

Re: RFC: Proposal for signed packages



Let's do it that way. This is fully transparent for existing packages
and only requires Guy to change his moving stuff into the
distribution. We should generate a DEBIAN PGP signature and sign every
package with the private key. The public key can be stored in
/usr/doc/debian for verification. Future dpkg releases could check for
this signature.

On Tue, 11 Feb 1997, Enrique Zanardi wrote:

ezanardi >(Warning: This is not intended as a replacement for per-file md5sums. 
ezanardi >Each proposal addresses different (but related) problems.)
ezanardi >
ezanardi >Recently we have been discussing the convenience of having 
ezanardi >PGP-signed debian packages to prevent the installation of a
ezanardi >'virus' or a trojan. 
ezanardi >
ezanardi >At the end of this letter, I have attached two scripts that implement 
ezanardi >this, without breaking the compatibility with our current dpkg and 
ezanardi >related tools. There's no need to change our current tools, or
ezanardi >suddenly replace all of our packages to implement this proposal. 
ezanardi >dpkg will handle 'signed' packages as well as 'unsigned' ones.
ezanardi >
ezanardi >Also, there's no new procedure for the maintainers to build their
ezanardi >packages. They don't have to sign their packages. 
ezanardi >
ezanardi >Let me outline the problem first:
ezanardi >
ezanardi >The scenario is that of a compromised mirror site that carries a
ezanardi >trojanized version of one Debian package. Any unaware administrator
ezanardi >may download that and 'infect' his system without notice.
ezanardi >Of course, with the help of a per-file md5sums database he
ezanardi >will know the extent of the infection, and will know which
ezanardi >packages to reinstall, but this is not the best answer for
ezanardi >somebody who has to stop his mission-critical system for 
ezanardi >several hours while he checks, fetches and reinstalls.
ezanardi >It would be nice if he could check beforehand that the package he is 
ezanardi >going to install is the 'official' one. 
ezanardi >
ezanardi >This is the problem this proposal tries to solve.
ezanardi >
ezanardi >The proposal itself:
ezanardi >
ezanardi >- The Debian project should have a PGP key pair.
ezanardi >
ezanardi >- One Debian developer should be chosen to sign with that key every
ezanardi >new release of a package. (Perhaps Guy Maor, via his dinstall script?).
ezanardi >
ezanardi >- 'To sign a package', in this proposal, means to sign the 
ezanardi >control.tar.gz and data.tar.gz in the binary package, making a detached
ezanardi >signature that will be added to the package, in a way compatible
ezanardi >with the current format of binary packages. The new (signed) package
ezanardi >will be handled by the same tools we use now. No modification to
ezanardi >these tools will be required.
ezanardi >
ezanardi >- This signature would be easily extracted from the package, when
ezanardi >required to check the integrity of the package contents.
ezanardi >
ezanardi >This proposal has the advantage that the information to check
ezanardi >the integrity of the package is carried around with the package
ezanardi >so you don't have to search it elsewhere. For a typical PGP
ezanardi >key (1024 bytes) the size of the package is increased by only
ezanardi >212 bytes. Also, the administrator only has to trust the Debian
ezanardi >project public key, that may be obtained directly from www.debian.org
ezanardi >or with the distribution, and may carry more than 200 signatures
ezanardi >certifying its authenticity.
ezanardi >
ezanardi >And now the scripts. The first one is used to sign the package
ezanardi >and may be called from the dinstall script, to sign automatically
ezanardi >every new package installed in the distribution. It signs the
ezanardi >package with the userid defined in the variable MY_id.
ezanardi >
ezanardi >The second is used to check the integrity of a signed package.
ezanardi >It only checks that the signature in the package matches the
ezanardi >package contents. It does not verify (yet) the identity of
ezanardi >the signatory.  In its current incarnation it looks for Debian's 
ezanardi >public key in the file defined in the variable PUBRING.
ezanardi >
ezanardi >Any comments or criticism on this will be strongly appreciated.

--- +++ --- +++ --- +++ --- +++ --- +++ --- +++ --- +++ ---
Please always CC me when replying to posts on mailing lists.
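The shape of the proposal quoted above, as an added example that is not part of this thread and not the scripts attached to Enrique's message (which the archive page does not carry): a .deb is a plain ar archive, so a detached signature over control.tar.gz and data.tar.gz can be appended as one more ar member that existing tools simply do not look at, while a newer checker recomputes the signed message from the downloaded package and needs only the project's public key. Assumptions of this example: Ed25519 from Go's standard library stands in for PGP, the member name `_signature` is invented here, the two tar members are stand-in bytes rather than real tarballs, and length-framing the two members before signing is this example's choice (it keeps an attacker from moving bytes across the control/data boundary while leaving the concatenation unchanged).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"strconv"
)

// Extra ar member holding the detached signature (a name this example assumes).
const sigMember = "_signature"

type member struct{ name string; data []byte }

// writeAr emits the ar format a .deb uses: "!<arch>\n", then per member a
// 60-byte text header and the data, padded with "\n" to an even length.
func writeAr(ms []member) []byte {
	var b bytes.Buffer
	b.WriteString("!<arch>\n")
	for _, m := range ms {
		fmt.Fprintf(&b, "%-16s%-12d%-6d%-6d%-8s%-10d`\n", m.name, 0, 0, 0, "100644", len(m.data))
		b.Write(m.data)
		if len(m.data)%2 == 1 {
			b.WriteByte('\n')
		}
	}
	return b.Bytes()
}

// readAr walks the member headers; an unknown member is just another entry,
// which is why existing tools keep working once a signature member is added.
func readAr(ar []byte) ([]member, error) {
	if !bytes.HasPrefix(ar, []byte("!<arch>\n")) {
		return nil, errors.New("not an ar archive")
	}
	var ms []member
	for off := 8; off < len(ar); {
		if off+60 > len(ar) || string(ar[off+58:off+60]) != "`\n" {
			return nil, errors.New("bad or truncated member header")
		}
		size, err := strconv.Atoi(string(bytes.TrimSpace(ar[off+48 : off+58])))
		if err != nil || size < 0 || off+60+size > len(ar) {
			return nil, errors.New("bad member size")
		}
		ms = append(ms, member{string(bytes.TrimSpace(ar[off : off+16])), ar[off+60 : off+60+size]})
		off += 60 + size + size%2
	}
	return ms, nil
}

// contents parses a package and returns its members, the message the signature
// covers (control.tar.gz and data.tar.gz, length-framed so bytes cannot be
// shifted between the two members unnoticed) and the signature member, if any.
func contents(deb []byte) (ms []member, msg, sig []byte, err error) {
	if ms, err = readAr(deb); err != nil {
		return nil, nil, nil, err
	}
	byName := map[string][]byte{}
	for _, m := range ms {
		byName[m.name] = m.data
	}
	control, data := byName["control.tar.gz"], byName["data.tar.gz"]
	if control == nil || data == nil {
		return nil, nil, nil, errors.New("package lacks control.tar.gz or data.tar.gz")
	}
	msg = []byte(fmt.Sprintf("%d\n%d\n", len(control), len(data)))
	return ms, append(append(msg, control...), data...), byName[sigMember], nil
}

// signPackage appends a detached signature member to an unsigned package
// (the dinstall-side step in the proposal).
func signPackage(deb []byte, priv ed25519.PrivateKey) ([]byte, error) {
	ms, msg, _, err := contents(deb)
	if err != nil {
		return nil, err
	}
	return writeAr(append(ms, member{sigMember, ed25519.Sign(priv, msg)})), nil
}

// verifyPackage checks the embedded signature against the contents as
// downloaded; the verifier needs only the project's public key.
func verifyPackage(deb []byte, pub ed25519.PublicKey) error {
	_, msg, sig, err := contents(deb)
	if err != nil {
		return err
	}
	if sig == nil || !ed25519.Verify(pub, msg, sig) {
		return errors.New("package is unsigned or its signature does not match the contents")
	}
	return nil
}

// sampleDeb is a constructed, minimal unsigned package; the tar members are
// stand-in bytes rather than real gzip'd tarballs.
func sampleDeb() []byte {
	return writeAr([]member{
		{"debian-binary", []byte("2.0\n")},
		{"control.tar.gz", []byte("constructed control.tar.gz bytes")},
		{"data.tar.gz", []byte("constructed data.tar.gz bytes")},
	})
}
```

Two properties of the proposal are visible in the code: `readAr` on a signed package still yields `control.tar.gz` and `data.tar.gz` unchanged, so a tool that ignores unknown members keeps working, and a single changed byte in `data.tar.gz` (the trojanized-mirror case) makes `verifyPackage` fail even though the archive itself still parses. Note what is not covered: the signature is over the two tarballs only, as the proposal specifies, so the `debian-binary` member and the order of members are not protected by it.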