| Author |
Message |
Marc 'HE' Brockschmidt
*nix forums beginner
Joined: 07 Apr 2005
Posts: 40
|
 Posted: Tue Nov 22, 2005 5:24 pm Post subject:
dpkg-sig support wanted?
|
|
|
Heya,
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the binary version and the compressed control and data
tarballs. This means that signed binary packages are rejected.
This is not the first time that this change to the dak scripts was
activated. We had this problem for a few days some months ago, but the
change was reverted. There was no discussion about this issue (and why
signed binary packages need to be rejected) since then. There was no
warning or indication that this check would be activated again in the
last week.
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's a bit more satisfying (== non-Debian stuff). As the ftp-masters
and the dpkg maintainers seem to have no interest in the whole thing,
I'm beginning to doubt that it's sensible to work on dpkg-sig.
Marc
--
Fachbegriffe der Informatik - Einfach erklärt
138: OSPF
One Single Point of Failure (Pascal Gienger) |
|
| Back to top |
|
 |
James Vega
*nix forums beginner
Joined: 21 May 2005
Posts: 16
|
| Posted: Tue Nov 22, 2005 5:24 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Tue, Nov 22, 2005 at 05:41:05PM +0100, Petter Reinholdtsen wrote:
| Quote: |
[Marc 'HE' Brockschmidt]
I'd like to know if anyone cares about using these binary signatures
I can not really say if I care or not, as I do not really know what
these binary signatures are. Care to send URL to pages explaining the
topic?
|
As per 'apt-cache show dpkg-sig':
Website is http://dpkg-sig.turmzimmer.net/
James
--
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@jamessan.com> |
|
| Back to top |
|
|
Petter Reinholdtsen
*nix forums Guru Wannabe
Joined: 20 Feb 2005
Posts: 188
|
| Posted: Tue Nov 22, 2005 5:24 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
[Marc 'HE' Brockschmidt]
| Quote: | I'd like to know if anyone cares about using these binary signatures
|
I can not really say if I care or not, as I do not really know what
these binary signatures are. Care to send URL to pages explaining the
topic?
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
|
| Back to top |
|
|
martin f krafft
*nix forums Guru
Joined: 01 Mar 2005
Posts: 360
|
| Posted: Tue Nov 22, 2005 6:10 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
also sprach Marc 'HE' Brockschmidt <he@debian.org> [2005.11.22.1650 +0100]:
| Quote: | As I'm responsible for most of dpkg-sig's code (and planned to do
some more work in the next two months) I'd like to know if anyone
cares about using these binary signatures or if I can invest my
time into something that's a bit more satisfying (== non-Debian
stuff). As the ftp-masters and the dpkg maintainers seem to have
no interest in the whole thing, I'm beginning to doubt that it's
sensible to work on dpkg-sig.
|
I fully support dpkg-sig and do not appreciate having to hear that
a decision was made without the giving the collective of developers
a chance to voice their opinions before.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer and author: http://debiansystem.info
`. `'`
`- Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
"man soll nicht in kirchen gehn, wenn man reine luft atmen will."
- friedrich nietzsche |
|
| Back to top |
|
|
John Hasler
*nix forums Guru
Joined: 20 Feb 2005
Posts: 687
|
| Posted: Tue Nov 22, 2005 6:11 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
Marc 'HE' Brockschmidt writes:
| Quote: | I'd like to know if anyone cares about using these binary signatures
|
I do.
--
John Hasler
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
|
| Back to top |
|
|
Matthew Palmer
*nix forums Guru Wannabe
Joined: 20 Feb 2005
Posts: 146
|
| Posted: Tue Nov 22, 2005 10:30 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
| Quote: | As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's a bit more satisfying (== non-Debian stuff).
|
I'm keenly interested in per-package signatures for Debian packages -- I
think they're a great idea and it's a pity that they haven't received more
interest.
I've never seen dpkg-sig mentioned before, only debsigs, so I'm not familiar
with the tool itself, but the concept is one that needs a lot more exposure.
- Matt |
|
| Back to top |
|
|
Brian May
*nix forums Guru Wannabe
Joined: 27 Feb 2005
Posts: 109
|
| Posted: Tue Nov 22, 2005 11:50 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
| Quote: | "Matthew" == Matthew Palmer <mpalmer@debian.org> writes:
|
Matthew> I'm keenly interested in per-package signatures for
Matthew> Debian packages -- I think they're a great idea and it's
Matthew> a pity that they haven't received more interest.
Same here.
I would really like to see all packages signed, not just the source
code and not just the archive (if any) they came from.
I see advantages:
* ability to check downloaded binary package even if it no longer
exists in latest archive.
