The debian-private mailing list leak, part 1.


RFC: Proposal for signed packages



(Warning: This is not intended as a replacement for per-file md5sums. 
Each proposal addresses different (but related) problems.)

Recently we have been discussing the convenience of having 
PGP-signed Debian packages to prevent the installation of a
'virus' or a trojan. 

At the end of this letter, I have attached two scripts that implement 
this, without breaking the compatibility with our current dpkg and 
related tools. There's no need to change our current tools, or
suddenly replace all of our packages to implement this proposal. 
dpkg will handle 'signed' packages as well as 'unsigned' ones.

Also, there's no new procedure for the maintainers to build their
packages. They don't have to sign their packages. 

Let me outline the problem first:

The scenario is that of a compromised mirror site that carries a
trojanized version of one Debian package. Any unaware administrator
may download that and 'infect' his system without noticing.
Of course, with the help of a per-file md5sums database he
will know the extent of the infection, and will know which
packages to reinstall, but this is not the best answer for
somebody who has to stop his mission-critical system for 
several hours while he checks, fetches and reinstalls.
It would be nice if he could check beforehand that the package he is 
going to install is the 'official' one. 

This is the problem this proposal tries to solve.

The proposal itself:

- The Debian project should have a PGP key pair.

- One Debian developer should be chosen to sign with that key every
new release of a package. (Perhaps Guy Maor, via his dinstall script?).

- 'To sign a package', in this proposal, means to sign the 
control.tar.gz and data.tar.gz in the binary package, making a detached
signature that will be added to the package, in a way compatible
with the current format of binary packages. The new (signed) package
will be handled by the same tools we use now. No modification to
these tools will be required.

- This signature would be easily extracted from the package, when
required to check the integrity of the package contents.

This proposal has the advantage that the information to check
the integrity of the package is carried around with the package,
so you don't have to search for it elsewhere. For a typical PGP
key (1024 bits) the size of the package is increased by only
212 bytes. Also, the administrator only has to trust the Debian
project public key, which may be obtained directly from www.debian.org
or with the distribution, and may carry more than 200 signatures
certifying its authenticity.

And now the scripts. The first one is used to sign the package
and may be called from the dinstall script, to sign automatically
every new package installed in the distribution. It signs the
package with the userid defined in the variable MY_id.

The second is used to check the integrity of a signed package.
It only checks that the signature in the package matches the
package contents. It does not verify (yet) the identity of
the signatory.  In its current incarnation it looks for Debian's 
public key in the file defined in the variable PUBRING.
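
The following is an added illustration of the mechanism described above (the proposal and the two scripts); it is not Enrique's attached sign-package.sh / check-signature.sh. A binary package is an `ar` archive, so the detached signature over control.tar.gz and data.tar.gz can simply be appended as one more archive member, which existing tools ignore. Assumptions: the extra member is called `_signature` (the name is mine), and HMAC-SHA256 stands in for the PGP detached signature so the example runs without a PGP keyring.

```python
import hmac
import hashlib

AR_MAGIC = b"!<arch>\n"
SIG_MEMBER = "_signature"  # assumed name for the appended signature member

def ar_member(name, body):
    """Encode one ar member: 60-byte header (name, mtime, uid, gid, mode,
    size, magic) followed by the body, padded to an even length."""
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(body)).ljust(10) + "`\n").encode()
    assert len(hdr) == 60
    return hdr + body + (b"\n" if len(body) % 2 else b"")

def ar_parse(blob):
    """Return the archive's members as a list of (name, bytes), in order."""
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        name, size = hdr[0:16].decode().rstrip(), int(hdr[48:58])
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)   # skip the pad byte on odd sizes
    return members

def build_deb(control_tgz, data_tgz):
    """Unsigned binary package layout: debian-binary, control, data."""
    return (AR_MAGIC + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", control_tgz)
            + ar_member("data.tar.gz", data_tgz))

def signed_payload(members):
    """Exactly what gets signed: control.tar.gz followed by data.tar.gz."""
    d = dict(members)
    return d["control.tar.gz"] + d["data.tar.gz"]

def sign_deb(deb, key):
    """Append the detached signature as a trailing member (HMAC stand-in)."""
    sig = hmac.new(key, signed_payload(ar_parse(deb)), hashlib.sha256).digest()
    return deb + ar_member(SIG_MEMBER, sig)

def check_signature(deb, key):
    """'unsigned' if no signature member, 'ok' if it matches, else 'BAD'."""
    members = ar_parse(deb)
    d = dict(members)
    if SIG_MEMBER not in d:
        return "unsigned"
    expected = hmac.new(key, signed_payload(members), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, d[SIG_MEMBER]) else "BAD"
```

The original three members come first and are byte-for-byte unchanged, which is why an unmodified dpkg still unpacks the signed package; the check only needs to read the trailing member.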

Any comments or criticism on this will be strongly appreciated.


--
Enrique Zanardi                                ezanardi@molec1.dfis.ull.es
Dpto. Fisica Fundamental y Experimental
Univ. de La Laguna

Attachment: sign-package.sh
Description: Bourne shell script

Attachment: check-signature.sh
Description: Bourne shell script