On Tue, Jun 29, 2021 at 08:37:56AM +0200, Bernhard Reiter wrote:
> On Sunday, 27 June 2021 18:56:15, Стефан Васильев via Gnupg-users wrote:
> > maybe interesting for some of you.
> > https://wiki.debian.org/Teams/Apt/Spec/AptSign
>
> This does not have references on the problems it is claiming to address.
>
> No description of the context where it is supposed to be used
> and what part it will play in the security.

I can fill it in here a bit. Debian doesn't sign individual .deb packages, but
instead signs APT repository metadata. Traditionally, a PGP key was used for
this, with the public counterpart being distributed either via the distro media
itself (e.g. iso images), or via https-based downloads. With this change, they
are replacing PGP with ed25519, but everything else remains pretty much the
same -- the signing is done by centralized distro infrastructure.

> Also there is no mention of how the trust relation of the public
> keys will be established.

The same as before -- they are downloaded with iso images, or retrieved from
the website via https. While there is no built-in mechanics for distributing
key revocation for ed25519 keys, this was not really a consideration before
either (even if you can publish a revocation certificate for a PGP key used
for this purpose now, very few people will know what to do with it).

> So not yet possible to evaluate the page, it looks like a 0.2 draft
> in a wiki and probably gets to the point of being an interesting proposal
> later.

Most notably, "Ditching OpenPGP" is wildly inaccurate. OpenPGP is still used
for all other Debian maintainer operations -- it's only being replaced in one
small area where key management and trust were used in least PGP-like ways.

-K
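The trust model described in the reply (one signature over the repository metadata, with the index and the .deb trusted only through the digest chain below it), as an added illustration that is not part of the thread and not the AptSign spec's actual format. It assumes a simplified Release/Packages layout and a freshly generated ed25519 key standing in for the archive key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

func hexSum(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Constructed stand-ins: the .deb, the Packages index listing its digest, and the Release file listing the index's digest.
var debBytes = []byte("constructed .deb payload")
var packagesIndex = "Package: example\nSHA256: " + hexSum(debBytes) + "\n"
var releaseFile = "Suite: stable\nSHA256:\n " + hexSum([]byte(packagesIndex)) + fmt.Sprintf(" %d main/binary-amd64/Packages\n", len(packagesIndex))

// findDigest returns the hex digest paired with marker: "SHA256: <hex>" in a Packages stanza, or "<hex> <size> <path>" in a Release SHA256 block.
func findDigest(text, marker string) string {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == marker {
			return f[1]
		}
		if len(f) == 3 && f[2] == marker {
			return f[0]
		}
	}
	return ""
}

// VerifyChain checks the single ed25519 signature over Release, then walks the digest chain down to the .deb; nothing below Release is signed.
func VerifyChain(pub ed25519.PublicKey, release, sig, index, deb []byte) bool {
	if !ed25519.Verify(pub, release, sig) {
		return false
	}
	if findDigest(string(release), "main/binary-amd64/Packages") != hexSum(index) {
		return false
	}
	return findDigest(string(index), "SHA256:") == hexSum(deb)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed stand-in for the archive key
	sig := ed25519.Sign(priv, []byte(releaseFile))
	fmt.Println(VerifyChain(pub, []byte(releaseFile), sig, []byte(packagesIndex), debBytes)) // true
}
```

A client that obtains the public key over https or from install media, as the reply describes, has exactly this one key to check; a tampered index or .deb fails the digest comparison even though neither carries a signature of its own.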