* ability to trace the source of a binary package in a secure way,
whether it was built by a maintainer, automatically built by an
autobuilder (which one?), or built by some 3rd party.
yes - I realize some people consider automatic signing by an
autobuilder to be "insecure" - however I think it is more secure
then not having any signature - when deciding on how much you trust
it you need to take into account the source. Besides, I believe the
archive is already signed automatically anyway.
* this can occur without trying to look up the *.changes file
(assuming it still exists - for packages never uploaded to Debian,
maybe not).
* others I am too lazy to think of.
Matthew> I've never seen dpkg-sig mentioned before, only debsigs,
Matthew> so I'm not familiar with the tool itself, but the concept
Matthew> is one that needs a lot more exposure.
I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?
--
Brian May <bam@debian.org>
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
|
| Back to top |
|
|
Marc 'HE' Brockschmidt
*nix forums beginner
Joined: 07 Apr 2005
Posts: 40
|
| Posted: Wed Nov 23, 2005 12:00 am Post subject:
Re: dpkg-sig support wanted?
|
|
|
Heya,
After discussing this in IRC, we agreed that I give a short overview
about the important stuff. As I'm quite lazy, I'm quoting James Troup
for the history bits:
<elmo> was written for Ubuntu, specifically because they were activating
data.tar.bz2 support in debs. as a side effect it also enforced
certain constraints on the layout of .ars simply becuase of the way the
code was written. this was tested on everything in ubuntu and didn't
trip anything. the code got ported to Debian shortly before the
release of sarge
<elmo> at that point, it became apparent it broke dpkg-sig signed debs.
after various conversations, I disabled the check, because amongst
other things making changes like that just prior to release probably
wasn't clever. however, I didn't sufficently comment WHY the check was
deactivated in the code, I just said "till sarge is released" or
similar
<elmo> which is my bad, and I apologize. in any event, sarge has
obviously been and gone, and the check got re-enabled as part of a
cleanup of the code on sphor vs. cvs.
Today, some people ranted in IRC about the fact that packages with
binary signatures were rejected again. As I believed that someone
activated these checks while knowing that they break packages with
binary signatures, I was pretty pissed off. I remembered the comment to
be something like "breaks dpkg-sig, deactivated for now", but the CVS [1]
shows that was wrong. Anyway, I want to apologize for carrying this to
-devel directly.
OK, now to the good parts: Joerg Jaspert planned to provide a better
version of the problematic check anyway (also validating the binary
signatures) and will try to finish them as soon as possible. I'll try to
be useful in respect to that, at least as useful as I can be. And now
we're all happy again. Yay!
Marc
Footnotes:
[1] http://cvs.debian.org/dak/jennifer?root=dak&r1=1.56&r2=1.57
--
BOFH #139:
UBNC (user brain not connected) |
|
| Back to top |
|
|
Marc 'HE' Brockschmidt
*nix forums beginner
Joined: 07 Apr 2005
Posts: 40
|
| Posted: Wed Nov 23, 2005 12:20 am Post subject:
Re: dpkg-sig support wanted?
|
|
|
Brian May <bam@debian.org> writes:
| Quote: | I've never seen dpkg-sig mentioned before, only debsigs,
so I'm not familiar with the tool itself, but the concept
is one that needs a lot more exposure.
I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?
|
No. dpkg-sig is a completly independent application (though some ideas
were taken from debsigs)
Marc
--
Fachbegriffe der Informatik - Einfach erklärt (120: INN 2.x)
INN 2.x ist wie Fertig-Spaghetti aus der Tüte. Schmeckt lecker und ist im
Grunde ganz einfach zuzubereiten. Trotzdem muß man ständig umrühren,
damit's nicht anbrennt. (Andreas M. Kirchwitz) |
|
| Back to top |
|
|
Matthew Palmer
*nix forums Guru Wannabe
Joined: 20 Feb 2005
Posts: 146
|
| Posted: Wed Nov 23, 2005 4:20 am Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, Nov 23, 2005 at 10:29:32AM +1100, Brian May wrote:
| Quote: | I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?
|
As Mark said, it's not a name change. The FAQ on the dpkg-sig site
(http://dpkg-sig.turmzimmer.net/) has more info.
- Matt
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
|
| Back to top |
|
|
Florian Weimer
*nix forums Guru
Joined: 19 Feb 2005
Posts: 418
|
| Posted: Wed Nov 23, 2005 10:40 am Post subject:
Re: dpkg-sig support wanted?
|
|
|
* Marc Brockschmidt:
| Quote: | Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the binary version and the compressed control and data
tarballs. This means that signed binary packages are rejected.
|
This is a pity. I think dpkg-sig is an important step into the right
direction: providing more assurances about package integrity to our
users.
I'm confused about the status of the dak change, though. The dak
mirror on merkel does not show any modifiations of the jennifer script
since May 31. The diff at
<http://cvs.debian.org/dak/jennifer?root=dak&r1=1.56&r2=1.57> shows
that the additional check was *removed*, not *added* more than a week
ago. Therefore, the dak CVS does not reflect what's actually in
production use.
