Web lists-archives.com

Re: Q: Where is keyring packaging guideline?




On Tue, Aug 21, 2018 at 01:39:29PM +0800, Paul Wise wrote:
> On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
> 
> > I want to make 3rd party keyring package (ITP). In the advance, I
> > want to know a best practice about *keyring* packaging. Any hints?
> 
> >   sudo apt install -y -V --allow-unauthenticated foobar-keyring
> >   This is reasonable because there is no correct key yet before
> >   installing it.
> 
> I don't think this is appropriate at all. Instead, always use an
> out-of-band mechanism for confirming the appropriate OpenPGP keys.
> Having the keyring package in Debian itself is a good idea, but at
> very bare minimum, download the key or fingerprint from a website that
> uses a valid TLS certificate according to the X.509 CA trust model.

Uh, what?

You do realize that the CA cartel model is security theatre, intentionally
subverted to provide so-called "responsible encryption"?  To break it, you
need to either:
* control _any_ of thousands of CAs (not merely roots), many of which have
  already been caught issuing MITM certs or are otherwise well-known to be
  conducting massive scale MITM by other means.  Some of those were papered
  over as "it was just a honest error, we swear!", some led to removal from
  ca-certificates -- all while multiple other CAs controlled by the same
  government are still there.
* get hold of a SSL private key.  Unlike gpg which can be done offline, SSL
  keys must be available on every front-end server all the time.

Thus, having a trust anchor provided in the Debian archive would be a
massive improvement.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ What Would Jesus Do, MUD/MMORPG edition:
⣾⠁⢰⠒⠀⣿⡁ • multiplay with an admin char to benefit your mortal [Mt3:16-17]
⢿⡄⠘⠷⠚⠋⠀ • abuse item cloning bugs [Mt14:17-20, Mt15:34-37]
⠈⠳⣄⠀⠀⠀⠀ • use glitches to walk on water [Mt14:25-26]