Re: Q: Where is keyring packaging guideline?
- Date: Tue, 21 Aug 2018 14:32:05 +0300
- From: Adrian Bunk <bunk@xxxxxxxxxx>
- Subject: Re: Q: Where is keyring packaging guideline?
On Tue, Aug 21, 2018 at 01:39:29PM +0800, Paul Wise wrote:
> On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
> > So, I plan to make one more 3rd party keryring into Debian.
> That seems like a reasonable way to provide a secure mechanism to install it.
This would actually compromise the security of Debian,
Debian is as secure as the weakest 3rd party keyring
emdebian-archive-keyring  is a good example:
Key in wheezy was compromised in 2014.
Key revoke was uploaded to unstable in 2014.
wheezy was security-supported until 2016.
wheezy was LTS-supported until 2018.
The known-compromised key is still in wheezy.
For keeping Debian secure with 3rd party keyrings we would have to
run a CA that verifies that a key is trustworthy, and issues a DSA
if a 3rd party keyring is no longer considered secure.
For some few projects like Ubuntu/Mozilla/Tor we might trust that their
security practices are not worse than the security practices of Debian,
so except for the "belongs into Debian itself" point these might end
up being considered OK.
Creating a chain of trust to random keys ITP'ed into Debian is just
outright dangerous - the risk is too high that the private key either
gets accidentally compromised (see Emdebian) or intentionally planted
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed