On Tue, Aug 21, 2018 at 01:39:29PM +0800, Paul Wise wrote: > On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote: > > > I want to make 3rd party keyring package (ITP). In the advance, I > > want to know a best practice about *keyring* packaging. Any hints? > > > sudo apt install -y -V --allow-unauthenticated foobar-keyring > > This is reasonable because there is no correct key yet before > > installing it. > > I don't think this is appropriate at all. Instead, always use an > out-of-band mechanism for confirming the appropriate OpenPGP keys. > Having the keyring package in Debian itself is a good idea, but at > very bare minimum, download the key or fingerprint from a website that > uses a valid TLS certificate according to the X.509 CA trust model.
Uh, what? You do realize that the CA cartel model is security theatre, intentionally subverted to provide so-called "responsible encryption"? To break it, you need to either: * control _any_ of thousands of CAs (not merely roots), many of which have already been caught issuing MITM certs or are otherwise well-known to be conducting massive scale MITM by other means. Some of those were papered over as "it was just a honest error, we swear!", some led to removal from ca-certificates -- all while multiple other CAs controlled by the same government are still there. * get hold of a SSL private key. Unlike gpg which can be done offline, SSL keys must be available on every front-end server all the time. Thus, having a trust anchor provided in the Debian archive would be a massive improvement. Meow! -- ⢀⣴⠾⠻⢶⣦⠀ What Would Jesus Do, MUD/MMORPG edition: ⣾⠁⢰⠒⠀⣿⡁ • multiplay with an admin char to benefit your mortal [Mt3:16-17] ⢿⡄⠘⠷⠚⠋⠀ • abuse item cloning bugs [Mt14:17-20, Mt15:34-37] ⠈⠳⣄⠀⠀⠀⠀ • use glitches to walk on water [Mt14:25-26]
