Comment 11 for bug 125103

alsuren (alsuren) wrote:

@Alexandre Vassalotti: it would be trivial to attack any system that uses the PPA if it had a master key:
1) create a throw-away account, and get a PPA account.
2) upload a source package named kde4-core that does Bad Things to the user's machine.
3) get that package back off the server.
4) spoof the DNS records of ppa.launchpad.net, so that it points to your own server.
5) wait for someone to try upgrading kde4-core
6) watch the Bad Things happen to the user's machine.

@Dave Walker: How does your mirror-and-sign script verify that nobody is spoofing the PPA server when you run your script (and therefore getting you to sign arbitrary binaries)?

What would be really nice is if you could have this situation:

* I always sign all of my source packages with my private key. (call this private_alsuren).
* The PPA servers keep a different private key for me (call this ppa_alsuren). I cannot access this key myself: it is only accessible by the build service.
* When a source package is uploaded, and signed with private_alsuren, the corresponding binary package is automatically signed with ppa_alsuren.
* My PPA automatically contains a package called ppa-alsuren-keyring. (with a similar purpose to ubuntu-keyring, or debian-archive-keyring: it imports the public portion of ppa_alsuren into apt.)

This means that: I can just make all of my packages depend on ppa-alsuren-keyring, and users will only ever get an "unsigned package" warning on the first install.

For team archives, ppa-kubuntu-members-kde4-keyring imports the public portion of ppa_${developer} for each developer in the kubuntu-members-kde4 team.

The kde4 guys can make users apt-get install ppa-kubuntu-members-kde4-keyring before they install kde4-core, and users will only get one "unsigned package" warning.
The core ubuntu devs can create ppa-kubuntu-members-kde4-keyring as a signed package, and there would be no unsigned package warning.

This is both more convenient for users than the current system, and less trivial to attack than Alexandre Vassalotti's system. If anyone thinks of a possible way to attack my system (short of rooting the PPA signing server, or the developer's box) please reply here.

David.
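An added worked model of the scheme described in the comment above (this is example code, not alsuren's script and not Launchpad's implementation): the build service signs a Release file with a per-developer key, Release carries the hash of Packages, Packages carries the hash of the .deb, and the client only accepts a Release signed by a key present in its keyring package. It then replays the six attack steps against both the per-developer-key model and a single-master-key model. The signature is textbook RSA built from the Python standard library so that the example runs offline; it is not OpenPGP and must not be reused for anything real. The key names (alsuren, throwaway, master), the package names and the package bytes are made up for the demo.

```python
"""Toy model of per-developer PPA signing. Added example, not Launchpad code.
Signature is textbook RSA with no padding (stdlib only); real archives use OpenPGP."""
import hashlib
import secrets

def _probable_prime(n, rounds=16):
    """Miller-Rabin, enough for a demo key (not a hardened primality test)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def keygen(bits=512):
    """Return (public, private) = ((n, e), (n, d)); e is prime, so e | phi is the only failure."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    return pow(_h(data), private[1], private[0])

def verify(public, data, sig):
    return pow(sig, public[1], public[0]) == _h(data)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_archive(key_id, private, deb_name, deb_bytes):
    """Build-service side: .deb -> Packages (hash of .deb) -> Release (hash of
    Packages) -> Release signature made with ppa_<key_id> (names are made up)."""
    packages = (f"Package: {deb_name.split('_')[0]}\nFilename: pool/main/{deb_name}\n"
                f"SHA256: {sha256_hex(deb_bytes)}\n").encode()
    release = (f"Origin: LP-PPA-{key_id}\nSHA256:\n"
               f" {sha256_hex(packages)} {len(packages)} main/binary-i386/Packages\n").encode()
    return {"key_id": key_id, "release": release, "sig": sign(private, release),
            "packages": packages, "deb": deb_bytes}

def _release_hashes(release):
    """{path: hexdigest} parsed from the SHA256 block of a Release file."""
    out, in_block = {}, False
    for line in release.decode().splitlines():
        if in_block and line.startswith(" "):
            digest, _size, path = line.split()
            out[path] = digest
        else:
            in_block = line == "SHA256:"
    return out

def _packages_hash(packages):
    for line in packages.decode().splitlines():
        if line.startswith("SHA256: "):
            return line[8:]

def verify_archive(archive, keyring):
    """Client side (apt with the ppa-<team>-keyring installed). Returns a reason
    string; "ok" only if the signer is trusted and every hash in the chain matches."""
    public = keyring.get(archive["key_id"])
    if public is None:
        return "signing key not in keyring"
    if not verify(public, archive["release"], archive["sig"]):
        return "bad Release signature"
    want = _release_hashes(archive["release"]).get("main/binary-i386/Packages")
    if want != sha256_hex(archive["packages"]):
        return "Packages does not match Release"
    if _packages_hash(archive["packages"]) != sha256_hex(archive["deb"]):
        return ".deb does not match Packages"
    return "ok"

def demo():
    """Steps 1-6 from the comment, run against both trust models."""
    pub_dev, priv_dev = keygen()          # ppa_alsuren: held only by the build service
    pub_atk, priv_atk = keygen()          # ppa_throwaway: the attacker's own PPA key
    team_keyring = {"alsuren": pub_dev}   # what ppa-kubuntu-members-kde4-keyring ships
    good = build_archive("alsuren", priv_dev, "kde4-core_4.0_i386.deb", b"harmless")
    evil = build_archive("throwaway", priv_atk, "kde4-core_4.1_i386.deb", b"Bad Things")
    results = {"honest": verify_archive(good, team_keyring)}
    # Step 4: the spoofed ppa.launchpad.net serves the attacker's whole archive.
    results["spoof_own_key"] = verify_archive(evil, team_keyring)
    # Variant: attacker keeps the genuine signed Release, swaps only Packages + .deb.
    tampered = dict(good, packages=evil["packages"], deb=evil["deb"])
    results["spoof_keep_release"] = verify_archive(tampered, team_keyring)
    # Master-key model: one key signs every upload, the throw-away one included.
    master_keyring = {"master": pub_dev}
    evil_master = build_archive("master", priv_dev, "kde4-core_4.1_i386.deb", b"Bad Things")
    results["master_key_model"] = verify_archive(evil_master, master_keyring)
    return results
```

Calling demo() returns "ok" for the honest archive, rejects the spoofed archive because its signing key is not in the team keyring, rejects the partial swap because Packages no longer matches the signed Release, and accepts the attacker's package under the master-key model, which is the difference the comment argues for. Note what the model does not cover: a rooted build service or developer box, which the comment also excludes, and downgrade or freeze attacks, which need a validity date in Release as well.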