Re: Q: Where is keyring packaging guideline?

On Tue, Aug 21, 2018 at 01:39:29PM +0800, Paul Wise wrote:
> On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
> > So, I plan to make one more 3rd party keyring into Debian.
> That seems like a reasonable way to provide a secure mechanism to install it.

This would actually compromise the security of Debian:
Debian is as secure as the weakest 3rd party keyring
in Debian.

emdebian-archive-keyring [1] is a good example:
Key in wheezy was compromised in 2014.
Key revoke was uploaded to unstable in 2014.
wheezy was security-supported until 2016.
wheezy was LTS-supported until 2018.
The known-compromised key is still in wheezy.

For keeping Debian secure with 3rd party keyrings we would have to
run a CA that verifies that a key is trustworthy, and issues a DSA
if a 3rd party keyring is no longer considered secure.

For some few projects like Ubuntu/Mozilla/Tor we might trust that their
security practices are not worse than the security practices of Debian,
so except for the "belongs into Debian itself" point these might end
up being considered OK.

Creating a chain of trust to random keys ITP'ed into Debian is just
outright dangerous - the risk is too high that the private key either
gets accidentally compromised (see Emdebian) or intentionally planted 
(see NSA/FBI/GCHQ/FSB/...).

> bye,
> pabs


[1] https://tracker.debian.org/pkg/emdebian-archive-keyring


       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
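Added example, not part of the mail above or of any Debian package: a check for the Emdebian situation the mail describes, where a keyring shipped in a stable release still presents a key as valid although the upstream project's current keyring has since revoked it. It parses the colon-format output of `gpg --with-colons --list-keys` for both keyrings; the function names, the sample listings and the key IDs in them are constructed for the example.

```python
from datetime import datetime, timezone

# Meaning of the validity field (field 2) of a `pub` record in gpg --with-colons output.
BAD_VALIDITY = {"r": "revoked", "e": "expired"}

def audit_listing(listing, now=None):
    """Map keyid -> "revoked" | "expired" | "ok" for each primary key in `listing`,
    the text printed by `gpg --no-default-keyring --keyring FILE --with-colons --list-keys`.
    A past expiration date (field 7) counts as "expired" even if the validity flag is "-"."""
    now = now or datetime.now(timezone.utc)
    result = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 7:
            continue
        validity, keyid, expires = fields[1], fields[4], fields[6]
        status = BAD_VALIDITY.get(validity, "ok")
        if status == "ok" and expires.isdigit():
            if datetime.fromtimestamp(int(expires), timezone.utc) < now:
                status = "expired"
        result[keyid] = status
    return result

def stale_keys(shipped_listing, upstream_listing, now=None):
    """Keys a shipped keyring still presents as valid although the upstream project's
    current keyring marks them revoked or expired: the Emdebian/wheezy situation, where
    the revocation never reached the keyring in the stable release."""
    shipped = audit_listing(shipped_listing, now)
    upstream = audit_listing(upstream_listing, now)
    return {k: upstream[k] for k, s in shipped.items()
            if s == "ok" and upstream.get(k, "ok") != "ok"}

# Constructed sample listings (not real keys): the shipped keyring carries no
# revocation, while upstream's current keyring marks the same key revoked.
SHIPPED = """\
pub:-:4096:1:0123456789ABCDEF:1388534400::-:::scESC::::::23::0:
uid:-::::1388534400::DEADBEEF::Example Archive Key <archive@example.org>::::::::::0:
pub:-:4096:1:1122334455667788:1388534400::-:::scESC::::::23::0:
uid:-::::1388534400::F00DF00D::Example Release Key <release@example.org>::::::::::0:
"""
UPSTREAM = """\
pub:r:4096:1:0123456789ABCDEF:1388534400::-:::scESC::::::23::0:
uid:r::::1388534400::DEADBEEF::Example Archive Key <archive@example.org>::::::::::0:
pub:-:4096:1:1122334455667788:1388534400::-:::scESC::::::23::0:
uid:-::::1388534400::F00DF00D::Example Release Key <release@example.org>::::::::::0:
"""

if __name__ == "__main__":
    print(stale_keys(SHIPPED, UPSTREAM))  # {'0123456789ABCDEF': 'revoked'}
```

Run against a real package, feed `audit_listing` the listing of the keyring file from the installed archive-keyring package and `stale_keys` the listing of the project's current keyring; a non-empty result is the case the mail warns about.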