[Catalog-sig] [Draft] Package signing and verification process

Zygmunt Krynicki zygmunt.krynicki at canonical.com
Wed Feb 6 20:51:40 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06.02.2013 20:00, Lennart Regebro wrote:
> On Wed, Feb 6, 2013 at 6:20 PM, Zygmunt Krynicki 
> <zygmunt.krynicki at canonical.com> wrote:
>> You would first download django (either signed or not) and get 
>> prompted if you want to trust the signer for that project (or if
>> the file was not signed, to trust this particular file for django
>> in the future).
> 
> Getting a lot of questions that you have no choice but to ask "yes"
> to is not really an increase in security. This doesn't in practice
> increase security against people writing "bad" software in one
> sense or another. It does increase the security against
> man-in-the-middle attacks, but we can get that without having to
> ask yes for every package we download. (have you any idea how many 
> packages are in Plone? ;-)) The warnings that signatures and keys
> have changed would be enough for that.

That is a one-time operation. Still, I agree it's tedious and some
users might just blindly click "next" unless we can pre-seed the system
with trust somehow (and that's not something I think is possible).

I suspect that a middle ground _can_ be reached, where users would be
protected from some popular and easy attacks while some group of users
could opt into the stricter trust-based security.

>> I realize this interface is not perfect
> 
> Nothing is perfect! :-)
> 
>> but it solves practically all of the current issues. Most
>> importantly it can be applied to all existing software today, so
>> we get the benefits without asking everyone to fix their story.
> 
> I don't see how it solves the current issues unless everyone signs 
> their packages, which is asking people to fix their story.

Sorry, you are right. My example assumed you were familiar with what
I'm doing with distrust (https://github.com/zyga/distrust) where it
works just as well for current unsigned software.

Thanks
ZK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRErRGAAoJECiU6TooxntHdr0QAKy3sCM17Frcb5ARJSoPuCZs
9gH61bQk7XCDjchBGFLqnXWmrpksnBXqXACPsoCdyldy/wH7y0YoGysJgaKd0j0t
ttHKZFXUYGEkcVaGVxOFKL/UDRm+kSrkwAyw3c0WFgW9eeymrwaJ9//6dnfiVEPy
aDuJ7YVEFsUBQu+x6BuzFIFhgBWpsJC+U7z1p1A3Wq26RazxRtY6stjzWGXNtJZI
o91QqypK2BwX8P4+CQuJbHOqlcmBZGNJDaeJ/eYDb7SoaDNUiv9vALl3PTOsALAC
RHkJtlo8RL33yUth3bTBcU741yDJyBdhwh/DKEn/ntPeYS0qlHItkYkQFTINrG3Z
Cbm/MFgPmVK3IEWalwS9NFpzKdC7I5CXefsHT4whMnd/sYNz1qR9sbobkt173FkJ
faE52++ULA4tIjrf2c9tJQifx0mjGNWEOMivOkBQo/lVRIxUvUDXaNnXlzeboRvb
/tf1KseId3hAvi/3Aut9k4deSLUwvgaAFxolTx+m9F8oObsVOvS3i984Mr+5AC6A
q8W5UU+0Iyb0DwBeOLa3vJ9TOaEG1gpE/9YA0t1cPRMFnBJ4Ld4Mso9nilGkvLur
pehWTm4v5mLRnJIH9Me2p5bI70FDhX5cXpXLjjfkD/DY1+/smyncqcYTQR/4d/Px
9nV1Y3YmsMa1XsD9Yjtp
=HRFn
-----END PGP SIGNATURE-----
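The trust-on-first-use flow discussed in the message above (prompt once per project, pin the signer's key or, for an unsigned file, the file's hash, and warn when either later changes) written out as an added Python example. This is not code from the thread, from the distrust project or from any PyPI tooling; the key fingerprints, file contents and outcome names are constructed, and the example assumes the OpenPGP signature has already been verified by a separate layer, so only the trust decision after verification is modelled.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Outcomes of the trust decision (constructed names, not from distrust)
FIRST_USE = "first-use"        # nothing pinned yet, user accepted the prompt
REJECTED = "rejected"          # nothing pinned yet, user declined the prompt
OK = "ok"                      # matches what was pinned earlier
KEY_CHANGED = "key-changed"    # signed, but by a different key than pinned
HASH_CHANGED = "hash-changed"  # unsigned file differs from the pinned hash
DOWNGRADE = "downgrade"        # project was signed before, this file is not


@dataclass
class Download:
    project: str
    filename: str
    data: bytes
    # Fingerprint of the key whose signature over `data` has ALREADY been
    # verified by the OpenPGP layer (assumed here); None means no signature.
    signer: Optional[str]


class TrustStore:
    """Trust-on-first-use store keyed by project, as sketched in the thread."""

    def __init__(self) -> None:
        self.signers: Dict[str, str] = {}            # project -> fingerprint
        self.hashes: Dict[str, Dict[str, str]] = {}  # project -> {file: sha256}

    def evaluate(self, dl: Download, prompt: Callable[[str], bool]) -> str:
        digest = hashlib.sha256(dl.data).hexdigest()
        pinned_key = self.signers.get(dl.project)
        pinned_hash = self.hashes.get(dl.project, {}).get(dl.filename)

        if dl.signer is not None:
            if pinned_key is None:
                # First signed download for this project: ask once, then pin
                # the key so later files from the same signer pass silently.
                if not prompt(f"trust signer {dl.signer} for {dl.project}?"):
                    return REJECTED
                self.signers[dl.project] = dl.signer
                return FIRST_USE
            return OK if pinned_key == dl.signer else KEY_CHANGED

        # Unsigned file.
        if pinned_key is not None:
            # The project used to be signed; an unsigned file now points to a
            # stripped signature or a MITM, not a reason to fall back to hashes.
            return DOWNGRADE
        if pinned_hash is None:
            if not prompt(f"trust unsigned file {dl.filename} for {dl.project}?"):
                return REJECTED
            self.hashes.setdefault(dl.project, {})[dl.filename] = digest
            return FIRST_USE
        return OK if pinned_hash == digest else HASH_CHANGED

    def dumps(self) -> str:
        return json.dumps({"signers": self.signers, "hashes": self.hashes},
                          sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "TrustStore":
        store = cls()
        obj = json.loads(text)
        store.signers = obj["signers"]
        store.hashes = obj["hashes"]
        return store


def demo() -> list:
    """Walk through the scenario from the thread on constructed data."""
    store = TrustStore()
    accept = lambda _question: True  # a user who always clicks "yes"
    results = []
    # Constructed fingerprints and file bytes; not real keys or releases.
    dj = Download("django", "Django-1.4.tar.gz", b"django-release-bytes", "1111AAAA")
    results.append(store.evaluate(dj, accept))  # first-use: key pinned
    results.append(store.evaluate(dj, accept))  # ok: same signer
    results.append(store.evaluate(Download("django", "Django-1.4.tar.gz",
                                           b"django-release-bytes", "2222BBBB"),
                                  accept))      # key-changed: different signer
    results.append(store.evaluate(Download("django", "Django-1.4.tar.gz",
                                           b"django-release-bytes", None),
                                  accept))      # downgrade: signature missing
    pl = Download("plone", "Plone-4.2.tar.gz", b"plone-release-bytes", None)
    results.append(store.evaluate(pl, accept))  # first-use: hash pinned
    results.append(store.evaluate(pl, accept))  # ok: same bytes
    results.append(store.evaluate(Download("plone", "Plone-4.2.tar.gz",
                                           b"tampered-bytes", None),
                                  accept))      # hash-changed
    # Round-trip the pins through JSON (the on-disk form a client would keep).
    results.append(TrustStore.loads(store.dumps()).evaluate(pl, accept))  # ok
    return results
```

The prompt is only reached on the first encounter with a project, which is the "one time operation" described above; everything after that is a silent match or a loud mismatch, which is the property that catches a man-in-the-middle who has to present a different key or different bytes. The `DOWNGRADE` branch is there because a client that quietly fell back to hash pinning when a previously signed project arrived unsigned would let an attacker who strips the signature bypass the key pin entirely.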

