On Mon, Aug 23, 2004 at 01:03:54AM +0200, martin f krafft wrote:
> So if I wanted to attack 80% of all Debian machines all over the
> world, I would try to compromise one of the 1000 keys, thereby
> getting write access to the incoming queue. Then, I could NMU
> a package and upload a trojaned version, best one that waits a year
> before activating, just to make sure I actually hit stable.
What about a --paranoid option, which makes apt warn on several
(slightly) suspicious changes:

- NMUs
- changes of maintainership
- new maintainers (not maintainers new to Debian, but maintainers I
  didn't implicitly trust before by having installed one of their
  packages)

To make the last point more useful, one could add a concept of
secondary signatures, and ask developers to review and certify packages
of other developers. This could potentially reduce the number of
developers one has to trust for a given installation.

To give some numbers: On my laptop, which runs sid, and some packages
from experimental, I have 1332 installed packages by 407 different
maintainers. Not counting NMUs and ignoring groups of people (e.g.
"Debian GCC maintainers"), I'd only be vulnerable if one of these 407
keys is compromised. But 331 of these 407 maintainers have less than 5
packages installed on my computer, and 189 have only one. I guess this
number could be vastly reduced by secondary signatures, bringing the
number of people I'd have to trust down to, perhaps, 100-200. While
this is still a large number, it's much better than 1000. (BTW I didn't
verify this number - do we really have 1000 developers by now?)

Please don't consider this as a proposal - it's just a spontaneous
idea, which may not be feasible. But then, perhaps it has some
potential, so I wanted to share it.

Jan
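As an added illustration of the idea sketched in the mail above (this is not code from the thread, from apt, or from any Debian tool), the script below parses dpkg-style "Package:/Version:/Maintainer:" stanzas, computes the kind of maintainer statistics Jan quotes (distinct maintainers, how many have fewer than five packages installed, how many have only one), and then applies the three "--paranoid" checks to a set of candidate updates: NMU, change of maintainership, and a maintainer none of whose packages are installed yet. The package data is constructed inline, and the NMU test is a heuristic assumption (a Debian revision with an extra ".N" component such as 1.0-1.1, or a "+nmuN" suffix), not an authoritative rule.

```python
"""Toy model of a "--paranoid" apt check (added example, not project code).

It parses stanzas in the blank-line-separated field format used by dpkg's
status file and apt's Packages lists, reports how many maintainers an
installation implicitly trusts, and flags candidate updates that are NMUs,
change maintainership, or introduce a maintainer not trusted so far.
All package data below is constructed for the example.
"""
import re
from collections import Counter

# Constructed "installed packages" database.
INSTALLED_STATUS = """\
Package: foo
Version: 1.0-1
Maintainer: Alice <alice@example.org>

Package: bar
Version: 2.3-4
Maintainer: Bob <bob@example.org>

Package: baz
Version: 0.9-2
Maintainer: Alice <alice@example.org>
"""

# Constructed list of updates apt is about to install.
CANDIDATE_UPDATES = """\
Package: foo
Version: 1.0-1.1
Maintainer: Alice <alice@example.org>

Package: bar
Version: 2.4-1
Maintainer: Carol <carol@example.org>

Package: baz
Version: 0.9-3
Maintainer: Alice <alice@example.org>

Package: qux
Version: 5.0-1
Maintainer: Dave <dave@example.org>
"""

# Assumption: an NMU is recognisable from the version string alone, either
# by an extra ".N" in the Debian revision (1.0-1 -> 1.0-1.1) or by "+nmuN".
NMU_VERSION = re.compile(r"-\d+\.\d+$|\+nmu\d+$")


def parse_stanzas(text):
    """Return {package: {field: value}} from blank-line-separated stanzas."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields
    return packages


def maintainer_stats(installed):
    """(distinct maintainers, maintainers with <5 packages, with exactly 1)."""
    counts = Counter(p["Maintainer"] for p in installed.values())
    return (len(counts),
            sum(1 for c in counts.values() if c < 5),
            sum(1 for c in counts.values() if c == 1))


def is_nmu_version(version):
    return bool(NMU_VERSION.search(version))


def paranoid_warnings(installed, candidates):
    """List (package, reason) pairs for the three suspicious changes."""
    trusted = {p["Maintainer"] for p in installed.values()}
    warnings = []
    for name, cand in candidates.items():
        if is_nmu_version(cand["Version"]):
            warnings.append((name, "nmu"))
        if name in installed and installed[name]["Maintainer"] != cand["Maintainer"]:
            warnings.append((name, "maintainer-changed"))
        if cand["Maintainer"] not in trusted:
            warnings.append((name, "new-maintainer"))
    return warnings


if __name__ == "__main__":
    installed = parse_stanzas(INSTALLED_STATUS)
    print("distinct/under-5/single-package maintainers:", maintainer_stats(installed))
    for pkg, reason in paranoid_warnings(installed, parse_stanzas(CANDIDATE_UPDATES)):
        print(f"WARNING: {pkg}: {reason}")
```

Run against a real system one would feed /var/lib/dpkg/status and apt's candidate list instead of the constructed strings; the "new-maintainer" rule is the one secondary signatures would relax, since a package certified by an already-trusted developer need not trigger it.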