On 07/14/2014 12:59 PM, Paul Wise wrote:
> On Tue, Jul 15, 2014 at 12:45 AM, Hans-Christoph Steiner wrote:
>
>> I'd like to contribute to this effort
>
> First thing is to get #733029 fixed, which involves disabling signing
> by default (signing should be done after testing not before) and
> adding a signing tool to dpkg-dev. Then debsign/debuild need adapting
> to the new default and the new signing tool. Then you can modify the
> dpkg signing tool to sign .deb files using code from the old stuff and
> convince the dpkg maintainers to accept it. Somewhere in there the old
> approaches/code should be looked at, checked if they still work, and
> the old documentation and external websites (some of them only on
> archive.org) and mailing list discussions.
I agree that dpkg-buildpackage should not try to sign by default unless the signer in debian/changelog matches the currently logged in person. But there should always be at least a "builder" signature on every .deb. That signature is not there to testify that it is a tested release, it is there to verify that the package was not modified since the builder created it.

The Android security model is a good example: you cannot even install an .apk (like an Android .deb) that does not have a signature in it. All .apks must have a valid signature in order to be installed. For debug builds, the Android build tools make it dead simple to use a debug key to sign .apks.

.hc

Archive: https://lists.debian.org/53c40fcc.7050...@at.or.at
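To make the distinction in the message above concrete, here is an added example (not code from dpkg, debsign or the Android build tools) of the two-signature model it describes: a "builder" signature made right after the build, which an installer requires before it will install anything, and a separate "release" signature made only after testing. It uses Ed25519 from the Go standard library rather than the OpenPGP signatures Debian actually uses, operates on constructed in-memory bytes instead of a real .deb, and all names (`Package`, `CheckInstall`, `IsTestedRelease`, `RoleBuilder`, `RoleRelease`) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PublicKey is a local alias so callers need not import crypto/ed25519.
type PublicKey = ed25519.PublicKey

// Role separates the two signatures discussed in the thread: the builder
// signs right after the build, the releaser signs only after testing.
type Role string

const (
	RoleBuilder Role = "builder"
	RoleRelease Role = "release"
)

// Signature is a detached signature over the SHA-256 digest of the
// package bytes, tagged with the role of the key that produced it.
type Signature struct {
	Role   Role
	Signer PublicKey
	Sig    []byte
}

// Package is a hypothetical in-memory .deb plus its detached signatures.
type Package struct {
	Data []byte
	Sigs []Signature
}

var (
	ErrUnsigned  = errors.New("refusing to install: no builder signature present")
	ErrBadSig    = errors.New("refusing to install: builder signature does not match package bytes")
	ErrUntrusted = errors.New("refusing to install: builder key is not trusted")
)

// GenerateKey returns a fresh Ed25519 key pair. A developer's "debug key"
// is just such a pair that is trusted only on the developer's own machine.
func GenerateKey() (PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewPackage copies data so that later tampering in tests is explicit.
func NewPackage(data []byte) *Package {
	return &Package{Data: append([]byte(nil), data...)}
}

func digest(data []byte) []byte {
	h := sha256.Sum256(data)
	return h[:]
}

// Sign attaches a detached signature for the given role.
func Sign(pkg *Package, role Role, priv ed25519.PrivateKey) {
	pkg.Sigs = append(pkg.Sigs, Signature{
		Role:   role,
		Signer: priv.Public().(PublicKey),
		Sig:    ed25519.Sign(priv, digest(pkg.Data)),
	})
}

func trusted(key PublicKey, keyring []PublicKey) bool {
	for _, k := range keyring {
		if k.Equal(key) {
			return true
		}
	}
	return false
}

// CheckInstall applies the Android-style rule: without a valid builder
// signature from a key in the keyring the package cannot be installed.
// It says nothing about whether the package was tested.
func CheckInstall(pkg *Package, builderKeys []PublicKey) error {
	d := digest(pkg.Data)
	for _, s := range pkg.Sigs {
		if s.Role != RoleBuilder {
			continue
		}
		if !ed25519.Verify(s.Signer, d, s.Sig) {
			return ErrBadSig // bytes changed since the builder signed them
		}
		if !trusted(s.Signer, builderKeys) {
			return ErrUntrusted
		}
		return nil
	}
	return ErrUnsigned
}

// IsTestedRelease reports whether a trusted release key signed the same
// bytes, i.e. whether the post-testing signature is present and valid.
func IsTestedRelease(pkg *Package, releaseKeys []PublicKey) bool {
	d := digest(pkg.Data)
	for _, s := range pkg.Sigs {
		if s.Role == RoleRelease && trusted(s.Signer, releaseKeys) && ed25519.Verify(s.Signer, d, s.Sig) {
			return true
		}
	}
	return false
}

func main() {
	builderPub, builderPriv := GenerateKey()
	pkg := NewPackage([]byte("constructed package bytes, not a real .deb"))
	fmt.Println("unsigned:", CheckInstall(pkg, []PublicKey{builderPub}))
	Sign(pkg, RoleBuilder, builderPriv)
	fmt.Println("builder-signed:", CheckInstall(pkg, []PublicKey{builderPub}))
	pkg.Data[0] ^= 0xff // simulate modification after the build
	fmt.Println("tampered:", CheckInstall(pkg, []PublicKey{builderPub}))
}
```

The installer only ever consults `CheckInstall`, so an unsigned or modified package is rejected regardless of release status; `IsTestedRelease` is a separate question answered by a separate key, which is what keeps "built by X" and "tested and released" from being conflated in a single signature.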