On Wed, Sep 05, 2007 at 02:48:39PM +0300, Sami Liedes wrote:
> On Wed, Sep 05, 2007 at 01:31:06AM +0200, Cyril Brulebois wrote:
> 
> > What about the following? An Application Manager asks his/her New
> > Maintainer applicant to sign the source packages, or more generally one
> > provides source packages on one's website, and publishes the key with which
> > they were signed. (See also <http://mentors.debian.net>.) Doesn't the
> > current behaviour exactly fit these purposes?
> 
> Ah, ok, I probably misunderstood its purpose then if it doesn't
> intend to verify that it's signed by a DD.
> 
> However, it still fails to do what you describe: The .dsc can be
> signed by *anyone* whose key I happen to have in my keyring, not only
> by the person in the Maintainer: field, without giving any clue to
> whose signature the .dsc has. I can't think what that's good for.

Krhm. It seems I got ignored after first misunderstanding the intent
of the programmer even if his code doesn't work.

Even at the risk of being flamed, I need to point out that this is
still a very real security bug. apt purports to verify something
gpg-wise, but utterly fails. I guess we are lucky it's not very
verbose about its attempt to verify, so there's hope nobody trusts it,
but that's just a partial defense. As I pointed out in my previous
mail, the fact that a key exists in some user's public key ring simply
does not imply any trust at all. Allowing anyone's valid signature in
the .dsc, not only the maintainer's, is just plain broken behavior.

        Sami

Attachment: signature.asc
Description: Digital signature
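The distinction Sami draws, between "some key in my keyring produced a valid signature on this .dsc" and "the key bound to the package's Maintainer: address produced it", is easy to show in code. The following is an added example, not apt's or dpkg's code, and it makes two assumptions: that verification is done by parsing gpg's machine-readable `--status-fd` lines (GOODSIG, VALIDSIG, BADSIG), whose format is gpg's documented one, and that a policy table (`TRUSTED_SIGNERS`, hypothetical here) maps maintainer e-mail addresses to the primary-key fingerprints allowed to sign for them. The .dsc text and the gpg status output below are constructed samples for the example, not real packages or keys.

```python
"""Two ways to decide whether a clearsigned .dsc is acceptably signed.

keyring_check()    reproduces the behaviour the post objects to: any valid
                   signature from any key gpg happens to know is accepted.
maintainer_check() additionally requires every signing key to be one that
                   policy binds to the Maintainer: address inside the signed
                   text.

Added example; TRUSTED_SIGNERS and the sample data are hypothetical.
"""
import re
import subprocess
from email.utils import parseaddr

# Hypothetical policy table: maintainer address -> primary-key fingerprints.
# A key merely being present in ~/.gnupg/pubring.gpg never gets it in here.
TRUSTED_SIGNERS = {
    "maint@example.org": {"0123456789ABCDEF0123456789ABCDEF01234567"},
}

_STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$", re.M)
_MAINTAINER = re.compile(r"^Maintainer:\s*(.+?)\s*$", re.M)


def parse_gpg_status(status_text):
    """Reduce gpg --status-fd output to (signature_good, {primary key fprs})."""
    good = False
    signers = set()
    for keyword, args in _STATUS_LINE.findall(status_text):
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            f = args.split()
            # VALIDSIG has nine mandatory fields; an optional tenth carries the
            # primary-key fingerprint when the signature was made by a subkey.
            signers.add(f[9] if len(f) > 9 else f[0])
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG",
                         "NODATA", "NO_PUBKEY"):
            return False, set()
    return good, signers


def signed_body(dsc_text):
    """Return only the clearsigned part of a .dsc.

    Anything outside the signed block (e.g. a trailing, unsigned
    'Maintainer:' line appended by an attacker) is deliberately ignored.
    """
    start = dsc_text.find("-----BEGIN PGP SIGNED MESSAGE-----")
    end = dsc_text.find("-----BEGIN PGP SIGNATURE-----")
    if start < 0 or end < 0:
        return ""
    body = dsc_text[start:end]
    sep = body.find("\n\n")          # skip the armor headers (Hash: ...)
    return body[sep + 2:] if sep >= 0 else ""


def maintainer_email(signed_text):
    m = _MAINTAINER.search(signed_text)
    return parseaddr(m.group(1))[1].lower() if m else None


def keyring_check(status_text):
    """'Somebody whose key I have signed it.'  Says nothing about who."""
    good, _ = parse_gpg_status(status_text)
    return good


def maintainer_check(status_text, dsc_text, trusted=TRUSTED_SIGNERS):
    """All signers must be keys policy binds to the signed Maintainer: field."""
    good, signers = parse_gpg_status(status_text)
    if not good or not signers:
        return False
    allowed = trusted.get(maintainer_email(signed_body(dsc_text)) or "", set())
    return signers <= allowed


def verify_dsc(path, trusted=TRUSTED_SIGNERS):
    """Run gpg on a real .dsc and apply maintainer_check (needs gpg installed)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        dsc_text = fh.read()
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True, check=False,
    )
    return maintainer_check(proc.stdout, dsc_text, trusted)


# --- constructed sample data (not a real package, not real keys) ---------
SAMPLE_DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: foo
Version: 1.0-1
Maintainer: Jane Maintainer <maint@example.org>
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 foo_1.0.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
(armored signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

STATUS_MAINTAINER = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Jane Maintainer <maint@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-09-05 "
    "1188985719 0 4 0 17 2 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
STATUS_OTHER_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG FEDCBA9876543210 Random Person <random@example.net>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2007-09-05 "
    "1188985719 0 4 0 17 2 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)
STATUS_BAD = "[GNUPG:] BADSIG FEDCBA9876543210 Random Person <random@example.net>\n"
```

With the sample data, `keyring_check(STATUS_OTHER_KEY)` returns True even though the signer has nothing to do with the Maintainer: field, which is exactly the complaint above; `maintainer_check(STATUS_OTHER_KEY, SAMPLE_DSC)` returns False, and only `STATUS_MAINTAINER` passes it. Note that the Maintainer: address is read from inside the clearsigned block, so a forger cannot attach a maintainer's name to their own signature without that key; what the check cannot do is supply the trust table, which has to come from somewhere other than "whatever is in the user's keyring".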
