On Thu, Apr 29, 2010 at 10:40 AM, Allan McRae <allan@xxxxxxxxxxxxx> wrote:
> On 30/04/10 01:29, Thomas Bächler wrote:
>>
>> On 29.04.2010 00:36, Linas wrote:
>>>
>>> Thomas Bächler wrote:
>>>>
>>>> We must have a system that allows pacman to automatically verify new
>>>> developer keys and revoke old ones ... even more important, revoke them
>>>> in a way that signatures made before a certain date are still accepted,
>>>> but newer ones aren't.
>>>> I don't see this easily being implemented with PGP-Keys, but maybe
>>>> someone else knows more.
>>>>
>>>
>>> You can't trust a package made with a compromised key just because it
>>> looks old. That can be falsified.
>>> Packages not affected should be resigned by another developer / the new
>>> developer's key.
>>> I would still recompile them, though (without necessarily increasing
>>> the pkgrel).
>>
>> You are right, if the key has been compromised, you can easily include a
>> fake date. So upon revoking a key, all packages have to be re-signed.
>>
>> This shows again that this is not a topic you can just solve by throwing
>> some code at people. It needs a proper chain of trust and concepts to
>> cover all cases - otherwise, it might be possible to compromise the
>> system, giving users a false sense of security.
>
> Has anyone had a good look at the other implementations of package signing
> (Debian, Fedora, ...) and made a summary of how they handle it?

This is also a resource worth consulting:
http://www.cs.arizona.edu/stork/packagemanagersecurity/

-Dan
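The point Thomas and Linas make about backdated signatures, as an added example that is not part of this thread or of pacman: a toy verifier (HMAC stands in for a PGP signature; key ids, key material, revocation time and package contents are all constructed) showing why a date-gated revocation policy accepts a forgery made with the compromised key, while treating revocation as total and requiring a fresh signature from a trusted key does not.

```python
import hashlib
import hmac

# Constructed key material. HMAC stands in for a PGP signature only so that the
# example runs offline; the policy question is the same for asymmetric keys.
KEYS = {"dev-old": b"old-dev-key-material", "dev-new": b"new-dev-key-material"}
REVOKED_AT = 1272499200          # constructed: epoch seconds of the revocation
REVOKED = {"dev-old"}            # the compromised key

def sign(key_id, pkg, claimed_time):
    """The signer picks claimed_time; it sits inside the signed data, so whoever
    holds the key can put any date there, including one before the revocation."""
    msg = claimed_time.to_bytes(8, "big") + pkg
    mac = hmac.new(KEYS[key_id], msg, hashlib.sha256).hexdigest()
    return {"key": key_id, "time": claimed_time, "mac": mac}

def sig_ok(pkg, sig):
    """Cryptographic check only: is this a genuine signature by the named key?"""
    if sig["key"] not in KEYS:
        return False
    msg = sig["time"].to_bytes(8, "big") + pkg
    expect = hmac.new(KEYS[sig["key"]], msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, sig["mac"])

def naive_verify(pkg, sig):
    """Date-gated revocation: signatures 'made before' the revocation stay valid."""
    if not sig_ok(pkg, sig):
        return False
    return sig["key"] not in REVOKED or sig["time"] < REVOKED_AT

def strict_verify(pkg, sigs):
    """Revocation invalidates every signature by that key; the package needs a
    valid signature from a key that is currently trusted (it has been re-signed)."""
    return any(s["key"] not in REVOKED and sig_ok(pkg, s) for s in sigs)

def demo():
    good_pkg = b"example-1.0-1-x86_64.pkg.tar.xz (constructed contents)"
    bad_pkg = b"example-1.0-1-x86_64.pkg.tar.xz (tampered, constructed)"
    # Holder of the compromised key simply backdates the signature by a day.
    forged = sign("dev-old", bad_pkg, REVOKED_AT - 86400)
    # The unaffected package was signed a month earlier and is re-signed by
    # another developer after the revocation.
    old_sig = sign("dev-old", good_pkg, REVOKED_AT - 86400 * 30)
    resigned = sign("dev-new", good_pkg, REVOKED_AT + 3600)
    return {
        "naive_accepts_forgery": naive_verify(bad_pkg, forged),            # True
        "strict_accepts_forgery": strict_verify(bad_pkg, [forged]),        # False
        "strict_accepts_unresigned": strict_verify(good_pkg, [old_sig]),   # False
        "strict_accepts_resigned": strict_verify(good_pkg, [old_sig, resigned]),  # True
    }
```

The first result is the gap the thread describes: the verifier cannot distinguish a signature that really predates the compromise from one that merely claims to, so the only safe reading of a revocation is "nothing this key signed is trusted until re-signed".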