Scott Kitterman <deb...@kitterman.com> writes:

> I think it's just that I view a signature by a mechanized service as
> something different than a signature made by an actual person.
> Technically you are correct, but I think it's fundamentally different.
> I don't think the computer is responsible for anything. I think it has
> to trace to a person if you want to talk about responsibility.
Okay, thanks, I think this is the core of our disagreement. Let me sum up my side, just to be very clear about what I think the disagreement is.

I don't believe that "a signature made by an actual person" is something that exists in the real world. Humans do not sign things. We do not have an OpenPGP implementation in our heads. Signatures are always made by software, running on a possibly compromised computer, directed by humans. Any link between the human and the signature is a point of possible attack.

For the existing source package signatures, a simplified sequence looks like this:

    human --> (1) dpkg-buildpackage --> (2) debsign --> (3) archive

For tag2upload, a simplified sequence looks like:

    human --> (1) Git --> (2) tag2upload --> (3) debsign --> (4) archive

In our current system, the source package signature can be traced back to (2). In the tag2upload case, the source package signature can be traced back to (3) using the existing techniques and, with more work and new techniques, all the way back to (1). In neither case can the source package signature be traced back to a human, which is what I am arguing makes them similar.

What we're arguing about is which system has the better design (both security and otherwise) for the pieces prior to (2) in the first case and (3)/(1) in the second case.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>