[arch-general] Package signing

Allan McRae allan at archlinux.org
Thu Apr 29 17:40:49 CEST 2010


On 30/04/10 01:29, Thomas Bächler wrote:
> Am 29.04.2010 00:36, schrieb Linas:
>> Thomas Bächler wrote:
>>> We must have a system that allows pacman to automatically verify new
>>> developer keys and revoke old ones ... even more important, revoke them
>>> in a way that signatures made before a certain date are still accepted,
>>> but newer ones aren't.
>>> I don't see this easily being implemented with PGP-Keys, but maybe
>>> someone else knows more.
>>>
>>
>> You can't trust a package made with a compromised key just because it
>> looks old. That can be falsified.
>> Packages not affected should be resigned by another developer / the new
>> developers key.
>> I would still recompile them, though (without necessarily increasing
>> the pkgrel).
>
> You are right, if the key has been compromised, you can easily include a
> fake date. So upon revoking a key, all packages have to be re-signed.
>
> This shows again that this is not a topic you can just solve by throwing
> some code at people. It needs a proper chain of trust and concepts to
> cover all cases - otherwise, it might be possible to compromise the
> system, giving users a false sense of security.

Has anyone had a good look at the other implementations of package 
signing (Debian, Fedora, ...) and made a summary of how they handle it?
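The two revocation policies argued over above, modelled as an added example (not code from the thread or from pacman): a "keep accepting signatures dated before the revocation" policy versus a "revoked key is never trusted, re-sign with a valid key" policy. The HMAC-based signature, key names and timestamps are constructed stand-ins for the OpenPGP keys the thread discusses; the point carried over is that the signer, legitimate or not, controls the timestamp inside the signature.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a PGP signature: an HMAC over (package bytes + claimed
# signing time). Whoever holds the key chooses the timestamp, as with a real key.

@dataclass(frozen=True)
class Signature:
    key_id: str
    claimed_time: int   # chosen by whoever holds the key, so not trustworthy
    mac: bytes

def sign(key_id: str, secret: bytes, package: bytes, claimed_time: int) -> Signature:
    msg = package + claimed_time.to_bytes(8, "big")
    return Signature(key_id, claimed_time, hmac.new(secret, msg, hashlib.sha256).digest())

def verify(secret: bytes, package: bytes, sig: Signature) -> bool:
    msg = package + sig.claimed_time.to_bytes(8, "big")
    return hmac.compare_digest(sig.mac, hmac.new(secret, msg, hashlib.sha256).digest())

# Hypothetical keyring state: key secrets, and the time at which a key was revoked.
KEYS = {"dev-old": b"old-secret", "dev-new": b"new-secret"}
REVOKED_AT = {"dev-old": 1000}  # dev-old was compromised and revoked at t=1000

def accept_date_based(package: bytes, sig: Signature) -> bool:
    """Policy proposed first in the thread: still accept signatures dated before revocation."""
    if sig.key_id not in KEYS or not verify(KEYS[sig.key_id], package, sig):
        return False
    revoked = REVOKED_AT.get(sig.key_id)
    return revoked is None or sig.claimed_time < revoked

def accept_resigned(package: bytes, sig: Signature) -> bool:
    """Policy Linas argues for: a revoked key is never trusted; good packages get re-signed."""
    if sig.key_id in REVOKED_AT:
        return False
    return sig.key_id in KEYS and verify(KEYS[sig.key_id], package, sig)

def demo() -> dict:
    trojan = b"malicious package built after the compromise"
    # Holder of the compromised key simply backdates the signature to t=500.
    backdated = sign("dev-old", KEYS["dev-old"], trojan, claimed_time=500)
    # The remedy from the thread: another developer re-signs the good package.
    good = b"unchanged good package"
    resigned = sign("dev-new", KEYS["dev-new"], good, claimed_time=2000)
    return {
        "date_based_accepts_backdated_trojan": accept_date_based(trojan, backdated),
        "resigned_policy_accepts_backdated_trojan": accept_resigned(trojan, backdated),
        "resigned_policy_accepts_resigned_good": accept_resigned(good, resigned),
    }
```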
