On 12/18/2012 06:07 AM, KP Kirchdoerfer wrote: > Hi Erich; > > Am 16.12.2012 19:50, schrieb Erich Titl: >> Hi KP >> >> Am 16.12.2012 11:12, schrieb KP Kirchdoerfer: >>> Am 15.12.2012 23:14, schrieb Erich Titl: >>>> Hi KP >>>> >>>> Am 15.12.2012 19:54, schrieb KP Kirchdoerfer: >>>>> Hi; >>>>> >>>>> I did some work on Trac ticket 57 "add gpg signing of packages", and >>>>> like to discuss, what I've done so far. >>>> >>>> Will it still be possible to load unsigned packages? >>> >>> Yes. Currently verify is not integrated into the install or update commands. >>> The user *can* download a gpg signature file for a given lrp and verify >>> the package before he installs/updates it. It's recommended, but >>> everything else will work as before. >> >> I have a few more doubts >> >> If the verify mechanism is built into config.lrp then it is easy to >> circumvent it, by just disabling it there. This is even easier than in >> in initrd. > > The idea is to follow this route: > http://www.apache.org/dev/release-signing.html > > It does need a web-of-trust, which has not been established. > So the security is related, to the web-of-trust and the strength of the > developers key.
KP, It sounds like a keysigning party is on the horizon for leaf. https://www.google.com/search?q=web+of+trust+key+signing >> Unfortunately I believe if such a mechanism is easy to break it is of no >> great value. > > It shouldn't be that easy to break it. > A first value is that we start to 17 month ticket :) > >> If we want this to succeed we need to build some kind of a >> chain of trust and enforce the use of signed packages. If someone wants >> tu build his own package he has to be a member of this chain of trust. > > Keep in mind, it's also possible to install lrp's with a simple tar > command or in the case of initrd with only little more work, if someone > opens a backdoor to your router. So enforcing the use of signed packages > with apkg makes things harder and is no big win at all. > > >> The program to verify the signature _must_ be signed itself, not only >> the package. > > Don't understand. Can you please explain? -- Mike Noyes http://sourceforge.net/users/mhnoyes https://plus.google.com/u/0/113364780158082152468 ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ leaf-devel mailing list leaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-devel
