| 1 |
Marc Ballarin writes: |
| 2 |
|
| 3 |
> If a distributor promises package integrity through |
| 4 |
> signatures, they are lying. |
| 5 |
|
| 6 |
The signature doesn't promise that the package is "correct" |
| 7 |
in any sense of the word, but it guarantees that it is the |
| 8 |
same package Gentoo intended to distribute. |
| 9 |
|
| 10 |
If you don't see how that improves security, then I frankly |
| 11 |
don't know what else to say. |
| 12 |
|
| 13 |
|
| 14 |
> This might work for glibc (Don't know, really.). But it |
| 15 |
> certainly won't work for many other packages. |
| 16 |
|
| 17 |
Again, this problem is not about glibc, it is about making |
| 18 |
sure that data is distributed unmodified. I trust the Gentoo |
| 19 |
developers to take care that the software they package up is |
| 20 |
as secure as it can be. But I don't trust the Internet to |
| 21 |
give me the same package that the Gentoo developers uploaded |
| 22 |
to the main server. |
| 23 |
|
| 24 |
|
| 25 |
> My point being: Manipulations can be subtle |
| 26 |
|
| 27 |
Manipulations are impossible if the package is signed. |
| 28 |
|
| 29 |
|
| 30 |
> If you use signatures to verify a package, you have to |
| 31 |
> understand exactly what guarantees are given. |
| 32 |
|
| 33 |
I do. |
| 34 |
|
| 35 |
|
| 36 |
> The package or ebuild is identical to the version the |
| 37 |
> Gentoo developer signed, provided that his workstation |
| 38 |
> has not been compromised. |
| 39 |
|
| 40 |
> Nothing else is guaranteed. |
| 41 |
|
| 42 |
Then let's guarantee that and work from there, because |
| 43 |
without that guarantee every other security measure is |
| 44 |
pointless. |
| 45 |
|
| 46 |
Peter |
| 47 |
|
| 48 |
|
| 49 |
-- |
| 50 |
gentoo-security@g.o mailing list |
Archives