Since there is no way for Debian Developers to review the way Debian
packages are created (and it's totally out of question for end users),
something that provides DD-to-user package signatures at least in some
cases is very desirable indeed.
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
|
| Back to top |
|
|
Anthony Towns
*nix forums Guru Wannabe
Joined: 06 Mar 2005
Posts: 274
|
| Posted: Wed Nov 23, 2005 4:20 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, Nov 23, 2005 at 11:33:47AM +0100, Florian Weimer wrote:
| Quote: | * Marc Brockschmidt:
Today (or last night, whatever), the dak installation on ftp-master was
changed to not accept packages that include more than 3 parts, which are
usually the binary version and the compressed control and data
tarballs. This means that signed binary packages are rejected.
This is a pity. I think dpkg-sig is an important step into the right
direction: providing more assurances about package integrity to our
users.
|
Personally, I think it's cryptographic snake oil, at least in so far
as it relates to Debian. I remain interested in seeing any realistic
demonstration of how a Debian user could reasonably rely on them for
any practical assurance.
Yes; CVS was corrupted in May and hadn't been updated 'til the other
week. http://azure.humbug.org.au/~aj/blog/2005/11/16#2005-11-16-dak
| Quote: | Since there is no way for Debian Developers to review the way Debian
packages are created (and it's totally out of question for end users),
|
buildd.debian.org gives full logs, to developers or users.
| Quote: | something that provides DD-to-user package signatures at least in some
cases is very desirable indeed.
|
debian-devel-changes provides this.
Cheers,
aj |
|
| Back to top |
|
|
Jeroen van Wolffelaar
*nix forums Guru Wannabe
Joined: 06 Mar 2005
Posts: 144
|
| Posted: Wed Nov 23, 2005 4:40 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
| Quote: | As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's a bit more satisfying (== non-Debian stuff). As the ftp-masters
and the dpkg maintainers seem to have no interest in the whole thing,
I'm beginning to doubt that it's sensible to work on dpkg-sig.
|
Just to provide some statistics about dpkg-sig usage, as I got curious
about it too:
In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].
I'm not going to interpret these numbers, as it's close to impossible to
do so objectively.
--Jeroen
[1] Interested DD's can look into merkel:~jeroen/dpkg-sig how I got these
numbers
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
|
| Back to top |
|
|
Marc Haber
*nix forums Guru
Joined: 20 Feb 2005
Posts: 646
|
| Posted: Wed Nov 23, 2005 5:50 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
On Wed, 23 Nov 2005 17:34:41 +0100, Jeroen van Wolffelaar
<jeroen@wolffelaar.nl> wrote:
| Quote: | On Tue, Nov 22, 2005 at 04:50:02PM +0100, Marc 'HE' Brockschmidt wrote:
As I'm responsible for most of dpkg-sig's code (and planned to do some
more work in the next two months) I'd like to know if anyone cares about
using these binary signatures or if I can invest my time into something
that's a bit more satisfying (== non-Debian stuff). As the ftp-masters
and the dpkg maintainers seem to have no interest in the whole thing,
I'm beginning to doubt that it's sensible to work on dpkg-sig.
Just to provide some statistics about dpkg-sig usage, as I got curious
about it too:
In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].
|
So, most of the DD's do not care about security at all. Why does
Debian have a reputation of being so secure?
Otoh, what does the project gain by making 0.19 % of our debs in the
archive less secure than they are now? Are we that damager driven that
we deliberately reduce our security just to gain an uniform level?
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834 |
|
| Back to top |
|
|
Erinn Clark
*nix forums beginner
Joined: 24 Sep 2005
Posts: 17
|
| Posted: Wed Nov 23, 2005 6:00 pm Post subject:
Re: dpkg-sig support wanted?
|
|
|
* Marc Haber <mh+debian-devel@zugschlus.de> [2005:11:23 18:40 +0100]:
| Quote: | On Wed, 23 Nov 2005 17:34:41 +0100, Jeroen van Wolffelaar
Just to provide some statistics about dpkg-sig usage, as I got curious
about it too:
In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
are 8 distinct keys used for those 525 .deb's, seven of which correspond
to DD's[1].
So, most of the DD's do not care about security at all. Why does
Debian have a reputation of being so secure?
|
Yet just today you filed a bug (#340403) for documentation to be
included in the package since you were unable to explain dpkg-sig's
strengths. How is it possible for you to claim something is more secure
when you don't understand it well enough to say how it's different?
--
off the chain like a rebellious guanine nucleotide
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
|
| Back to top |
|
|
Google
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
Forum index
»
*nix
»
Linux
»
Distributions
»
Debian
»
devel
