Comment 46 for bug 125103

Chuck Renner (chuckrenner) wrote :

I still stand by my original two points:
* A ppa uploader should have to have the server generate a key that the server will use to sign packages created by the server specifically for his/her PPA account.
* A ppa uploader should have the ability to revoke his signature on the server. If apt does not support revocation certificate lists, it should. This is an important and critical part of any Public Key Infrastructure (PKI) system.

This would accomplish the following:
* Each PPA uploader would have a key for themselves
* Each PPA uploader would request the server to generate a keypair for the purpose of signing automatically generated packages by the server.
* The PPA uploader would sign the generated public key of the server for their account, indicating his trust, and indicating others can rely on his signature for trust (an exportable signature).
* Using the "web of trust" model, a user that trusts the PPA uploader would in turn be able to automatically trust the server-signed packages
* Complete automation for installations from PPA archives is possible this way!
* It uses the fundamental design principles of PKI. This method is not new. It is identical to the "web of trust" idea that was implemented by Philip Zimmermann in PGP many years ago, and which was used as the basis for GNU Privacy Guard (GPG).

The reason that this particular method is important to use is that end-users should not be forced to trust ALL PPA packages. Many of them are probably completely unsafe, and it is very easy for a user with malicious intent to create a PPA account. It makes no sense to me to create one key used to sign all PPA packages. This could easily be exploited by malicious scripts to download malicious PPA packages.

I would not endorse or recommend any method that uses a single key for the entire PPA server. It breaks all of the fundamental purposes of code-signing, and becomes an instant security hole for every PPA end-user. I don't know why we would even consider using a single PPA key for the entire server!
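The trust scheme the comment lays out (uploader key, a per-PPA key generated by the server, an exportable certification of that key by the uploader, trust propagating to users who trust the uploader, and revocation of the certification) can be modelled as a small trust-graph computation. The script below is an added example, not the commenter's code and not Launchpad or apt code. It replaces real OpenPGP signatures with an HMAC-SHA256 stand-in (the "private key" is the HMAC secret) so it runs offline with the standard library; the key names, PPA names and package bytes are made up. It also contrasts the per-PPA scheme with the single-server-key design the comment objects to.

```python
"""Toy web-of-trust model for the per-PPA signing-key scheme (added example).

Signatures are an HMAC-SHA256 stand-in for OpenPGP signatures: the HMAC
secret plays the role of the private key, so 'verify' needs the same secret.
The point is the trust logic (who is allowed to make a key valid), not the
primitive. All names and data below are constructed for the illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Cert:
    """A certification (key signature) placed on another key."""
    signer: str          # name of the certifying key
    sig: bytes           # stand-in signature over the subject's fingerprint
    exportable: bool     # True: travels with the key; False: local signature
    revoked: bool = False


@dataclass
class Key:
    name: str
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    certs: list = field(default_factory=list)

    @property
    def fingerprint(self) -> bytes:
        # Stand-in for the OpenPGP fingerprint of the public key.
        return hashlib.sha256(b"pub:" + self.name.encode() + self.secret).digest()

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


def certify(signer: Key, subject: Key, exportable: bool = True) -> Cert:
    """The uploader signs the server-generated key for their PPA."""
    cert = Cert(signer.name, signer.sign(subject.fingerprint), exportable)
    subject.certs.append(cert)
    return cert


def revoke(cert: Cert) -> None:
    """The uploader withdraws their certification of the server key."""
    cert.revoked = True


def key_is_valid(subject: Key, keyring: dict, trusted: set) -> bool:
    """Simplified GnuPG-style rule: a key is valid for this user if the user
    trusts it directly, or if it carries an exportable, unrevoked, verifying
    certification from a key the user has marked as fully trusted."""
    if subject.name in trusted:
        return True
    for c in subject.certs:
        if c.revoked or not c.exportable or c.signer not in trusted:
            continue
        if keyring[c.signer].verify(subject.fingerprint, c.sig):
            return True
    return False


def package_ok(pkg: bytes, sig: bytes, signing_key: Key,
               keyring: dict, trusted: set) -> bool:
    """Install only if the signature verifies AND the signing key is valid."""
    return signing_key.verify(pkg, sig) and key_is_valid(signing_key, keyring, trusted)


def scenario() -> dict:
    """End user who trusts uploader 'alice' but not uploader 'bob'."""
    alice, bob = Key("alice"), Key("bob")
    srv_alice, srv_bob = Key("ppa-server/alice"), Key("ppa-server/bob")
    keyring = {k.name: k for k in (alice, bob, srv_alice, srv_bob)}
    cert_a = certify(alice, srv_alice)           # exportable signature
    certify(bob, srv_bob)
    certify(alice, srv_bob, exportable=False)    # local sig: never leaves alice
    trusted = {"alice"}                          # user's ownertrust decision
    pkg = b"hello_1.0-0ppa1_amd64.deb (constructed package bytes)"
    r = {}
    r["alice_ppa"] = package_ok(pkg, srv_alice.sign(pkg), srv_alice, keyring, trusted)
    r["bob_ppa"] = package_ok(pkg, srv_bob.sign(pkg), srv_bob, keyring, trusted)
    r["tampered"] = package_ok(pkg + b"!", srv_alice.sign(pkg), srv_alice, keyring, trusted)
    revoke(cert_a)
    r["alice_ppa_after_revoke"] = package_ok(pkg, srv_alice.sign(pkg), srv_alice, keyring, trusted)
    # Single server-wide key: trusting it once validates every PPA's packages.
    shared = Key("ppa-server")
    r["single_key_any_ppa"] = package_ok(pkg, shared.sign(pkg), shared,
                                         {shared.name: shared}, {shared.name})
    return r


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:24s} -> {'install' if ok else 'REJECT'}")
```

In the per-PPA model the user's single trust decision (alice) validates only alice's server key; bob's PPA stays rejected even though its package signature is cryptographically fine, a local (non-exportable) signature does not propagate, and revoking alice's certification withdraws the validity. With one shared server key there is no such scoping: trusting it accepts packages from every PPA on the server, which is the hole the comment describes.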