Comment 27 for bug 125103

Bryan Donlan (bdonlan) wrote : Re: [Bug 125103] Re: ppa archives are not signed

On Sun, May 04, 2008 at 04:42:16PM -0000, Holy Cheater wrote:
> @alsuren:
> Sorry, I've missed the part about chosen-message attack.
> But still, a key for each PPA would localize the range of vulnerability to 1 PPA.
> What about Martin Pool's idea of accessing ppa through https? Would it give protection from this type of attack?

Yes, having /different/ keys for each PPA helps prevent the attack. And
https should block this particular attack, but it won't shut up APT :)

>
> > The whole point of signed archives is for users to place their trust in developers, so they don't *have* to individually check each package. If Debian didn't consider this important, they would have opted for simple md5sums.
> I didn't use Debian, but are their repositories open for anyone to upload like ppa?
> And again: signing an archive with your key means you are identifying yourself to the build system, and signing the whole archive (repository) by the server which holds it is identifying the integrity and source of the data, as mentioned earlier.
> You can make your own archive on your own server and sign it - still, it wouldn't give you any trust, it would just verify that you are you.

Correct; however, in order to have trust, first one must have identity.
If I decide to trust you, it does no good at all unless I can verify
your packages really came from you.

For example: If the Kubuntu team decides to make a PPA for, say, the KDE
4.1 alphas, I might decide I trust them. In that case I should be able
to add their specific PPA key to my keyring so I trust their packages -
without worrying about DNS hijacking attacks. This is only possible with
separate keys for each PPA.
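The trust argument in the comment above, worked through as an added example that is not part of the bug thread and not Launchpad or APT code: a toy model of the client's archive-signature check under the two designs being debated, one signing key shared by every PPA versus a separate key per PPA. HMAC-SHA256 stands in for the OpenPGP detached signature on a Release file, and every key, PPA name and Release body below is constructed for the illustration. The "hijack" case models the DNS-hijacking scenario from the comment: the client believes it is fetching the PPA it trusts, but the bytes actually come from some other uploader's archive.

```python
"""Toy model of APT's Release-signature trust decision.

Added illustration (not Launchpad/APT code). HMAC-SHA256 is a stand-in for the
OpenPGP detached signature on a Release file; all keys, PPA names and Release
contents are constructed. The question modelled: does a client that trusts
PPA A accept a Release file that was really published by PPA B?
"""
import hashlib
import hmac
import secrets


def sign_release(signing_key: bytes, release: bytes) -> bytes:
    """Archive side: produce the (toy) signature over a Release file."""
    return hmac.new(signing_key, release, hashlib.sha256).digest()


def verify_release(trusted_key: bytes, release: bytes, sig: bytes) -> bool:
    """Client side: check a Release file against the key the client trusts."""
    return hmac.compare_digest(sign_release(trusted_key, release), sig)


def client_accepts(keyring: dict, expected_ppa: str, release: bytes, sig: bytes) -> bool:
    """The client checks the fetched Release against the key it imported for
    the PPA it *thinks* it is talking to; it has no other source of identity."""
    return verify_release(keyring[expected_ppa], release, sig)


def scenario(shared_key: bool) -> dict:
    """Run the genuine-fetch and hijacked-fetch cases for one key design.

    shared_key=True  : one Launchpad-wide key signs every PPA (the design the
                       comment argues against).
    shared_key=False : each PPA has its own signing key.
    """
    ppas = ["kubuntu-kde41", "random-uploader"]  # constructed names
    if shared_key:
        common = secrets.token_bytes(32)
        keys = {name: common for name in ppas}
    else:
        keys = {name: secrets.token_bytes(32) for name in ppas}

    # Each PPA publishes a Release file (constructed) and its signature.
    published = {}
    for name in ppas:
        release = (
            f"Origin: LP-PPA-{name}\n"
            f"Suite: hardy\n"
            f"MD5Sum:\n 0123456789abcdef0123456789abcdef 1234 main/binary-i386/Packages\n"
        ).encode()
        published[name] = (release, sign_release(keys[name], release))

    # The client added only the Kubuntu PPA and imported the key offered for it.
    keyring = {"kubuntu-kde41": keys["kubuntu-kde41"]}

    # Normal case: the fetch really reaches kubuntu-kde41.
    genuine = client_accepts(keyring, "kubuntu-kde41", *published["kubuntu-kde41"])

    # Hijack case: DNS (or a mirror) hands the client random-uploader's archive,
    # but the client still believes it is talking to kubuntu-kde41.
    hijacked = client_accepts(keyring, "kubuntu-kde41", *published["random-uploader"])

    return {"genuine_accepted": genuine, "hijacked_accepted": hijacked}


if __name__ == "__main__":
    print("shared key  :", scenario(shared_key=True))
    print("per-PPA keys:", scenario(shared_key=False))
```

With the shared key the hijacked Release verifies just as well as the genuine one, so the signature proves only "this came from Launchpad", not "this came from the Kubuntu team"; with per-PPA keys the hijacked fetch fails verification, which is the identity-before-trust point the comment makes. Modern APT lets a client express exactly this binding per source with the `Signed-By` option, so a key imported for one archive is not consulted for any other.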