Re: Announcement: APT Secure
Drew Scott Daniels consulted the pineal gland:
> Please see http://monk.debian.net/apt-secure/ for more information and
> to download Debian packages.
> There's also a mirror here:
> http://people.debian.org/~walters/monk.debian.net/

are there plans to sign (with some given key, preferably one of yours on
the keyring) the repository at http://monk.debian.net/debian/? other
than that source, i've been able to update with no problems.

how much testing has gone into testing badly-signed packages, or
packages which are properly signed but don't match the latest Releases
file (possible MiM attack where an old, vulnerable but signed package is
substituted for the correct one)? is some needed?

-- 
nick black <[EMAIL PROTECTED]>
"np: nondeterministic polynomial-time
 the class of dashed hopes and idle dreams." - the complexity zoo
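Added example, not code from this thread or from the APT Secure patch: a small Python model of the Release -> Packages -> .deb hash chain the announcement describes, plus the freshness check that catches the substitution nick asks about (a Release file that is validly signed but older than one the client already accepted). It assumes Release.gpg has already been verified against the archive key in /etc/apt/trusted.gpg (signature checking is outside the block), uses SHA256 entries rather than the MD5Sum-only Release files of 2003, and every piece of archive data is constructed inline.

```python
import hashlib
from datetime import datetime, timezone

def parse_release(text):
    """Return (Date, {path: sha256}) from a Release body whose Release.gpg was already verified."""
    date, files, in_sha = None, {}, False
    for line in text.splitlines():
        if line.startswith("Date:"):
            date = datetime.strptime(line[5:].strip(), "%a, %d %b %Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        elif line.startswith(" ") and in_sha:   # " <hash> <size> <path>" under SHA256:
            digest, _size, path = line.split()
            files[path] = digest
        else:
            in_sha = line.startswith("SHA256:")  # other hash sections are ignored here
    return date, files

def parse_packages(text):
    """Return {Filename: SHA256} for every stanza of a Packages index."""
    out, cur = {}, {}
    for line in text.splitlines() + [""]:
        if not line:                         # blank line ends a stanza
            if cur:
                out[cur["Filename"]] = cur["SHA256"]
            cur = {}
        elif not line.startswith(" "):       # skip Description continuation lines
            key, value = line.split(":", 1)
            cur[key] = value.strip()
    return out

def verify_chain(release, packages, index_path, deb_path, deb, last_seen):
    """Walk Release -> Packages -> .deb; return "ok" or the reason for rejection."""
    date, files = parse_release(release)
    if last_seen is not None and date < last_seen:
        return "rollback"           # validly signed, but older than a Release already accepted
    if files.get(index_path) != hashlib.sha256(packages.encode()).hexdigest():
        return "index-mismatch"     # this Packages is not the one the signed Release lists
    if parse_packages(packages).get(deb_path) != hashlib.sha256(deb).hexdigest():
        return "package-mismatch"   # this .deb is not the one the Packages index lists
    return "ok"

# Constructed sample archive: hashes are computed here, nothing comes from a real mirror.
DEB = b"constructed .deb contents, not a real package"
DEB_PATH = "pool/main/e/example/example_1.0_i386.deb"
INDEX = "main/binary-i386/Packages"
PACKAGES = f"Package: example\nVersion: 1.0\nFilename: {DEB_PATH}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n"
RELEASE = ("Origin: Debian\nDate: Thu, 26 Jun 2003 14:30:02 UTC\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES.encode()).hexdigest()} {len(PACKAGES.encode())} {INDEX}\n")
LAST_SEEN = datetime(2003, 6, 20, tzinfo=timezone.utc)          # Date of the last Release we accepted
STALE_RELEASE = RELEASE.replace("26 Jun 2003", "20 May 2003")   # older, but would still verify
```

A client that remembers the Date of the last Release it accepted, and refuses anything older, closes the window in which a mirror can replay a genuinely signed but superseded Release together with the vulnerable package it still lists.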
Re: Announcement: APT Secure
[EMAIL PROTECTED] said:
> That answer is pretty easy to find, too. Look at the description of the
> debian-keyring package.

"The Debian project wants developers to digitally sign the announcements
of their packages with GnuPG, to protect against forgeries. This package
contains keyrings of GnuPG and (deprecated) PGP keys of developers."

Read literally, I guess you're saying the archive key isn't in there
because it's not a developer's key. More broadly, though, if one of the
goals of debian developers using gpg keys is "to protect against
forgeries", and debian-keyring contains their keys to further this goal,
and apt-secure is a further advancement of this same goal, then wouldn't
debian-keyring be a logical way to distribute the archive's public key?

Distributing the key this way would be akin to the way ssl CA
certificates are distributed via the ca-certificates package. It's not
perfect, but it's better than downloading the public key from the first
hit your google search turns up. At least when it's distributed with the
OS, you can compare your installed version with the one on an old CD or
something.

Jason
Re: Announcement: APT Secure
On Mon, Jun 30, 2003 at 04:16:39PM +, Jason Lunz wrote:
> [EMAIL PROTECTED] said:
> >> Where should I get the key? And why isn't it in debian-keyring? I've got
> >> the current sid version.
> >
> > http://www.debian.org/releases/
>
> Well, that wasn't too hard to find, of course. The "where" question was
> mostly rhetorical. More importantly, why on earth isn't the archive
> master key in debian-keyring?

That answer is pretty easy to find, too. Look at the description of the
debian-keyring package.

-- 
 - mdz
Re: Announcement: APT Secure
[EMAIL PROTECTED] said:
>> Where should I get the key? And why isn't it in debian-keyring? I've got
>> the current sid version.
>
> http://www.debian.org/releases/

Well, that wasn't too hard to find, of course. The "where" question was
mostly rhetorical. More importantly, why on earth isn't the archive
master key in debian-keyring?

Jason
Re: Announcement: APT Secure
On Fri, Jun 27, 2003 at 02:15:12PM +, Jason Lunz wrote:
> [orr](0) # gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-keys Archive
> gpg: error reading key: public key not found
>
> Where should I get the key? And why isn't it in debian-keyring? I've got
> the current sid version.

http://www.debian.org/releases/

-- 
 - mdz
Re: Announcement: APT Secure
[EMAIL PROTECTED] said:
> This is a call to the community to help test and audit this patch to
> APT, and to eventually participate in the policy discussion about the
> patch.
>
> Please see http://monk.debian.net/apt-secure/ for more information and
> to download Debian packages.

I'm trying the instructions there, but the gpg commands for making
/etc/apt/trusted.gpg fail because the debian archive key isn't in
debian-keyring:

[orr](0) # gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-keys Walters
pub  1024D/6A765865 2001-09-29 Colin Walters <[EMAIL PROTECTED]>
uid                            Colin Walters <[EMAIL PROTECTED]>
uid                            Colin Walters <[EMAIL PROTECTED]>
uid                            [jpeg image of size 6059]
uid                            Colin Walters <[EMAIL PROTECTED]>
uid                            Colin Walters <[EMAIL PROTECTED]>
uid                            Colin Walters <[EMAIL PROTECTED]>
sub  1024g/96D4E127 2001-09-29

[orr](0) # gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-keys Archive
gpg: error reading key: public key not found

Where should I get the key? And why isn't it in debian-keyring? I've got
the current sid version.

Jason
Announcement: APT Secure
The original announcement was on debian-devel and can be seen in the
archives here:
http://lists.debian.org/debian-devel/2003/debian-devel-200306/msg01655.html

To: Debian Developers <[EMAIL PROTECTED]>
Subject: Announcement: APT Secure
From: Isaac Jones <[EMAIL PROTECTED]>
Date: Thu, 26 Jun 2003 10:30:02 -0400
Message-id: <[EMAIL PROTECTED]>
Old-return-path: <[EMAIL PROTECTED]>
User-agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux)

Greetings :)

"APT Secure" is the working name of a project to add to APT the ability
to verify the authenticity of Debian packages. It accomplishes this via
a chain of trust which is initiated by the package maintainers and ends
on the installing machine.

This is a call to the community to help test and audit this patch to
APT, and to eventually participate in the policy discussion about the
patch.

Please see http://monk.debian.net/apt-secure/ for more information and
to download Debian packages.

There's also a mirror here:
http://people.debian.org/~walters/monk.debian.net/

peace,

Isaac & Colin

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]