On Thu, Apr 29, 2010 at 10:40 AM, Allan McRae <allan@archlinux.org> wrote:
On 30/04/10 01:29, Thomas Bächler wrote:
Am 29.04.2010 00:36, schrieb Linas:
Thomas Bächler wrote:
We must have a system that allows pacman to automatically verify new developer keys and revoke old ones ... even more important, revoke them in a way that signatures made before a certain date are still accepted, but newer ones aren't. I don't see this easily being implemented with PGP-Keys, but maybe someone else knows more.
You can't trust a package made with a compromised key just because it looks old. That can be falsified. Packages not affected should be resigned by another developer / the new developers key. I would still recompile them, though (withouth necessarily increasing the pkgrel).
You are right, if the key has been compromised, you can easily include a fake date. So upon revoking a key, all packages have to be re-signed.
This shows again that this is not a topic you can just solve by throwing some code at people. It needs a proper chain of trust and concepts to cover all cases - otherwise, it might be possible to compromise the system, giving users a false sense of security.
Has anyone had a good look at the other implementations of package signing (Debian, Fedora, ...) and made a summary of how they handle it?
This is also a resource worth consulting: http://www.cs.arizona.edu/stork/packagemanagersecurity/ -Dan