Marc Ballarin writes:

> If a distributor promises package integrity through
> signatures, they are lying.

The signature doesn't promise that the package is "correct"
in any sense of the word, but it guarantees that it is the
same package Gentoo intended to distribute.

If you don't see how that improves security, then I frankly
don't know what else to say.

> This might work for glibc (Don't know, really.). But it
> certainly won't work for many other packages.

Again, this problem is not about glibc, it is about making
sure that data is distributed unmodified. I trust the Gentoo
developers to take care that the software they package up is
as secure as it can be. But I don't trust the Internet to
give me the same package that the Gentoo developers uploaded
to the main server.

> My point being: Manipulations can be subtle

Manipulations are impossible if the package is signed.

> If you use signatures to verify a package, you have to
> understand exactly what guarantees are given.

I do.

> The package or ebuild is identical to the version the
> Gentoo developer signed, provided that his workstation
> has not been compromised.

> Nothing else is guaranteed.

Then let's guarantee that and work from there, because
without that guarantee every other security measure is
pointless.

Peter

--
gentoo-security@g.o mailing list
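The guarantee argued over in this exchange (a signature proves the package is byte-for-byte what the developer signed, and nothing about whether its contents are good) can be made concrete in code. The following is an added example, not part of the thread and not Gentoo's Manifest format or tooling: it models a package as a set of named files, a manifest of SHA-256 digests, and an Ed25519 signature over the manifest standing in for a developer's GPG signature. The file names, contents and key handling are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed example, not Gentoo's Manifest scheme: the distributor publishes a
// manifest listing each file's SHA-256 plus a signature over that manifest. The
// client verifies the signature, then every digest. Nothing here judges whether
// the files are "correct"; it only detects modification after signing.

// GenerateDeveloperKey creates the signing key pair the developer holds.
// (Assumption: one Ed25519 key stands in for a developer's GPG key.)
func GenerateDeveloperKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest renders "name sha256hex\n" lines in sorted order so the same file
// set always produces byte-identical output; a signature over an unordered
// listing would fail on harmless reorderings.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignManifest is the developer's one-time step at upload.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyPackage is the client-side check. It answers only "is this exactly what
// the key holder signed?", covering the manifest, every listed file, and the
// absence of files that were added or dropped in transit.
func VerifyPackage(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: manifest or signature altered")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.Fields(line)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[parts[0]] = parts[1]
	}
	if len(expected) != len(files) {
		return errors.New("file set differs from manifest (file added or removed)")
	}
	for name, want := range expected {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s listed in manifest but missing", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: digest mismatch, content modified after signing", name)
		}
	}
	return nil
}

func main() {
	pub, priv := GenerateDeveloperKey()
	// Constructed package contents. The patch carries a deliberate flaw to show
	// that a valid signature says nothing about correctness, only about delivery.
	pkg := map[string][]byte{
		"foo-1.0.ebuild": []byte("DESCRIPTION=\"example\"\n"),
		"fix.patch":      []byte("an off-by-one the developer missed, signed anyway\n"),
	}
	manifest := BuildManifest(pkg)
	sig := SignManifest(priv, manifest)
	fmt.Println("unmodified package:", VerifyPackage(pub, manifest, sig, pkg))

	// Someone on the path between the main server and the client edits one file.
	tampered := map[string][]byte{"foo-1.0.ebuild": pkg["foo-1.0.ebuild"], "fix.patch": []byte("altered content\n")}
	fmt.Println("file modified:     ", VerifyPackage(pub, manifest, sig, tampered))

	// They also regenerate the manifest to match; without the developer's key the
	// old signature no longer fits the new manifest.
	fmt.Println("manifest swapped:  ", VerifyPackage(pub, BuildManifest(tampered), sig, tampered))
}
```

The first run prints `<nil>` for the untouched package even though it ships a flawed patch, and an error for both tampering cases; that is exactly the split Peter draws between "correct" and "the same package Gentoo intended to distribute". Whether the developer's key itself is trustworthy is outside what this check can establish, which is the remaining caveat Marc raises about a compromised workstation.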