
Re: Concerns about Security of packages in Debain OS and the Operating system itself.

From Adam McKenna <adam@flounder.net>
Newsgroups linux.debian.devel, linux.debian.project, linux.debian.security
Subject Re: Concerns about Security of packages in Debain OS and the Operating system itself.
Date 2022-05-23 21:10 +0200
Message-ID <EqlBf-hrZh-3@gated-at.bofh.it> (permalink)
References <Edhc5-9nWW-1@gated-at.bofh.it> <Edj4d-9p3P-15@gated-at.bofh.it> <Edj4d-9p3P-13@gated-at.bofh.it> <Eqk2u-hr0G-3@gated-at.bofh.it> <Eql8d-hrAZ-1@gated-at.bofh.it>
Organization linux.* mail to news gateway


> anyone stupid enough to abuse their position may only do so once, at
> which point their GPG key is revoked.

You are talking about a deterrent though.  I think the question is, what if
someone cares more about their political cause than retaining their
uploader access?

What if someone's keys are compromised and an attacker uploads a
compromised package?

Do we have ways of detecting these breaches or do we rely solely on user
reports?

On Mon, May 23, 2022 at 11:22 AM lkcl <luke.leighton@gmail.com> wrote:

> On Mon, May 23, 2022 at 6:28 PM Adam McKenna <adam@flounder.net> wrote:
> >
> > > i believe the answer is in the question. debian is based on
> > > distributed trust.  i did the analysis (took 3 weeks): it is literally the
> > > only distro in the world with an inviolate chain of trust from a large
> > > keyring dating back 20 years that is itself GPG-signed as a package, with a
> > > package distribution chain from source where all components within the
> > > chain up to release are unbroken and inviolate.
> >
> > This is not an answer to the question though, OP was asking how we
> > prevent abuse of that trust.
>
> reputation, and potentially criminal and civil proceedings.
>
> all identities are known, and inviolate-known [through the
> above-described chain].
> anyone stupid enough to abuse their position may only do so once, at which
> point their GPG key is revoked.
>
> given that GPG key-signing parties require people's real-world identities
> to be known, it is easy to track down who signed whose key (it's right
> there in the keyring-archive), and request that the signer provide
> assistance to the relevant authorities in proving that real-world identity.
>
> this will sufficiently piss off those people that trusted them that they
> will be unlikely to work with them ever again [reputation]
>
> in addition there is the Debian Trademark which if brought into disrepute
> through abuse could be utilised to seek damages against the perpetrator.
>
> bottom line is that it would be a spectacularly stupid thing to do to
> violate the trust and responsibility of being a Debian Maintainer, and the
> really interesting bit to me is that this all works in an entirely
> distributed manner and can all be done entirely without a single
> centralised authority, i.e. *not* having to trust f*****g google or
> f*****g github with anyone's real-world identity in any way shape or form.
>
> l.
>
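The "chain from release to package" that lkcl describes and the detection question Adam raises can be made concrete. The following is an added example, not code from the thread or from Debian/apt: it walks the two hash links below the OpenPGP signature on a Release file (Release lists the SHA256 of each index such as main/binary-amd64/Packages; Packages lists the SHA256 and Size of each .deb) using only hashlib, so it runs offline. The signature check that apt performs with gpgv against the archive keyring is assumed to have already passed and is not implemented here. All archive content below (the .deb bytes, the Packages stanza, the Release text, the file paths) is constructed sample data, not real Debian data.

```python
"""
Added example (not from the mailing-list thread or from apt itself):
verify the Release -> Packages -> .deb hash links of an apt archive.

Assumption: the Release text has already been verified with gpgv against
the archive keyring; that OpenPGP step is outside this script.
All inputs are constructed sample data, not real Debian archive content.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256: section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if re.match(r"^[A-Za-z0-9-]+:", line):      # a new field header
            in_section = line.startswith("SHA256:")  # only keep the SHA256 block
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanzas; each stanza is a dict of field -> value."""
    stanzas = []
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def verify_chain(release_text: str, index_path: str, packages_bytes: bytes, deb_files: dict) -> list:
    """
    deb_files maps the Packages 'Filename' field to the bytes fetched from the mirror.
    Returns a list of (item, ok, link) tuples; stops at the first broken link,
    since everything below a tampered index is untrustworthy.
    """
    results = []
    expected = parse_release_sha256(release_text).get(index_path)
    if expected is None:
        return [(index_path, False, "index not listed in Release")]
    digest, size = expected
    ok = sha256_hex(packages_bytes) == digest and len(packages_bytes) == size
    results.append((index_path, ok, "Release -> Packages"))
    if not ok:
        return results
    for stanza in parse_packages(packages_bytes.decode()):
        filename = stanza["Filename"]
        data = deb_files.get(filename)
        if data is None:
            results.append((filename, False, "listed in Packages but not fetched"))
            continue
        ok = sha256_hex(data) == stanza["SHA256"] and len(data) == int(stanza["Size"])
        results.append((filename, ok, "Packages -> .deb"))
    return results


# --- constructed sample archive (hypothetical package, not real Debian data) ---
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
GOOD_DEB = b"!<arch>\nconstructed-deb-contents-for-the-example\n"
PACKAGES_BYTES = (
    "Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(GOOD_DEB)}\nSHA256: {sha256_hex(GOOD_DEB)}\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE_TEXT = (
    "Origin: Example\nSuite: stable\nCodename: example\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


def check_intact() -> list:
    """Untouched mirror: both links verify."""
    return verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, {DEB_PATH: GOOD_DEB})


def check_tampered_deb() -> list:
    """Same Release and Packages, but the .deb on the mirror was replaced."""
    return verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, {DEB_PATH: GOOD_DEB + b"X"})


def check_tampered_index() -> list:
    """Packages index edited on the mirror: caught at the Release -> Packages link."""
    edited = PACKAGES_BYTES.replace(b"1.0-1", b"1.0-2")
    return verify_chain(RELEASE_TEXT, INDEX_PATH, edited, {DEB_PATH: GOOD_DEB})


if __name__ == "__main__":
    for name, results in (("intact", check_intact()),
                          ("tampered .deb", check_tampered_deb()),
                          ("tampered index", check_tampered_index())):
        for item, ok, link in results:
            print(f"{name:15} {'OK  ' if ok else 'FAIL'} {link}: {item}")
```

What this catches is substitution on a mirror or in transit: a changed .deb or an edited index no longer matches the signed Release. It does not catch the case Adam is asking about. A package uploaded with a maintainer's own key, whether by the maintainer or by someone holding a stolen key, is signed correctly, so it enters the archive and every link below Release verifies. Detecting that requires checks on the upload side (which key signed the .changes, whether the key and upload pattern match the maintainer's history), not on the download side.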



Thread

Re: Concerns about Security of packages in Debain OS and the Operating system itself. lkcl <luke.leighton@gmail.com> - 2022-04-17 21:50 +0200
  Re: Concerns about Security of packages in Debain OS and the  Operating system itself. Stephan Verbücheln <verbuecheln@posteo.de> - 2022-04-18 19:50 +0200
  Re: Concerns about Security of packages in Debain OS and the  Operating system itself. Adam McKenna <adam@flounder.net> - 2022-05-23 19:30 +0200
    Re: Concerns about Security of packages in Debain OS and the  Operating system itself. lkcl <luke.leighton@gmail.com> - 2022-05-23 20:40 +0200
      Re: Concerns about Security of packages in Debain OS and the  Operating system itself. Adam McKenna <adam@flounder.net> - 2022-05-23 21:10 +0200
        Re: Concerns about Security of packages in Debain OS and the  Operating system itself. Adam McKenna <adam@flounder.net> - 2022-05-23 21:20 +0200
        Re: Concerns about Security of packages in Debain OS and the  Operating system itself. lkcl <luke.leighton@gmail.com> - 2022-05-23 21:30 +0200
        Re: Concerns about Security of packages in Debain OS and the  Operating system itself. Paul Wise <pabs@debian.org> - 2022-05-25 03:20 +0200
          Re: Concerns about Security of packages in Debain OS and the  Operating system itself. piorunz <piorunz@gmx.com> - 2022-05-25 14:10 +0200
