Debian using ed25519 APT repo meta data (Re: Ditching OpenPGP, a new approach to signing APT repositories)
On Tuesday 29 June 2021 19:00:00, Konstantin Ryabitsev via Gnupg-users wrote:
> Yes, but speaking from personal experience, integrating libsodium into your
> automation is significantly easier than almost any other option. Let Debian
> folks do what makes most sense for their needs -- what they are doing is
> certainly not wrong or heading in the wrong direction.

Sure, there are enough reasons to not use a standardized "packaging" protocol.
It comes with risks of course, but if it is well understood, it is much simpler.

The problem with the draft wiki page is that others use it to push their agenda
of antagonising OpenPGP and Debian without understanding the technical matter.
So giving more context and a better fitting headline would clarify this.

Bernhard

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Ditching OpenPGP, a new approach to signing APT repositories
On Tue, Jun 29, 2021 at 05:53:53PM +0200, Bernhard Reiter wrote:
> On Tuesday 29 June 2021 14:44:39, Konstantin Ryabitsev via
> Gnupg-users wrote:
> > With this change, they are replacing PGP with ed25519, but everything else
> > remains pretty much the same
>
> But OpenPGP is so much more than one algorithm,
> you can even use ed25519 with OpenPGP today.

Yes, but speaking from personal experience, integrating libsodium into your
automation is significantly easier than almost any other option. Let Debian
folks do what makes most sense for their needs -- what they are doing is
certainly not wrong or heading in the wrong direction.

-K
Re: Ditching OpenPGP, a new approach to signing APT repositories
On Tuesday 29 June 2021 14:44:39, Konstantin Ryabitsev via Gnupg-users wrote:
> With this change, they are replacing PGP with ed25519, but everything else
> remains pretty much the same

But OpenPGP is so much more than one algorithm,
you can even use ed25519 with OpenPGP today.

(Again, probably because of the draft or work-in-progress status, maybe someone
with write access to the wiki could clarify the headline.)

Thanks for the info,
Bernhard

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: Ditching OpenPGP, a new approach to signing APT repositories
On Tue, Jun 29, 2021 at 08:37:56AM +0200, Bernhard Reiter wrote:
> On Sunday 27 June 2021 18:56:15, Стефан Васильев via Gnupg-users wrote:
> > maybe interesting for some of you.
> > https://wiki.debian.org/Teams/Apt/Spec/AptSign
>
> This does not have references on the problems it is claiming to address.
>
> No description of the context where it is supposed to be used
> and what part it will play in the security.

I can fill it in here a bit. Debian doesn't sign individual .deb packages, but
instead signs APT repository metadata. Traditionally, a PGP key was used for
this, with the public counterpart being distributed either via the distro media
itself (e.g. iso images), or via https-based downloads. With this change, they
are replacing PGP with ed25519, but everything else remains pretty much the
same -- the signing is done by centralized distro infrastructure.

> Also there is no mention of how the trust relation of the public
> keys will be established.

The same as before -- they are downloaded with iso images, or retrieved from the
website via https. While there is no built-in mechanism for distributing key
revocation for ed25519 keys, this was not really a consideration before either
(even if you can publish a revocation certificate for a PGP key used for this
purpose now, very few people will know what to do with it).

> So not yet possible to evaluate the page, it looks like a 0.2 draft
> in a wiki and probably gets to the point of being an interesting proposal
> later.

Most notably, "Ditching OpenPGP" is wildly inaccurate. OpenPGP is still used for
all other Debian maintainer operations -- it's only being replaced in one small
area where key management and trust were used in least PGP-like ways.

-K
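The model Konstantin describes above (a detached ed25519 signature over repository metadata, verified against public keys pinned out of band, with no built-in revocation) can be shown end to end with Go's standard `crypto/ed25519`. This is an added example written for this archive; it is not code from the thread, from Debian's AptSign draft or from libsodium. The Release-style metadata is constructed, the key pair is generated locally rather than on distro infrastructure, `KeyID` is a hypothetical naming scheme, and the `Revoke` denylist stands in for the revocation mechanism the protocol itself lacks:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// NewSigningKey generates a fresh ed25519 key pair. In the real deployment the
// private key lives on centralized distro infrastructure; here it is local.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

// KeyID names a public key by the hex SHA-256 of its raw 32 bytes. This is a
// hypothetical naming scheme for the example, not something the spec defines.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SampleMetadata returns a constructed, minimal Release-style file. The hash
// entry is a placeholder, not a real Debian value.
func SampleMetadata() []byte {
	return []byte("Origin: example-repo\n" +
		"Suite: stable\n" +
		"Date: Tue, 29 Jun 2021 12:00:00 UTC\n" +
		"SHA256:\n" +
		" <placeholder-sha256> 1234 main/binary-amd64/Packages\n")
}

// TrustStore models the client side: public keys pinned out of band (shipped on
// the iso image or fetched over https) plus a local denylist, because ed25519
// by itself carries no revocation format.
type TrustStore struct {
	pinned  []ed25519.PublicKey
	revoked map[string]bool
}

func NewTrustStore(keys ...ed25519.PublicKey) *TrustStore {
	return &TrustStore{pinned: keys, revoked: map[string]bool{}}
}

// Revoke stops a pinned key from verifying anything further.
func (ts *TrustStore) Revoke(id string) { ts.revoked[id] = true }

// SignMetadata is the publisher side: a detached signature over the exact
// metadata bytes, so any later change to those bytes invalidates it.
func SignMetadata(priv ed25519.PrivateKey, metadata []byte) []byte {
	return ed25519.Sign(priv, metadata)
}

// VerifyMetadata returns the ID of the pinned, non-revoked key that verifies
// the signature, or an error. The length check comes first so a truncated or
// corrupted signature file is rejected before any key is tried.
func VerifyMetadata(ts *TrustStore, metadata, sig []byte) (string, error) {
	if len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed signature: wrong length")
	}
	for _, pub := range ts.pinned {
		id := KeyID(pub)
		if ts.revoked[id] {
			continue
		}
		if ed25519.Verify(pub, metadata, sig) {
			return id, nil
		}
	}
	return "", errors.New("no trusted key verifies this metadata")
}

func main() {
	pub, priv := NewSigningKey()
	ts := NewTrustStore(pub)
	meta := SampleMetadata()
	sig := SignMetadata(priv, meta)

	id, err := VerifyMetadata(ts, meta, sig)
	fmt.Println("genuine metadata:", id[:16], err)

	tampered := append([]byte(nil), meta...)
	tampered[len(tampered)-2] ^= 0x01 // flip one bit in the Packages path
	_, err = VerifyMetadata(ts, tampered, sig)
	fmt.Println("tampered metadata:", err)

	ts.Revoke(KeyID(pub))
	_, err = VerifyMetadata(ts, meta, sig)
	fmt.Println("after local revocation:", err)
}
```

The point of the `TrustStore` is the part of the thread that is easy to miss: with a raw ed25519 key the whole trust decision is "is this exact public key pinned, and have I stopped trusting it", so the operator's key rotation and denylist procedure replaces what OpenPGP's revocation certificates would otherwise carry.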
Re: Ditching OpenPGP, a new approach to signing APT repositories
On Sunday 27 June 2021 18:56:15, Стефан Васильев via Gnupg-users wrote:
> maybe interesting for some of you.
> https://wiki.debian.org/Teams/Apt/Spec/AptSign

This does not have references on the problems it is claiming to address.

No description of the context where it is supposed to be used
and what part it will play in the security.

Also there is no mention of how the trust relation of the public
keys will be established.

So not yet possible to evaluate the page, it looks like a 0.2 draft
in a wiki and probably gets to the point of being an interesting proposal
later.

Bernhard

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Ditching OpenPGP, a new approach to signing APT repositories
Hello,

maybe interesting for some of you.
https://wiki.debian.org/Teams/Apt/Spec/AptSign

Regards
Stefan