Comment 40 for bug 125103

Chuck Renner (chuckrenner) wrote:

Here is my two cents' worth on the following:
> 4.
> Repository signing should be done by Launchpad with one separate key per user and group repository!
> It would mean that we trust the Launchpad distribution system. Unless you host your own repository on your own computer and mirror that on the net, you always have to
> trust the repository hoster...
> A less comfortable but more secure way to go would be to commit every upload by unlocking the signing key stored on Launchpad each time a package should be committed
> to the repository.
> I think it is enough to trust the user's package signature and let Launchpad do the repository-signing stuff without interaction...

I agree that a developer should not have to generate another set of keys for Launchpad. The one he uses should be the only one he has. The server should automatically generate a keypair for each developer/team, and should automatically sign the generated binary packages on behalf of the user or team that uploaded the source.

HOWEVER, I have two caveats (and I feel they are critical):

First, the Launchpad user should have to sign the public key of the PPA server for his account, to acknowledge that he/she trusts it! He or she could sign the server's public key for his or her PPA after verifying the fingerprint of that public key. This signature should be exportable, so that the "web of trust" concept can work, and a user who places full trust in a Launchpad user will effectively place trust in the files the server generates on his behalf.

Second, the Launchpad user should automatically be granted revoker rights on the private key for the server's PPA. This way, if his Launchpad account has been compromised, or if the developer loses faith/trust in the server, he can revoke not only his signature on the server's key, but also the server's public key for his PPA itself. This is fair, considering that the server is effectively signing code on his behalf (so he should have the ability to stop this at any time). The user can then upload his revocation certificate to Launchpad and, if desired, to other key servers as well. It is relatively easy to grant revoker rights to a user, and Launchpad does not need to reveal the private key to anyone, including the user himself.

Everything I mentioned above can either be completely automated, or mostly automated.
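The two caveats above map directly onto OpenPGP features: an exportable certification of the server's per-PPA key, and a designated-revoker packet on that key. The script below is an added illustration (not code from the bug thread or from Launchpad) that exercises that arrangement with GnuPG in a throwaway keyring; the key names and addresses are constructed, and it assumes GnuPG 2.x with `gpg` and `gpgconf` on PATH.

```shell
#!/bin/sh
# Added example: the per-PPA key trust arrangement from the comment, run against
# a throwaway GnuPG home. Names/addresses are constructed for the demo.
set -eu

# non-interactive gpg wrapper; the throwaway keys carry no passphrase
g() { gpg --batch --yes --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@" >/dev/null; }

# print the primary fingerprint of the key whose user ID matches $1
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '/^fpr/ { print $10; exit }'; }

ppa_key_trust_demo() {
    export GNUPGHOME; GNUPGHOME=$(mktemp -d); chmod 700 "$GNUPGHOME"
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    # the developer's own key, and the key the server would generate for his PPA
    g --quick-gen-key 'Dev (constructed) <dev@example.invalid>' default default never
    g --quick-gen-key 'PPA key for Dev (constructed) <ppa@example.invalid>' default default never
    dev=$(fpr_of dev@example.invalid); ppa=$(fpr_of ppa@example.invalid)

    # 1. after checking the fingerprint out of band, the developer certifies the
    #    PPA key with an exportable signature (--quick-sign-key, not lsign)
    g -u "$dev" --quick-sign-key "$ppa"

    # 2. the server appoints the developer as designated revoker of the PPA key;
    #    this only adds a signature, the PPA secret key never leaves the server
    printf 'addrevoker\n%s\ny\nsave\n' "$dev" | g --command-fd 0 --edit-key "$ppa"

    # 3. later, the developer revokes the PPA key with his own key alone
    #    (--desig-revoke refuses --batch, so answers are fed via --command-fd:
    #    confirm, reason 0 = unspecified, empty description, confirm)
    printf 'y\n0\n\ny\n' | gpg --yes --no-tty --command-fd 0 --status-fd 2 -u "$dev" \
        --output "$GNUPGHOME/revoke.asc" --desig-revoke "$ppa" >/dev/null
    g --import "$GNUPGHOME/revoke.asc"

    # validity field of the pub record: 'r' means the PPA key is now revoked
    state=$(gpg --batch --with-colons --list-keys "$ppa" | awk -F: '/^pub/ { print $2 }')
    gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"
    echo "$state"
}
```

Running `ppa_key_trust_demo` prints `r`, showing that the developer's key alone was enough to revoke the server-held PPA key.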