Re: Package signing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 30/04/10 01:29, Thomas Bächler wrote:
Am 29.04.2010 00:36, schrieb Linas:
Thomas Bächler wrote:
We must have a system that allows pacman to automatically verify new
developer keys and revoke old ones ... even more important, revoke them
in a way that signatures made before a certain date are still accepted,
but newer ones aren't.
I don't see this easily being implemented with PGP-Keys, but maybe
someone else knows more.


You can't trust a package made with a compromised key just because it
looks old. That can be falsified.
Packages not affected should be resigned by another developer / the new
developers key.
I would still recompile them, though (withouth necessarily increasing
the pkgrel).

You are right, if the key has been compromised, you can easily include a
fake date. So upon revoking a key, all packages have to be re-signed.

This shows again that this is not a topic you can just solve by throwing
some code at people. It needs a proper chain of trust and concepts to
cover all cases - otherwise, it might be possible to compromise the
system, giving users a false sense of security.

Has anyone had a good look at the other implementations of package signing (Debian, Fedora, ...) and made a summary of how they handle it?



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux