]] Wouter Verhelst

> On Mon, Jun 08, 2015 at 09:12:51AM +0200, Tollef Fog Heen wrote:
> > ]] Wouter Verhelst
> >
> > > Having said that, I do agree with you that we should not allow just
> > > about anyone to create a repository which will be automatically trusted
> > > by the whole Debian system. Establishing such a trust chain should,
> > > indeed, require some vetting by at least one Debian Developer, so that
> > > malicious packages can be rejected, if needs be.
> >
> > I've always been a bit unhappy about the idea of using keys to decide
> > which repositories are trusted or not. The signature is there primarily
> > to act as an anti-MITM tool. This is a bit similar (or maybe
> > equivalent) to the difference between authentication and authorization
> > for access control.
>
> What would you suggest instead?
With our current setup? I don't really know; I think we'd need to add some
more information to some files.

Currently, there's no binding between an apt repository as listed in
sources.list and the corresponding key. There is also no link between an
apt repository and allowed packages from that repository.

I could see us extending the apt preferences format to be something like:

  Package: *
  Origin: Debian
  Allowed-Keys: 2B90D010, C857C906, 518E17E1

  Package: foo
  Origin: fooCorp
  Allowed-Keys: ABCD, EF12, 1234

Default priority for an unlisted package is < 0 (so can't be installed).

We should probably use fingerprints and not short key ids for the
allowed-keys field (and we need something to manage them when doing
dist-upgrades and such).

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: https://lists.debian.org/m2381wypoi....@rahvafeir.err.no
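To make the authentication-versus-authorization distinction in the thread concrete, here is an added toy evaluator of the proposed Allowed-Keys stanzas; it is not part of the mail and apt has no such field. The fingerprints and the 500 "matched" priority are constructed assumptions: a verified signature only identifies the signing key, and the stanza decides whether that key may ship that package from that origin.

```python
"""Toy evaluator for the *proposed* apt preferences extension from the thread.
Hypothetical: apt has no Allowed-Keys field; all fingerprints are placeholders."""
from fnmatch import fnmatch

# Constructed placeholder fingerprints (40 hex chars in reality).
DEBIAN_FPR_A = "A" * 40
DEBIAN_FPR_B = "B" * 40
FOOCORP_FPR = "C" * 40

# Constructed stanzas in the proposed format, using full fingerprints
# rather than short key ids, as the mail suggests.
PREFERENCES = f"""\
Package: *
Origin: Debian
Allowed-Keys: {DEBIAN_FPR_A}, {DEBIAN_FPR_B}

Package: foo
Origin: fooCorp
Allowed-Keys: {FOOCORP_FPR}
"""

MATCHED_PRIORITY = 500  # assumption: a normal, installable priority
UNLISTED_PRIORITY = -1  # proposal: unlisted packages get a priority < 0


def parse_preferences(text):
    """Split deb822-style stanzas into dicts; Allowed-Keys becomes a set."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        keys = fields.get("Allowed-Keys", "").split(",")
        fields["Allowed-Keys"] = {k.strip() for k in keys if k.strip()}
        stanzas.append(fields)
    return stanzas


def priority(stanzas, package, origin, signer_fpr):
    """Authorization step, run AFTER the signature has been verified.
    signer_fpr is the fingerprint that actually signed the Release file.
    A stanza authorizes the package only if the package pattern, the
    origin and the signing key all match; otherwise the proposal's
    default (< 0, not installable) applies."""
    for st in stanzas:
        if fnmatch(package, st["Package"]) and st["Origin"] == origin:
            if signer_fpr in st["Allowed-Keys"]:
                return MATCHED_PRIORITY
    return UNLISTED_PRIORITY
```

A fooCorp key that validly signs a repository offering "bash" still gets priority -1: the signature authenticated the origin, but nothing authorized that origin to supply that package.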