-sig support wanted?

Marc 'HE' Brockschmidt <he@debian.org> writes:

Quote:
Jeroen van Wolffelaar <jeroen@wolffelaar.nl> writes:
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's a bit more satisfying (== non-Debian stuff). As the ftp-masters
and the dpkg maintainers seem to have no interest in the whole thing,
I'm beginning to doubt that it's sensible to work on dpkg-sig.
Just to provide some statistics about dpkg-sig usage, as I got curious
about it too:

In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%).

Of these 283283 debs, only ~1/9 (1 of 11 archs - packages that are
arch: all, that's only an assumption, correct me if I'm wrong) are
directly uploaded by developers. About 1/4 of the pool should be woody
packages (which was released before dpkg-sig). So we get 283283 * 1/9 *
3/4, which gives us about 23606 packages, which means that 525 are about
2.25%. Regarding the fact that dpkg-sig is not actively advertised
because support in dak and dpkg is still missing, that's not *too* bad.

Marc

Subtract all sarge debs as signed debs were unwanted for that in fear
of some unknown breakage. Further subtract all packages without upload
since sarge.

Gosh, the percentage keeps on rising. :)

Regards
Goswin


Marc 'HE' Brockschmidt
Posted: Thu Nov 24, 2005 12:00 am    Post subject: Re: dpkg-sig support wanted?

Stefano Zacchiroli <zack@debian.org> writes:
[...]
Quote:
I will file a wishlist bug report against debuild to support dpkg-sig
side by side with debuild.

There is already #247825. #247824 is the wishlist bug for
dpkg-buildpackage support.

Marc
--
BOFH #105:#247824
UPS interrupted the server's power

Steve Langasek
Posted: Thu Nov 24, 2005 12:10 am    Post subject: Re: dpkg-sig support wanted?

On Wed, Nov 23, 2005 at 10:52:52PM +0100, Marc Haber wrote:
Quote:
On Wed, 23 Nov 2005 12:09:34 -0600 (CST), Adam Heath
<doogie@debian.org> wrote:
There's been no push. No default. No message saying that it's acceptable and
wanted to sign debs.

So Debian doesn't care about security. If we did, we would have an
official message saying so. Why do we have the reputation of being so
secure?

It's an elaborate hoax we put together in order to see how you would react
when you found out it wasn't true.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/

Thiemo Seufer
Posted: Thu Nov 24, 2005 1:30 am    Post subject: Re: dpkg-sig support wanted?

Marc Haber wrote:
[snip]
Quote:
How is it possible for you to claim something is more secure
when you don't understand it well enough to say how it's different?

Well, even if I know naught about it, it looks to me that having
something signed is better than having the same something not signed.

Sorry, but that's a snake oil rationale.


Thiemo


Brian May
Posted: Thu Nov 24, 2005 2:20 am    Post subject: Re: dpkg-sig support wanted?

Quote:
"Marc" == Marc 'HE' Brockschmidt <he@debian.org> writes:

Marc> Brian May <bam@debian.org> writes:
Quote:
I've never seen dpkg-sig mentioned before, only debsigs,
so I'm not familiar with the tool itself, but the concept
is one that needs a lot more exposure.
I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?

Marc> No. dpkg-sig is a completely independent application (though
Marc> some ideas were taken from debsigs)

So, can I conclude we should use dpkg-sig and not debsigs?

The reason I haven't uploaded my packages using something like this
is:

* last time I tried, it got rejected, I didn't know the situation has
changed.

* confusion over which system to use.

* Not integrated with dpkg-buildpackage, debsign, autobuilders, or dak
yet.
--
Brian May <bam@debian.org>


Anthony Towns
Posted: Thu Nov 24, 2005 2:40 am    Post subject: Re: dpkg-sig support wanted?

On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
Quote:
Use 1: I have this deb in my apt-move mirror and I want to know if it
was compromised on yesterday's break-in
Boot a clean system with debian keyring and check all deb
signatures.

Find some don't pass because they were signed with keys that have been
removed from the keyring.

Quote:
Use 2: I have this Ubuntu CD and want to know which debs are from
debian and which got recompiled
Look for all debs that have a deb signature of the debian archive
(to be added to dinstall at some point).

Never to be added, because it would change the .deb from that which was
originally uploaded, for no benefit.

Quote:
Use 3: The debian servers were compromised and the security team takes
too long to check the archive for my taste
Being a normal user I obviously have no mail archive of all the
old changes files laying around so that road is closed. But everyone
has a Debian stable CD with keyring. See Use 1.

And see why it doesn't work. Not to mention keys added since stable
released, and packages uploaded by those maintainers.

More than just keys removed from the keyring, there's the issue of keys
being compromised -- it's not even unknown for developers to post secret
keys to mailing lists -- the issue that a package that's once been in the
archive may well by now have known security holes (which is why we have
security.debian.org after all), and that this is entirely moot anyway
since the vast majority of packages can't be verified by dpkg-sig.

Quote:
buildd.debian.org gives full logs, to developers or users.
While the log contains the md5sum of each build deb it does not
contain any signature against tampering.

No, that's what the signed .changes file is for.

Quote:
Tampered debs can be uploaded by sending a fake mail to the admin and
filtering out his response. A deb signature of the buildd and a
subsequent dak check would prevent this.

So would having the buildd sign the mails to the buildd admin, which would
have the benefit of not giving a couple of dozen completely untrustworthy
keys special access to the archive. (AIUI, signed mails to the admin are
on the TODO list; at present buildds don't have keys of their own at all)

Quote:
something that provides DD-to-user package signatures at least in some
cases is very desirable indeed.
debian-devel-changes provides this.
That covers only the sourceful uploads and the arch specific -changes
lists are not archived and therefore useless for non constant
monitoring.

Far easier to fix that, than retrofit 150G of debs to a flawed and
redundant scheme like this.

Cheers,
aj