Comment 28 for bug 125103

alsuren (alsuren) wrote : Re: [Bug 125103] Re: ppa archives are not signed

On Sunday 04 May 2008 17:42:16 Holy Cheater wrote:
> @alsuren:
> Sorry, I've missed the part about chosen-message attack.
> But still, key for each PPA would localize range of vulnerability to 1 PPA.
As I understand it, it would localize it to "users trusted to upload to that
PPA", which is dramatically smaller than "anyone in the world that has a
launchpad account".

> What about Martin Pool's idea of accessing ppa through https? Would it give
> protection from this type of attack?
I think so, but I don't know enough about the structure of apt. I suspect that
it might be possible to use a ppa to get an archive that's signed with a
trusted key, and then simply spoof DNS for any other archive that's not done
over https. Does apt-get warn the user if a repository's key changes from one
trusted key to another?

> still, it wouldn't give you any trust, it would just
> verify that you are you.
The concept of "trust" happens when the user adds your [archive] key to their
apt trusted keys list. They need to be able to place trust in a single person
or team, because trusting everyone on an open system would be worse than the
Windows situation of no trust at all.

Trust networks are pretty tricky to determine "this is safe". That's why you
always peer review them like this.