On Tue, Apr 7, 2009 at 4:13 PM, Christian Robottom Reis <[email protected]> wrote:
> Just to clear some potential confusion:
>
> On Tue, Apr 07, 2009 at 03:00:39PM -0300, Celso Providelo wrote:
>> > In my eyes this is weird behaviour. If I'm correctly signing packages
>> > has the purpose of making sure the package was really added by the
>> > maintainer of the repository and allowing you to track down the
>> > credibility of that person or team via his/her/their key.
>> > We don't use keys to prove that package X from repository Y comes from
>> > repository Y. This, however, is what Launchpad is doing at the moment.
>
> I'm not sure why you say you don't use keys to prove that package X
> comes from repository Y -- that is exactly what we use signed archives
> for: to avoid the risk of a MITM impersonation of an archive.

Sense's point is that if you trust person A's publication of package X in the repository Y, why wouldn't you trust A publishing package W in repository Z? You trust A; it doesn't matter 'what' and 'where'.

The MITM protection is indirect, since what is being authenticated with signing-keys is the content being published, not necessarily the location where they are published.

If a pristine copy of the repository is published on a DNS-poisoned location it should be fine from apt's PoV, even if it's considered a MITM. Apt would only complain if the repository contents change, for instance, a deb gets replaced by a compromised version.

This is the aspect that allows mirroring repositories without getting into the complexity of re-authenticating their contents.

-- 
Celso Providelo <[email protected]>
IRC: cprov, Jabber: [email protected], Skype: cprovidelo
1024D/681B6469 C858 2652 1A6E F6A6 037B B3F7 9FF2 583E 681B 6469
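
The content-not-location check described in this message, as an added example that is not part of the original post and is not apt or Launchpad code. It is a simplified model of the hash chain (signed Release entry, then Packages index, then each .deb); it assumes the Release signature was already verified against the archive key, and all file names, hostnames and byte strings are constructed.

```python
import hashlib

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def make_packages_index(debs: dict) -> bytes:
    """Publisher side: one 'path sha256' line per .deb (simplified Packages file)."""
    lines = (f"{path} {digest(blob)}" for path, blob in sorted(debs.items()))
    return "\n".join(lines).encode()

def verify_mirror(signed_packages_sha256: str, mirror_url: str, fetched: dict) -> list:
    """Client side. signed_packages_sha256 is assumed to come from a Release file
    whose signature has already been checked (assumption of this example).
    mirror_url is accepted but never consulted: only content is authenticated."""
    index = fetched.get("Packages", b"")
    if digest(index) != signed_packages_sha256:
        return ["Packages: digest differs from signed Release entry"]
    problems = []
    for line in index.decode().splitlines():
        path, expected = line.rsplit(" ", 1)
        blob = fetched.get(path)
        if blob is None:
            problems.append(f"{path}: missing")
        elif digest(blob) != expected:
            problems.append(f"{path}: digest mismatch")
    return problems

# Constructed sample archive (not real packages).
DEBS = {"pool/hello_1.0_all.deb": b"constructed hello package bytes",
        "pool/world_2.1_all.deb": b"constructed world package bytes"}
PACKAGES = make_packages_index(DEBS)
SIGNED_DIGEST = digest(PACKAGES)          # value covered by the archive signature

ORIGIN = {"Packages": PACKAGES, **DEBS}
PRISTINE_COPY = dict(ORIGIN)              # byte-identical copy served elsewhere
SWAPPED = {"pool/hello_1.0_all.deb": b"replaced package bytes"}
TAMPERED = {**ORIGIN, **SWAPPED}          # one .deb replaced, index untouched
REINDEXED = {**TAMPERED, "Packages": make_packages_index({**DEBS, **SWAPPED})}

def demo() -> dict:
    return {
        "origin": verify_mirror(SIGNED_DIGEST, "http://archive.example/", ORIGIN),
        "copy": verify_mirror(SIGNED_DIGEST, "http://unexpected-host.example/", PRISTINE_COPY),
        "tampered": verify_mirror(SIGNED_DIGEST, "http://unexpected-host.example/", TAMPERED),
        "reindexed": verify_mirror(SIGNED_DIGEST, "http://unexpected-host.example/", REINDEXED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "OK")
```

A byte-identical copy verifies from any host, while a replaced .deb fails even when the unsigned index is regenerated to match it.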

