On Mon, Dec 01, 2003 at 05:00:53PM +0000, Scott James Remnant wrote:

> No Cc was necessary, I am subscribed to debian-devel.

Please set your Mail-Followup-To accordingly, then.

> > If every .deb must be signed by a developer, and we assume that no
> > developer leaves secret keys on public machines, then signed .debs does
> > save the day.
>
> How?

See the next paragraph.

> > Even if the attacker could place a new keyring file in the archive,
> > people verifying signatures on signed .debs would not install it, since
> > it would not have the signature of a developer.
>
> What defines "the signature of a developer"? That their key is in the
> keyring, so if a hax0r decided to compromise our keyring and add a key to
> it, there'd be no way to tell that it wasn't a developer's key.

You missed the point of the paragraph you quoted. If I run a machine that
checks all incoming packages with debsigs, and refuses to install those
that don't bear a valid signature, it will refuse to install the new
compromised debian-keyring package, since it will not be signed by a key
on the existing keyring. Therefore, my own gpg will never see the
attacker's key and will refuse to install packages bearing its signature.
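The install policy argued for above, as an added worked example that is not part of the thread and not Debian's debsigs or dpkg-sig code. It assumes a Lamport one-time hash signature as a stand-in for a developer's OpenPGP key (so the keyring holds only public material, as a real keyring does), constructed package names and payloads, and a host that treats "debian-keyring" as an ordinary signed package whose body it re-reads as its new keyring only after the signature check passes. The last function shows the assumption the argument rests on: with a stolen developer key the attacker's keyring is accepted.

```python
import hashlib
import os

BITS = 256              # we sign SHA-256 digests: one preimage pair per digest bit
PK_LEN = BITS * 2 * 32  # serialized public key: 512 hashes of 32 bytes each


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time keypair (stand-in for an OpenPGP developer key, an assumption).
    Private key: 256 pairs of random preimages; public key: their SHA-256 hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def encode_pk(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


def decode_pk(blob: bytes):
    return [(blob[i:i + 32], blob[i + 32:i + 64]) for i in range(0, PK_LEN, 64)]


def key_id(pk) -> str:
    """Fingerprint of a public key; packages name their signer by it."""
    return hashlib.sha256(encode_pk(pk)).hexdigest()[:16]


def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def sign(sk, msg: bytes) -> bytes:
    """For each digest bit, reveal the preimage that bit selects."""
    return b"".join(sk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != BITS * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[i][bit]
               for i, bit in enumerate(digest_bits(msg)))


def keyring_payload(pks) -> bytes:
    """Body of the (constructed) debian-keyring package: concatenated public keys."""
    return b"".join(encode_pk(pk) for pk in pks)


def parse_keyring(payload: bytes) -> dict:
    if len(payload) % PK_LEN:
        raise ValueError("malformed keyring")
    pks = (decode_pk(payload[i:i + PK_LEN]) for i in range(0, len(payload), PK_LEN))
    return {key_id(pk): pk for pk in pks}


def make_pkg(name: str, payload: bytes, sk, pk):
    """A signed package; the signature binds the package name to its payload."""
    return (name, payload, key_id(pk), sign(sk, name.encode() + b"\0" + payload))


class Host:
    """A machine that refuses any package not signed by a key in its current keyring."""

    def __init__(self, keyring: bytes):
        self.keyring = parse_keyring(keyring)
        self.installed = {}

    def install(self, pkg) -> bool:
        name, payload, signer, sig = pkg
        pk = self.keyring.get(signer)        # unknown key id: nothing to verify against
        if pk is None or not verify(pk, name.encode() + b"\0" + payload, sig):
            return False
        self.installed[name] = payload
        if name == "debian-keyring":         # the keyring is itself just a signed package
            self.keyring = parse_keyring(payload)
        return True


def scenario():
    """Attacker controls the archive but holds no developer's secret key."""
    dev_sk, dev_pk = keygen()
    attacker_sk, attacker_pk = keygen()
    host = Host(keyring_payload([dev_pk]))
    # 1. A replacement debian-keyring adding the attacker's key, signed by that key.
    evil_ring = make_pkg("debian-keyring", keyring_payload([dev_pk, attacker_pk]),
                         attacker_sk, attacker_pk)
    # 2. A trojaned package signed by the same key. (Reusing a one-time Lamport key
    #    weakens the attacker's own key, not the host's decision, so it is fine here.)
    trojan = make_pkg("openssh-server", b"constructed trojaned payload", attacker_sk, attacker_pk)
    # 3. A legitimate keyring update adding a new developer, signed by an existing one.
    new_sk, new_pk = keygen()
    good_ring = make_pkg("debian-keyring", keyring_payload([dev_pk, new_pk]), dev_sk, dev_pk)
    # 4. A package signed by the newly added developer.
    hello = make_pkg("hello", b"constructed payload", new_sk, new_pk)
    results = tuple(host.install(p) for p in (evil_ring, trojan, good_ring, hello))
    return results, key_id(attacker_pk) in host.keyring   # ((False, False, True, True), False)


def stolen_key_scenario() -> bool:
    """If a developer's secret key leaks, a keyring adding the attacker's key is accepted."""
    dev_sk, dev_pk = keygen()
    _, attacker_pk = keygen()
    host = Host(keyring_payload([dev_pk]))
    evil_ring = make_pkg("debian-keyring", keyring_payload([dev_pk, attacker_pk]), dev_sk, dev_pk)
    return host.install(evil_ring) and key_id(attacker_pk) in host.keyring   # True


if __name__ == "__main__":
    print(scenario())
    print(stolen_key_scenario())
```

The attacker's keyring fails at the first check: its signer id is not in the host's keyring, so there is no public key to verify against and the payload is never read as a keyring. The host's trust set only ever changes through a package that the current trust set already accepts, which is why the whole scheme stands or falls on the developers' secret keys staying private.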